McAfee forms zombie-killer alliance

Security companies are banding together for the first time to work against viruses, worms, hackers and zombies
Written by Dennis Fisher, Contributor on

Recent threats such as the Code Red and Leave worms are proof that virus writers and hackers are pooling resources to produce hybrid weapons that can cause tremendous damage.

Now a group of security companies is following suit, hoping that by combining their efforts, they'll be better able to combat the new, sophisticated attacks.

McAfee, a division of Network Associates, this week will announce a research and development partnership with three anti-DDoS (distributed-denial-of-service) vendors -- Arbor Networks, Asta Networks and Mazu Networks -- with the goal of developing innovative technologies and techniques to detect and prevent DDoS attacks.

The alliance, a first among the normally isolationist security vendors, will involve the member companies exchanging research -- as well as researchers -- in an effort that officials said is just the beginning of a far-reaching initiative.

The long-term goal of the partnership is to develop and deploy a solution that will enable Internet service providers and data centres to identify when their networks are under a DDoS attack and also to discover and eliminate the "zombies" that attackers use to launch their assaults.

"Our research shows that there are tens of thousands of machines out there infected with Trojans," said Vincent Gullatto, senior researcher at McAfee. "We anticipate this problem will only get worse, especially since people seem to be resistant to updating their systems for some reason."

In the meantime, McAfee will announce this week that it has added to its Active Virus Defense product the capability to scan for and eliminate zombies. Anti-virus software typically scans SMTP traffic for email-borne viruses. McAfee's product will now monitor incoming and outgoing HTTP traffic for signs of a DDoS attack.

Arbor, Asta and Mazu were formed in the wake of last year's spate of DDoS attacks against several high-profile Web sites. Their products work by scanning incoming network traffic and searching for signs of packet floods.
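As an added illustration of the two checks described above (the anti-DDoS products' scanning of incoming traffic for packet floods, and McAfee's monitoring of outgoing traffic for zombies), the following example code is not from the original article or from any of the vendors' products. It runs a simple rate-and-fan-in check over flow records: a destination hit by an unusual packet rate is flagged as a flood victim, marked "distributed" when the packets arrive from many sources, and an internal host emitting an unusual outbound rate at a single outside target is flagged as a zombie candidate. The internal address range, window size and thresholds are assumptions, and the flow records are constructed for the example rather than taken from a real capture.

```python
"""Packet-flood and zombie detection over flow records.

Added example (not code from McAfee, Arbor, Asta or Mazu): a minimal version
of the two checks the article describes. The flood detector looks at the
receiving side (a destination hit by an unusual packet rate, from many
sources if the attack is distributed); the zombie detector looks at the
sending side (an internal host emitting an unusual outbound rate at one
target). All records below are constructed for the example, not real captures.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed parameters; tune to the link being monitored.
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed address space of the protected network
WINDOW = 1.0            # seconds per time bucket
FLOOD_PPS = 1000        # packets/second into one destination that counts as a flood
FLOOD_MIN_SOURCES = 20  # distinct sources needed to call a flood "distributed"
ZOMBIE_PPS = 200        # packets/second from one internal host to one external target


def sample_flows():
    """Constructed flow records: (timestamp, src, dst, packets)."""
    flows = []
    # Normal traffic: five outside clients talk to a web server at a low rate.
    for i in range(5):
        flows.append((50.2, f"198.51.100.{i + 1}", "10.0.0.5", 4))
    # Distributed flood: 30 outside hosts each send 60 packets to the same
    # server within one second (1800 pps from 30 sources).
    for i in range(30):
        flows.append((100.1 + i * 0.01, f"203.0.113.{i + 1}", "10.0.0.5", 60))
    # Single-source flood: one host at 1500 pps against another server.
    flows.append((100.4, "192.0.2.44", "10.0.0.6", 1500))
    # Zombie: an internal host hammering an outside target at 400 pps.
    flows.append((100.2, "10.0.1.7", "192.0.2.99", 400))
    # Normal outbound traffic from another internal host.
    flows.append((100.3, "10.0.1.8", "192.0.2.99", 20))
    return flows


def detect(flows, internal=INTERNAL_NET, window=WINDOW,
           flood_pps=FLOOD_PPS, min_sources=FLOOD_MIN_SOURCES,
           zombie_pps=ZOMBIE_PPS):
    """Return (victims, zombies).

    victims: dst -> list of (bucket, pps, n_sources, distributed)
    zombies: internal src -> list of (bucket, dst, pps)
    """
    by_dst = defaultdict(lambda: [0, set()])  # (bucket, dst) -> [packets, sources]
    by_pair = defaultdict(int)                 # (bucket, src, dst) -> packets
    for ts, src, dst, pkts in flows:
        b = int(ts // window)
        by_dst[(b, dst)][0] += pkts
        by_dst[(b, dst)][1].add(src)
        by_pair[(b, src, dst)] += pkts

    # Receiving side: who is being flooded, and from how many sources?
    victims = defaultdict(list)
    for (b, dst), (pkts, sources) in by_dst.items():
        pps = pkts / window
        if pps >= flood_pps:
            victims[dst].append((b, pps, len(sources), len(sources) >= min_sources))

    # Sending side: which internal hosts are blasting a single outside target?
    zombies = defaultdict(list)
    for (b, src, dst), pkts in by_pair.items():
        pps = pkts / window
        if (pps >= zombie_pps and ip_address(src) in internal
                and ip_address(dst) not in internal):
            zombies[src].append((b, dst, pps))
    return dict(victims), dict(zombies)


if __name__ == "__main__":
    victims, zombies = detect(sample_flows())
    for dst, events in victims.items():
        for b, pps, n, distributed in events:
            kind = "DDoS" if distributed else "single-source flood"
            print(f"{kind}: {dst} received {pps:.0f} pps from {n} source(s) in window {b}")
    for src, events in zombies.items():
        for b, dst, pps in events:
            print(f"zombie candidate: {src} sent {pps:.0f} pps to {dst} in window {b}")
```

The distinct-source count is what separates a distributed attack from a single noisy host, and the direction test (internal source, external destination) is what turns a flood detector into a zombie detector; a real deployment would feed both from flow export or a span port and would have to set the thresholds from a baseline of normal traffic rather than the fixed values assumed here.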

The prospect of products combining anti-virus and anti-DDoS technology holds broad appeal for enterprise network administrators.

"That's something we would definitely be interested in. We could sure use it," said Joseph Dalessio, network manager at Major League Soccer LLC, in New York. "We've taken a proactive approach, so we haven't had too many negative experiences, but you never know what's out there. You have to be very conservative and paranoid."

For the anti-DDoS vendors, the partnership with McAfee is a golden opportunity to show that their nascent solutions can detect and shut down these attacks before they cripple corporate networks.

"Their zombie detection technology is a great fit with our products, and we'll be able to send alerts to their product that a system is sending or receiving an attack so that they can point their scans to that part of the network," said Ted Julian, chief strategy officer and co-founder of Arbor.

And the researchers said they're already making some headway in their work. "We're making some progress against the Code Red-type worms," said Steve Purpura, senior program manager at Asta, in Seattle. "This will help us understand how hackers are indexing these vulnerabilities and how to stop them."

Also on the horizon at McAfee is a technology, code-named Stinger, designed to identify programs such as Code Red through the use of advanced scanning and filtering.

For example, Stinger will be able to filter Internet Server API (ISAPI) calls and perform memory scanning. Users will also be able to configure TCP/IP ports manually and receive alerts about anomalous network activity.

Stinger should begin making its way into McAfee products in March and will continue to be integrated into the product line throughout the first half of next year.
