FireEye network battles bots

Botwall Network puts malware appliances in service provider networks

By Tim Greene, Network World
September 24, 2007 01:55 PM ET

FireEye is installing malware detectors in ISP networks so it can tell its corporate customers when their machines have been commandeered by bots.

The company has installed between 10 and 20 nodes of its Botwall appliances in the networks of five ISPs to locate bot command-and-control servers and individual zombie PCs that have been taken over by bots.

Called Botwall Network, the service reports which machines in customer networks are communicating with bot servers or are attempting to propagate bot malware to other machines, says Ashar Aziz, president and CEO of FireEye.

The company recommends that these machines be reimaged to make sure the bot software is eliminated entirely.

“The idea is that by putting their appliances in with ISPs, they can see more traffic and can react better at client sites,” says Raffi Jamgotchian, CIO of Canaras Capital in New York City. Canaras has a FireEye appliance in its network to detect many kinds of malware, but the network service can help pinpoint bots, he says.

The network can also give a broader perspective on attacks, says John Oltsik, an analyst with Enterprise Strategy Group. For instance, if bot activity is detected in the Asia-Pacific region via Botwall Network, that can help customers in regions where the bot has not yet started to work protect themselves, he says.

FireEye gear monitors network traffic looking for anomalies and suspicious traffic patterns, and when it identifies suspect code, runs it on virtual machines within the Botwall appliance to determine whether it is malicious and what it does when executed.

The devices can block malicious traffic using port blocking, null routing or TCP connection resets. They also log suspicious activity and the actions they take, and alert IT management to traffic they flag.

With Botwall Network, customers can let their FireEye appliances report suspicious behavior to the network to add data on overall global malware activity. FireEye will not reveal in which service provider networks it has established nodes of Botwall Network.

The approach is similar to Symantec’s DeepSight System, which also uses customer input to discover threat behaviors on the Internet, Oltsik says.

FireEye is also introducing two new Botwall appliances, the Botwall 4100 and the Botwall 4700. They have the same features as the company’s earlier Botwall 4200, but differ in performance.

The previous 4200 has 1Gbps throughput and the 4100 has 250Mbps, while the 4700 has 6Gbps of throughput.

Botwall 4100 costs $10,000 for the hardware plus $10,000 per year for software maintenance, which includes reports from Botwall Network. Botwall 4700 costs $60,000 plus $60,000 per year for software maintenance.  
