
Countering the Zombie Threat

Commtouch Approach

Amir Lev, President and CTO, Commtouch


amir.lev@commtouch.com
May 2008
Zombies - The Core of Malicious Activity
• Financial Fraud
• Blended Threats
• DDoS
• Spam
• Phishing (Fast Flux)
• Malware

www.commtouch.com
Zombies - Main Source for Messaging Threats
Zombie-generated spam has escalated in quantity and size
• 85% of all unwanted mail; 130 billion messages daily
• Attachments (PDF, Image) bloat bandwidth and storage
Zombie-generated malware speed has skyrocketed
• 1000s of variants
• Traditional AV has built-in delay
Zombie-generated blended threats mounting
• Multiple malicious activities using the same infection source

Zombie Web Threats
• Phishing – Hosting spoofed web sites to acquire sensitive information
• DDoS – Enormous financial losses by paralyzing critical online systems
• Click Fraud – 15.8% of all advertising clicks are fraudulent (Click Forensics Q2-07)
• Financial Fraud – Theft of sensitive data & conducting online transactions
No One Is Immune
Targeted Population       Zombie Threat
Enterprises               Theft or leakage of sensitive data, DDoS, spam
ISPs                      Customer dissatisfaction, wasted IT resources due to blocked IPs
Advertising Providers     Revenue losses from click fraud
Home Users                Identity theft, financial scams, spam, malware
Financial Institutions    Credit card and other financial fraud

Anatomy of a Zombie
Number of active zombies per day                 5-10 million
Typical number of zombies per single botnet      10,000-200,000
New zombies that come ‘alive’ every 24 hours     200,000-500,000
Typical zombie activities                        Spam, phishing, malware, command & control, data theft, click fraud
Spam activity on the Internet                    Over 85% of global spam accounted for by zombies
Typical number of messages a botnet sends        Up to 1 billion spam messages in a few hours
Newly Active Bots per day
377,000 zombies/Bots are activated each day, on average

Source: Commtouch Online Lab


Global Distribution of Bots

Source: Commtouch Online Lab, http://www.commtouch.com/Site/Resources/ZombieMonitor.asp
Active Zombies: Activity Level Breakdown

Source: Commtouch Online Lab, http://www.commtouch.com/Site/Resources/ZombieMonitor.asp
Using “In-the-cloud” Pattern Detection to Identify Threats
Recurrent Pattern Detection™ (RPD)
Patent #6-330-590
1. Smart Collection of traffic data:
• Strategically located collectors plus thousands of deployed products
• Global traffic gathering
• Billions of transactions

2. Pattern Analysis:
• Email structure patterns – identify that a message is being sent in high volume (plus speed of distribution)
• Distribution patterns – detecting source(s) of distribution for threat classification
“In the Cloud” Pattern Detection

Comprehensive Traffic Coverage
Traffic Source               Traffic Types
Backbone service providers   Consumer, SMB, enterprise
Desktop SW vendors           Consumer
MSPs                         SMB
Appliance vendors            Enterprise
For over 1 billion messages per day: sender IP and spam/virus data is collected
Using Spam Patterns to Detect Zombies
(Diagram: flow of sender IPs from detected spam patterns into the zombie database)
1. Billions of messages analyzed
2. Attack patterns detected
3. Patterns are IP sourced
4. IPs collected in database
5. Database continually updated
6. Newly discovered IPs added
7. Time to Live on all IPs assures information remains up to date
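The RPD pattern analysis described earlier and the IP pipeline on this slide, worked through as an added Python sketch (not Commtouch's code): a structural fingerprint of each message is counted across collectors, a pattern that recurs at high volume within a short window turns its sender IPs into listed zombies, and a Time to Live expires entries that have not been seen again. The thresholds, window, fingerprint features and the RFC 5737 sample addresses are assumptions.

```python
# Added illustration of the slide's pipeline: fingerprint recurrence across collectors
# -> attribute the sending IPs -> expire stale IPs by TTL. Not Commtouch's RPD code.
from collections import defaultdict
import hashlib
VOLUME_THRESHOLD = 3   # assumed: sightings inside one window before a pattern is an outbreak
WINDOW_SECONDS = 300   # assumed: "speed of distribution" window
TTL_SECONDS = 3600     # assumed: an IP drops off the list after this long without a sighting

def fingerprint(msg):
    """Structural fingerprint: subject shape, MIME layout, attachment types; no body text."""
    feats = (msg["subject_shape"], msg["mime"], tuple(sorted(msg["attachments"])))
    return hashlib.sha256(repr(feats).encode()).hexdigest()[:16]

class ZombieTracker:
    def __init__(self):
        self.sightings = defaultdict(list)   # fingerprint -> [(ts, sender_ip)]
        self.last_seen = {}                  # sender_ip -> ts of last outbreak sighting
    def report(self, msg, ts):
        """Record one message from a collector; return the fingerprint once it is an outbreak."""
        fp = fingerprint(msg)
        self.sightings[fp].append((ts, msg["src_ip"]))
        recent = [(t, ip) for t, ip in self.sightings[fp] if ts - t <= WINDOW_SECONDS]
        if len(recent) < VOLUME_THRESHOLD:
            return None
        # Pattern recurs at high volume: every IP that sent it is attributed as a zombie.
        for t, ip in recent:
            self.last_seen[ip] = max(self.last_seen.get(ip, 0), t)
        return fp

    def active_zombies(self, now):
        """Expire IPs not seen within TTL so the list stays current, then return the rest."""
        for ip in [ip for ip, t in self.last_seen.items() if now - t > TTL_SECONDS]:
            del self.last_seen[ip]
        return sorted(self.last_seen)

# Constructed sample traffic (RFC 5737 documentation addresses), not real sightings.
PDF_SPAM = {"subject_shape": "WORD WORD digits", "mime": "multipart/mixed", "attachments": ["pdf"]}
NEWSLETTER = {"subject_shape": "WORD WORD", "mime": "text/html", "attachments": []}
SAMPLE = [
    (0,   dict(PDF_SPAM, src_ip="192.0.2.10")),
    (60,  dict(NEWSLETTER, src_ip="198.51.100.7")),
    (90,  dict(PDF_SPAM, src_ip="203.0.113.5")),
    (120, dict(PDF_SPAM, src_ip="192.0.2.44")),   # third sighting in the window: outbreak
]

def run_sample():
    """Feed the sample, then list zombies shortly after and again once two have aged out."""
    tracker = ZombieTracker()
    outbreaks = [fp for ts, msg in SAMPLE if (fp := tracker.report(msg, ts)) is not None]
    return outbreaks, tracker.active_zombies(now=200), tracker.active_zombies(now=3700)
```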
Using Patterns to Map the Bot Nets

Crossing Phishing and Zombie Sources
(Chart: risk level vs. IPs)
Zombies & Commtouch Offerings
Zombie Data
• Anti-Spam Detection Center
• Zero-Hour Virus Protection
• GlobalView Mail Reputation
• GlobalView Zombie Intelligence
• Web Security

About Commtouch (NASDAQ: CTCH)
• Messaging vendor since 1991
• Developing outbreak detection technology since 1998
• “In-the-cloud” computing pioneers (since 1996)
• More than 50,000,000 mailboxes protected by Commtouch via appliances, gateways, managed services, desktop applications
• About 100 OEM Partners, including Check Point, Openwave, Tumbleweed, Watchguard, Sendmail, F-Secure, Proofpoint…
• Profitable company, positive cash flow, double digit growth
Partners Are Our Business
Email Security Network Security Anti-Virus Managed Services

Thank You

Amir Lev
amir.lev@commtouch.com
