02:22 PM

ZombieAlert Scours Corporate Networks For Spam-spewing PCs

A U.K.-based security firm is touting a new service that scours corporate networks for zombies -- PCs that have been hijacked without the owner's knowledge and turned into spam-spewing engines.

Sophos on Wednesday launched the alert service, dubbed ZombieAlert, that warns business, educational, and government administrators when some of the machines on their networks turn into the walking dead. So-called "zombies" account for more than half the world's spam, said Sophos.

Tracking down zombies, however, isn't easy.

Rather than monitoring systems internally for evidence of spam zombies, Sophos analyzes the millions of messages passing through its spam traps -- sometimes called "honeypots" -- traces such spam to its originating domain and IP address, then notifies customers when one of their machines is found sending spam.

"Once we get spam, we identify who it's from -- down to the machine within a company -- contact the administrator directly and point him to where the spam's coming from," said Gregg Mastoras, a senior security analyst at Sophos.

ZombieAlert, said Mastoras, is a more flexible and less intrusive way to spot anomalous behavior than traditional traffic monitoring. "Zombie traffic isn't always consistent. It will come on for a day or two, then go away, only to come back later. And many zombie controllers purposefully run a small number of messages through each zombie, hoping to escape detection."

ZombieAlert, however, will notify an administrator at the first instance of a detected spam message coming from a network.
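The detection flow the article describes (trace a trapped spam message back to its originating IP, map that address to a subscribing network, and raise an alert on the first sighting even when the zombie sends only a handful of messages) can be illustrated in a few dozen lines. The code below is an added example written for this article, not Sophos's ZombieAlert implementation; the customer registry, the spam-trap messages and the hostnames in them are constructed, and the only trusted hop is the Received line written by the trap's own mail server, since the lines beneath it arrive with the message and may be forged.

```python
import email
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical subscriber registry (constructed for this example): the address
# blocks each customer has registered and the contact to notify.
CUSTOMER_NETWORKS: Dict[str, Tuple[str, str]] = {
    "example-university": ("192.0.2.0/24", "abuse@example-university.example"),
    "example-corp": ("198.51.100.0/24", "postmaster@example-corp.example"),
}

# Constructed spam-trap captures. The topmost Received line is the one the trap's
# own server added; lower Received lines came with the message and may be forged.
SPAM_TRAP_MESSAGES: List[str] = [
    "Received: from dsl-45.example-university.example ([192.0.2.45]) by trap.example.net; Wed, 20 Apr 2005 08:10:11 -0400\n"
    "Received: from mail.bigbank.example ([203.0.113.9]) by dsl-45.example-university.example; Wed, 20 Apr 2005 08:10:10 -0400\n"
    "From: lottery@bigbank.example\nTo: trap1@trap.example.net\nSubject: You won\n\nClaim your prize\n",
    # The same zombie two days later: intermittent, low-volume sending.
    "Received: from dsl-45.example-university.example ([192.0.2.45]) by trap.example.net; Fri, 22 Apr 2005 03:41:02 -0400\n"
    "From: deals@pharma.example\nTo: trap2@trap.example.net\nSubject: Cheap meds\n\nBuy now\n",
    # A forged lower Received line naming a customer address; the trusted hop is elsewhere.
    "Received: from unknown ([203.0.113.77]) by trap.example.net; Sat, 23 Apr 2005 11:00:00 -0400\n"
    "Received: from pc.example-corp.example ([198.51.100.5]) by unknown; Sat, 23 Apr 2005 10:59:59 -0400\n"
    "From: hr@example-corp.example\nTo: trap1@trap.example.net\nSubject: Invoice\n\nSee attached\n",
    "Received: from wks-200.example-corp.example ([198.51.100.200]) by trap.example.net; Sun, 24 Apr 2005 09:15:30 -0400\n"
    "From: news@stocks.example\nTo: trap3@trap.example.net\nSubject: Hot tip\n\nBuy XYZ\n",
]

# Dotted-quad address in square brackets, as MTAs write it in Received headers.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message: str) -> Optional[str]:
    """Return the peer address recorded by the trap's own server (topmost Received)."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP_RE.search(received[0])
    if not match:
        return None
    try:
        ipaddress.ip_address(match.group(1))  # reject malformed octets such as 999
    except ValueError:
        return None
    return match.group(1)


def match_customer(ip: str) -> Optional[Tuple[str, str]]:
    """Map an IP to the registered customer network containing it, if any."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, contact) in CUSTOMER_NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return name, contact
    return None


def count_sightings(messages: List[str]) -> Dict[str, int]:
    """How many trapped messages each originating IP sent; shows the on/off pattern."""
    counts: Dict[str, int] = {}
    for raw in messages:
        ip = originating_ip(raw)
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def zombie_alerts(messages: List[str]) -> List[Dict[str, str]]:
    """One alert per (customer, IP) on the first sighting; later messages add nothing."""
    seen = set()
    alerts: List[Dict[str, str]] = []
    for raw in messages:
        ip = originating_ip(raw)
        if ip is None:
            continue
        hit = match_customer(ip)
        if hit is None:
            continue  # not a subscriber's address: nothing to notify
        name, contact = hit
        if (name, ip) in seen:
            continue
        seen.add((name, ip))
        alerts.append({"customer": name, "contact": contact, "ip": ip})
    return alerts


if __name__ == "__main__":
    for alert in zombie_alerts(SPAM_TRAP_MESSAGES):
        print(f"notify {alert['contact']}: spam observed from {alert['ip']} ({alert['customer']})")
```

The third message is the instructive one: its lower Received line claims an address inside example-corp's block, but the hop the trap itself recorded is 203.0.113.77, so no alert is raised for that customer. The same principle applies when an administrator reads an alert: the address to act on is the one observed by the trap, not whatever the message body or forged headers claim.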

One beta test site, the University of Houston, called the service "a very nice add-on" to existing security defenses.

"Our traffic monitoring would catch the really bad cases," said Alan Pfeiffer-Traum, the university's enterprise system administrator. "But not the typical zombie. So we depended mostly on complaints. But this way I can say we detected the abuse through our own efforts."

Within the first two weeks of using the service, Pfeiffer-Traum was alerted to a half-dozen zombie cases, most of them involving one or two PCs each, almost all of them student systems in the university's residence halls.

"One way to tackle the problem [of spam zombies] might be to restrict outbound SMTP traffic, but that's really impossible in our situation. For the students on campus, the dorm is like their home, and they look to us as their ISP. This really fits into our process."

After he receives an alert, said Pfeiffer-Traum, he notifies support staff, who immediately disable the offending machines' ability to send mail. Later, a tech support representative makes a house call and cleans the PC of the malicious code that made it a zombie in the first place.

ZombieAlert, which is rolling out first in North America and Australia -- later in Europe and Asia -- can be added to existing Sophos services or purchased separately. A ballpark price, said Mastoras, is approximately $15,000 annually.
