FireEye Malware Intelligence Lab Outlines Guidelines To Combat Global Botnet Epidemic

April 16, 2009 at 12:00 AM EDT

San Francisco/RSA Conference 2009, California - Apr 16, 2009 – FireEye, Inc., the leader in global anti-malware and anti-botnet protection, today outlined a series of steps that individuals and organizations can take in the continuing battle against stealth malware and botnets. Current statistics vary, but estimates indicate that anywhere from 50 to 200 million systems worldwide are infected with stealth malware. Several cyber criminals have already been convicted of running widespread botnets of up to 100,000 machines. And as the global Conficker botnet epidemic continues to evolve and its potential negative ramifications become clearer, it is more important than ever to employ consistent and proactive malware security measures.

FireEye's Malware Intelligence Lab makes the following recommendations:

1) Start with the basics: make sure to regularly patch operating systems, keep antivirus up to date, and tighten up firewall policies to block unwanted traffic from entering and leaving your network. For example, users should consider blocking port 25 for both incoming and outgoing traffic, with the exception of mail server traffic.

2) Run checks for infection symptoms such as out-of-date machines: a clear sign that a system may have stealth malware is when it stops connecting to get antivirus (AV) updates or Microsoft Windows updates. If there is an internal server for AV definition/DAT files, check its logs (sorted by IP address) over a typical update window and see which active IP addresses are missing.

3) Review gateway logs to uncover existing issues: once outbound port 25 is blocked, firewall logs can reveal already infected machines attempting to send spam out of your network. Other things to keep an eye out for include internal IP addresses making unusual numbers of DNS queries, MX lookups, and lookups of .cn, .info, and .ru domains. These are signs of botnet command & control (C&C) server communications.

4) Set up automated, transparent network monitoring: there are new solutions on the market that analyze inbound traffic for malware and outbound traffic for unauthorized C&C server communications. Dark IP honeypots are another option: place 'victim' machines on IP addresses you do not currently use and see whether they get attacked.

"Cyber criminals are relentless in their activities, and are continually fine-tuning their malware and botnets to have an impact on the greatest number of systems possible," said Alex Lanstein, senior security researcher at FireEye. "From outright theft of data to abuse of computing resources, cyber criminals use an array of schemes to infect PCs with stealth malware, and then abuse them to send spam email, spread more malware, steal data, or even attack other networks and computer systems. Both individuals and organizations need to incorporate consistent and proactive steps to minimize the damage of data breaches due to malware. Stealth malware is an invasive element seeking to profit from illegal access into a network."

For the latest updates on malware and botnet research, visit the FireEye Malware Intelligence Lab's blog at

The FireEye security appliances and FireEye Malware Analysis & Exchange (MAX) Network service together provide comprehensive anti-malware and anti-botnet protection. FireEye appliances use virtual victim machines to analyze enterprise networks for Web-malware and related bot activities on compromised machines. The FireEye MAX Network is a globally deployed malware discovery and analysis service that provides subscribers with the most current botnet and Web malware intelligence to complement on-premise anti-malware security appliances. It catalogs and disseminates security intelligence such as the inbound attack vector as well as the outbound call-back channels used to steal data. This is all derived from malware analyses which are conducted by interconnected networks of FireEye security appliances selectively deployed at service providers around the world. FireEye's solution offers the industry's first complete global and local anti-malware protection to precisely identify, understand, and stop emerging botnet and Web malware threats.

FireEye, Inc. is the leader in anti-malware and anti-botnet protection, enabling organizations to protect critical intellectual property, computing resources, and network infrastructure against Web malware and botnet infiltration. Today's most damaging attacks are perpetrated through Web malware that forms into highly organized botnets, or networks of remotely controlled, compromised machines. FireEye delivers a complete solution that is designed from the ground up to detect and protect organizations from advanced Web malware and botnets through global and local intelligence and analysis. The company is backed by Sequoia Capital, Norwest Venture Partners, JAFCO, SVB Capital, DAG Ventures, and Juniper Networks. For more information, contact (408) 321-6300 or email:


©2006-2009 FireEye, Inc. All rights reserved. FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and/or other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.