Daily Archives: August 17, 2006

Startup Aims to Detect and Thwart Botnets

An Atlanta-based startup company, an outgrowth of research conducted at the Georgia Institute of Technology, believes it can passively identify botnet communications and then take proactive measures to thwart bots from working in concert to wreak Internet havoc.

The company’s name is Damballa, and it received $2.5 million in Series A funding in June (or perhaps in April) from venture capital firms Sigma Partners, Noro-Moseley Partners, and Imlay Investments, as well as others. Its core technology is based on research led by Merrick Furst, an associate dean at Georgia Tech’s College of Computing and a noted researcher of bot behavior.

Furst, the president of the new company, recruited some of his research colleagues from Georgia Tech to Damballa, which named veteran Internet executive Steve Linowes as its CEO earlier this year.

Citing its stealth status, the principals behind Damballa have been reluctant to speak publicly about what the company is doing, but we do know that whatever they’re doing is being done exclusively for US federal government agencies, at least for now.

Actually, we have a pretty good idea what Damballa is attempting to do.

In an interview with CNN in late January, Furst explained botnets and how they work. He also listed the various types of damage that botnets could unleash, including denial-of-service (DoS) attacks and associated extortion scams, distributed spam onslaughts, key logging, click fraud (which targets advertisers who use advertising platforms such as Google’s), and trust fraud (which targets buyers on auction sites such as eBay).

Furst revealed that bots could account for seven percent of Internet-connected computers, which translates into 75 million to 100 million personal computers conscripted for malicious purposes by so-called botmasters. In Georgia Tech’s laboratory, Furst and his team had collected the IP addresses of 12 million machines that belonged to botnets.

Click fraud is a hot topic at the moment, so here is an excerpt of Furst discussing how botmasters use their zombie minions to do their nefarious bidding:

So let me tell you how a botmaster makes money with click fraud. … They’ll build a Web site that looks like a normal Web site. They’ll put up banner ads, or other types of ads on their Web site, and these are ads served up by Google. Google contracts an advertiser to put up ads on sites — [unwittingly] contracts the botmaster online to put up ads on that botmaster’s site. … So [the botmaster] commands the machines in his bot army to click on the ads on this site. Every time one of his machines clicks, the message goes back to Google, Google charges the advertiser, the advertiser pays Google, Google keeps 20 percent and [unwittingly] gives 80 percent to the botmaster. … Let’s say even if [the botmaster] controls a small army of 5,000 machines, which is very small in this game — he can make $15,000 a month in click fraud.

One might think it would be worth Google’s time and effort to invest in or otherwise support a new venture looking to combat that sort of malevolence.

There’s no question that Furst cited real problems in the CNN interview, but does his team at Damballa have a silver bullet that can slay the criminal threats posed by botmasters and the effectiveness of their zombie armies?

Since Damballa isn’t revealing anything about what it will develop and when it will reach market, it’s impossible for us to pass definitive judgment. Still, some clues exist that strongly delineate the approximate technology foundations on which the company is likely to build its first commercial products.

In a research paper published on the Advanced Computing Systems Association’s Usenix website, researchers from Georgia Tech describe how monitoring lookups against DNS-based blacklists (DNSBLs) can help identify bots and ultimately frustrate their interactions with members of their own and other botnets in real time. One of the core observations from their research, on which Damballa might be building a commercial product, is that the DNSBL lookups made by bots — which check whether they themselves, or other bots on their own botnet or another botnet, have been blacklisted — evince different patterns than the lookups initiated by legitimate computer systems, such as email servers.

At first glance, it would seem this approach has some potential. Then again, what’s to stop malicious botmasters from varying the behavior of the bots under their command to escape known pattern-recognition detection? Furthermore, there remain several unanswered questions relating to the approach described in the research paper, including how such a system would avoid false positives — such as wrongly identifying an email system or other legitimate computer as a bot.
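To make the idea concrete, here is an added example (not code from the Georgia Tech paper or from Damballa) that applies the two lookup patterns the post describes to a DNSBL query log: a host checking whether it is itself blacklisted (a self-lookup), and a host whose lookups mostly target other hosts that are themselves issuing DNSBL lookups (peers on a botnet), rather than the arbitrary senders a mail server checks. The zone name `dnsbl.example.`, the log format, the IP addresses, the `peer_threshold` and the `known_mail_servers` allowlist are all assumptions of this example; the threshold and allowlist exist precisely because of the false-positive concern raised above, since two legitimate mail servers that exchange mail will look each other up.

```python
"""Toy DNSBL lookup-pattern detector (added example; not Georgia Tech's or Damballa's code)."""
from collections import defaultdict
import re

DNSBL_ZONE = "dnsbl.example."  # assumed blacklist zone name

# Constructed DNSBL query log: timestamp, querying client, queried name.
# A DNSBL lookup for 192.0.2.20 is a query for "20.2.0.192.<zone>" (octets reversed).
# 198.51.100.5 plays a legitimate mail server; 192.0.2.20-22 play bots.
SAMPLE_LOG = """\
2006-08-17T10:00:01 client 198.51.100.5 query 7.113.0.203.dnsbl.example.
2006-08-17T10:00:02 client 198.51.100.5 query 8.113.0.203.dnsbl.example.
2006-08-17T10:00:03 client 198.51.100.5 query 20.2.0.192.dnsbl.example.
2006-08-17T10:00:04 client 192.0.2.20 query 20.2.0.192.dnsbl.example.
2006-08-17T10:00:05 client 192.0.2.20 query 21.2.0.192.dnsbl.example.
2006-08-17T10:00:06 client 192.0.2.20 query 22.2.0.192.dnsbl.example.
2006-08-17T10:00:07 client 192.0.2.21 query 20.2.0.192.dnsbl.example.
2006-08-17T10:00:08 client 192.0.2.21 query 22.2.0.192.dnsbl.example.
2006-08-17T10:00:09 client 192.0.2.22 query 22.2.0.192.dnsbl.example.
2006-08-17T10:00:10 client 198.51.100.5 query www.example.com.
"""

LINE_RE = re.compile(r"^\S+ client (\S+) query (\S+)$")


def qname_to_ip(qname):
    """Turn '20.2.0.192.dnsbl.example.' back into '192.0.2.20'; None if not a DNSBL lookup."""
    if not qname.endswith("." + DNSBL_ZONE):
        return None
    labels = qname[: -len(DNSBL_ZONE) - 1].split(".")
    if len(labels) != 4 or not all(l.isdigit() and 0 <= int(l) <= 255 for l in labels):
        return None
    return ".".join(reversed(labels))


def build_lookup_graph(log_text):
    """Map each querying host to the set of addresses it looked up in the DNSBL."""
    graph = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        target = qname_to_ip(m.group(2))
        if target is not None:
            graph[m.group(1)].add(target)
    return dict(graph)


def classify_queriers(graph, peer_threshold=0.5, known_mail_servers=frozenset()):
    """Return {querier: [reasons]} for hosts whose lookup pattern resembles bot reconnaissance.

    Heuristic 1: the host looked up its own address.
    Heuristic 2: at least peer_threshold of the other addresses it looked up are
    themselves DNSBL queriers in the same log (likely botnet peers, not mail senders).
    Hosts in known_mail_servers are skipped to limit false positives.
    """
    queriers = set(graph)
    suspects = {}
    for host, targets in graph.items():
        if host in known_mail_servers:
            continue
        reasons = []
        if host in targets:
            reasons.append("self-lookup")
        others = targets - {host}
        if others:
            peer_fraction = len(others & queriers) / len(others)
            if peer_fraction >= peer_threshold:
                reasons.append(f"peer-lookup ratio {peer_fraction:.2f}")
        if reasons:
            suspects[host] = reasons
    return suspects


if __name__ == "__main__":
    for host, reasons in sorted(classify_queriers(build_lookup_graph(SAMPLE_LOG)).items()):
        print(host, "->", ", ".join(reasons))
```

On the constructed log, the mail server is left alone (only one of its three lookup targets is itself a querier), while the three bots are flagged for self-lookups, peer lookups, or both. Lowering `peer_threshold` to 0.3 flags the mail server too, which is the false-positive trade-off the post worries about; a real deployment would tune the threshold on observed mail-server behaviour and maintain the allowlist.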

From my digging, I have been able to discover that Damballa’s early government-agency customers probably are the Federal Bureau of Investigation (FBI) and the US Navy.

I think Damballa has the potential to make a significant contribution to the battle against pernicious botnets, but, like so many security approaches and technologies before it, Damballa’s probable offerings will be in a constant race to stay one step ahead of endlessly creative online malefactors.

Lenovo Poaches Two More Dell Executives in Asia

The Lenovo Group continues its push to restock its Asian executive suites with Dell refugees.

According to a news story from the Associated Press, two of Dell Inc.’s top Asian executives, including the head of its China business, have left the tottering PC market leader to take similar positions at Lenovo.

David D. Miller, former president of Dell China, has been named Lenovo’s Asia-Pacific president and senior vice president. Miller joined Dell in 2000; he led its Australian operations before shifting to China last year. In his new role, Mr. Miller will be based in Singapore, rather than with Lenovo’s other top brass in Beijing.

Meanwhile, Sotaro Amano, former corporate director of Dell’s Japanese home and business sales, will become president of Lenovo Japan Ltd., effective Sept. 1.

These moves were anticipated by many observers. Miller and Amano are following in the footsteps of Bill Amelio, who ran Dell’s Asia Pacific business before becoming Lenovo’s chief executive officer in December.

Still, anticipated or not, these moves represent yet another significant setback for Dell, whose numerous product-quality and customer-service travails are tarnishing the company’s brand and reputation.

In Asia, both Lenovo and HP are said to be gaining competitive ground at Dell’s expense. It won’t get any easier now, with Dell having to replace key executives in high-growth Asian markets.

HP Puts Boots to Dell, Chugs Along Across the Board

Hewlett-Packard shares traded at a 52-week high today after the company announced fiscal third-quarter results and guidance for the fourth quarter that surpassed the expectations of market analysts.

I won’t dwell on the results here since you can find them on HP’s website, and relatively extensive coverage has been provided in the business press and on the newswires.

There are a few points, however, that I wish to belabor.

First, HP is on track to surpass IBM as the biggest revenue-generating company in the technology industry. In fact, during the past twelve months, HP already has vaulted past IBM, with $90 billion in revenue compared to IBM’s $88.5 billion. That’s a development that wasn’t widely foreseen a year back, and it’s a testament to what HP has done right as well as to what IBM has failed to do.

Second, the inexorable efficiency of HP CEO Mark Hurd’s executive team is eliminating bureaucracy and gratuitous costs from HP’s capital and operational expenditures. Now, the concern is whether they will know when to stop.

Third, HP is outpacing the industry in PC sales, clearly taking away share from Dell in both the fast-growing notebook segment and in desktops. Again, HP has benefited as much from Dell’s miscues as from its own improved execution. Dell cannot seem to get through a week without experiencing an incendiary laptop, a service-related misadventure, an unprecedented battery recall, product-quality issues, or falsely advertised product specifications.

Even so, HP can only make those market-share gains sustainable if it avoids falling into the same trap that ensnared Dell. HP must spend enough on its products, and attendant support services and marketing programs, to retain a quality and execution advantage.

Dell became obsessed with wringing costs from a structure that already was too lean, and it got to the point where it was cutting muscle, not fat. Consequently, Dell’s hyper-efficiency mania had deleterious effects on product quality, customer service, and ultimately — and perhaps permanently — on the company’s brand.

HP needs to learn from its competitor’s myopia and to show more foresight and perspective.

Finally, HP didn’t mention its ProCurve networking group at all in announcing these latest results. It is impossible — well, for me, anyway — to ascertain where HP accounted for the revenue and earnings that the group generated. That leads me to think that ProCurve remains on the block, and that it might be divested before the end of the calendar year.