Sophos ZombieAlert Service identifies spammer-controlled computers on business networks

July 13, 2005 Sophos Press Release

Sophos, a world leader in protecting businesses against spam and viruses, has announced the launch of Sophos ZombieAlert™, a new alert service that identifies 'zombie' computers on an organisation's network. Zombie computers are infected machines that give control to unauthorised and remote users, allowing them to send spam from the computer or to launch email-based Denial-of-Service (DoS) attacks.

SophosLabs, Sophos's global network of virus and spam analysis centres, estimates that more than 50 percent of all spam today originates from zombie computers. In May, the Sober-Q Trojan horse and Sober-N worm worked in tandem to infect and hijack computers around the world, programming them to spew out German nationalistic spam during an election. As spammers become more aggressive - collaborating with virus writers to create armies of zombie computers - legitimate organisations with hijacked computers are being identified as a source of spam. This not only harms the organisation's reputation, but can also cause the company's email to be blocked by others.

ZombieAlert advises service subscribers when any computer on their network is found to have sent spam to Sophos's extensive global network of spam traps, and provides rapid notification to customers if their Internet Protocol (IP) addresses are listed in public Domain Name Server Blackhole Lists (DNSBL). This information helps customers locate, disinfect, and protect these systems from future attacks.

"Aside from consumers, organisations such as educational institutions and governments probably face the greatest risk of becoming part of a zombie computer network because they have both remote and home users," said Carole Theriault, security consultant at Sophos. "ZombieAlert never sleeps, providing round-the-clock surveillance of spam seen spreading across the internet, and determining its origin."

For Internet Service Providers (ISPs), the problem is equally critical, since consumers are also prominent targets. This service enables ISPs to identify and alert consumers to the threat while providing the opportunity to recommend that end-users practice safe computing habits.

"Sophos's global network of threat analysis centres is ideally positioned to advise on new and emerging threats, such as compromised computers spewing spam," continued Theriault. "Once compromised computers have been identified by the service, we can help affected users remedy the situation, clean up their systems and fortify their defences against future attack."

"Sophos is the first vendor we know of to offer an on-the-fly alert service that advises organizations that they are being used to host zombies," said David Ferris of Ferris Research. "This service is unique and very timely. I would anticipate that competitors would soon follow suit."

"Our IT support staff spends a lot of effort and has good success protecting desktop systems and servers," said Alan Pfeiffer-Traum, enterprise system administrator and electronic mail postmaster at the University of Houston. "It's a real challenge to extend that protection to computers that faculty and students bring with them to campus every day, not to mention those that access the campus VPN. Despite our efforts, zombies happen. ZombieAlert is a very effective tool to catch those hijacked computers in the act. I especially appreciate that I don't have to depend on received complaints to be alerted - I can say we detected the abuse through our own monitoring."