Damballa: Combating BotArmies to Secure the Internet

Imagine a sophisticated network of Web robots, known simply as “bots,” that can run automated tasks over the Internet and are the root cause for much of the fraud perpetrated online. These software applications secretly install themselves on thousands – even millions – of personal computers, banding them together into BotArmies that maliciously fetch, analyze and store information from PCs and Web servers and commit online crimes.

This scenario is not science fiction. Rather, it’s what The New York Times called a “growing threat” of “zombie computers” last January. This threat is exactly what startup company Damballa, a new member company in Georgia Tech’s Advanced Technology Development Center (ATDC), will combat.

“The problem is that we as a community rely on the Internet for a lot of basic things, and our basic trust assumptions are now compromised,” observed CEO Steve Linowes. “There’s a fundamental change in the way compromises are happening. Traditionally, machines have been targets, meaning that the whole purpose of the attack was to go and conduct fraud or kill files on that particular machine. Now, they’re compromising the machine in order to commit fraud somewhere else.”

BotArmies are controlled by a BotMaster, who directs a vast number of bot-compromised computers via a command and control server. BotArmies are frequently used for distributed denial of service attacks; spamming; “sniffing” and “key logging,” which capture user information such as e-mails, home banking data, PayPal account information and passwords; identity theft; and hosting illegal software.

“These BotMasters are very smart and financially motivated. As a result, they are extremely stealthy,” noted Linowes. “They are renting and selling these armies online, and we’ve seen as many as four million machines under a single person’s control. We estimate that about 11 percent of the Internet is bot-compromised. Solving such a considerable problem has proven to be difficult because the BotMaster has a very real monetary incentive to stay ahead of traditional security countermeasures.”

The threat of bots is certainly a pervasive one. Approximately 90 percent of all spam originates from BotArmies, and 75 percent of enterprise organizations will be infected with bot malware in the next 12 months. The average cost to an organization is 50 to 100 times greater than a virus attack. And, according to Linowes, even the most prestigious enterprise organizations can become compromised without knowing it.

Damballa’s powerful and unique approach to identifying bots and their associated BotArmies uses a series of sensors embedded across the fabric of the Internet to monitor Internet traffic from key listening posts in order to identify fraudulent communications associated with BotArmies.

“We’ve built a platform that collects data from this range of sensors, brings it back into our analysis center, correlates the information, and then delivers it to our customers via structured data feeds that enable our customers to identify BotArmies and mitigate the threat,” said Linowes.
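The command-and-control model described above, and the collect-correlate-deliver pipeline Linowes outlines, can be illustrated with a small correlation step. The following is an added example, not Damballa’s code and not a description of its actual detection methods: it takes flow records from several hypothetical sensors, groups them by destination, and flags destinations that several distinct hosts contact on a regular schedule, the "calling home" pattern a bot exhibits toward its command and control server. The sensor names, the RFC 5737 documentation addresses, the flow records and the thresholds (`min_hosts`, `max_cv`) are all constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def beacon_score(timestamps, min_connections=4):
    """Return (mean_interval, coefficient_of_variation) for one host's
    connections to one destination, or None if there are too few to judge.
    A low coefficient of variation means the host calls home on a fixed
    schedule, which is typical of bot check-ins and rare for human browsing."""
    times = sorted(timestamps)
    if len(times) < min_connections:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_c2_candidates(flows, min_hosts=3, max_cv=0.2):
    """Correlate flow records from all sensors and return destinations that
    at least `min_hosts` distinct sources beacon to with regular timing.
    Each flow is (sensor, timestamp_seconds, src_ip, dst_ip, dst_port)."""
    by_dst = defaultdict(lambda: defaultdict(list))   # (dst, port) -> src -> [ts]
    sensors = defaultdict(set)                         # (dst, port) -> {sensor}
    for sensor, ts, src, dst, port in flows:
        by_dst[(dst, port)][src].append(ts)
        sensors[(dst, port)].add(sensor)

    candidates = []
    for (dst, port), per_src in by_dst.items():
        beaconers = {}
        for src, times in per_src.items():
            score = beacon_score(times)
            if score is not None and score[1] <= max_cv:
                beaconers[src] = score[0]
        if len(beaconers) >= min_hosts:
            candidates.append({
                "dst": dst,
                "port": port,
                "hosts": sorted(beaconers),
                "sensors": sorted(sensors[(dst, port)]),
                "interval": round(mean(beaconers.values()), 1),
            })
    return candidates


def _beacon(sensor, src, dst, port, start, period, count, jitter):
    """Constructed check-in traffic: `count` connections every `period`
    seconds with a small, fixed jitter pattern so the example is deterministic."""
    return [(sensor, start + i * period + jitter[i % len(jitter)], src, dst, port)
            for i in range(count)]


# Constructed sample data (hypothetical sensors, documentation-range IPs):
# three internal hosts, seen by two different sensors, all check in with
# 203.0.113.7:6667 roughly every 300 s; one host also browses a web server
# at irregular intervals, which must not be flagged.
SAMPLE_FLOWS = (
    _beacon("sensor-east", "10.0.1.5", "203.0.113.7", 6667, 1000, 300, 6, [0, 3, -2, 1, 4, -1])
    + _beacon("sensor-east", "10.0.1.9", "203.0.113.7", 6667, 1040, 300, 6, [2, -1, 0, 3, 1, -2])
    + _beacon("sensor-west", "10.0.2.17", "203.0.113.7", 6667, 1100, 300, 6, [-3, 0, 2, 1, -1, 0])
    + [("sensor-east", t, "10.0.1.5", "198.51.100.10", 443)
       for t in (1005, 1012, 1300, 1310, 1900, 2450)]
)


if __name__ == "__main__":
    for candidate in find_c2_candidates(SAMPLE_FLOWS):
        print(candidate)
```

The output of this correlation is the kind of structured record a data feed might carry: the suspected command and control endpoint, the hosts observed beaconing to it, which sensors saw them, and the check-in interval. The heuristic has obvious limits that a real system must address: legitimate pollers such as NTP clients and software update checks also beacon regularly and need allowlisting, and a bot that randomises its check-in interval or rotates its controller address will not show up as a single periodic destination.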

Damballa originated in VentureLab, a Georgia Tech program that provides comprehensive assistance to faculty members, research staff members and graduate students who want to form startup companies to commercialize the technology innovations they have developed.

“We are honored to be part of VentureLab and the ATDC family,” continued Linowes. “ATDC is known to produce high-growth companies, and we look forward to leveraging the resources offered to enhance Damballa’s presence in the market.”

Research News & Publications Office
Enterprise Innovation Institute
Georgia Institute of Technology
75 Fifth Street, N.W., Suite 314
Atlanta, Georgia 30308 USA

Media Relations Contact: John Toon (404-894-6986); E-mail: (john.toon@innovate.gatech.edu).

Writer: Nancy Fullbright