Botnets--armies of enslaved computers that have been infected with carefully crafted worms or viruses--are responsible for more than 80 percent of the over 100 billion spam messages e-mailed daily. Antivirus programs are often ineffective against them, because the software typically works by scanning a computer for signatures of known viruses--and the viruses that turn computers into bots are often too new for these characteristic patterns to have been identified. Christopher Kruegel, a security researcher in the computer science department at the University of California, Santa Barbara, has developed technology that can ferret out an infection even if the virus or worm has no known signature. In 2009, he cofounded a startup called LastLine to commercialize the technology.
It works by detecting when a botnet virus is communicating with its master servers, as it must do to get its commands or to send back data--say, your passwords and credit card numbers. To identify these communications amid legitimate network traffic, Kruegel's research group analyzed tens of thousands of malware samples per day and teased out the command-and-control messages common to botnets.
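The detect-then-block workflow sketched above, as an added example that is not Kruegel's or Lastline's code. It stands in constructed regular expressions for the command-and-control message patterns the article says were distilled from malware samples (the bot family names, URL paths, header names and the two thresholds are invented), adds a second signal the article does not mention, regular beaconing intervals to one destination, and turns only high-confidence verdicts into a block list for a firewall or DNS sinkhole. All addresses are from the documentation ranges and the traffic is constructed inline.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-ins for C2 message templates extracted from malware
# samples.  Family names, paths and header names are invented for this example.
C2_TEMPLATES = {
    "FAKEBOT-A": re.compile(r"^GET /cmd/beacon\?bot=[0-9a-f]{16}&build=\d+ "),
    "FAKEBOT-B": re.compile(r"^POST /drop/exfil .*\r\nX-Node-Id: \d+", re.S),
}

# Assumed thresholds: a destination contacted at least MIN_BEACONS times with
# interval jitter (coefficient of variation) below MAX_CV counts as "periodic".
MIN_BEACONS = 4
MAX_CV = 0.15


def match_template(payload):
    """Return the bot family whose C2 template matches this payload, else None."""
    for family, pattern in C2_TEMPLATES.items():
        if pattern.search(payload):
            return family
    return None


def periodicity(timestamps):
    """Mean gap and coefficient of variation for a sorted list of timestamps.
    Returns (None, None) when there are too few connections to judge."""
    if len(timestamps) < MIN_BEACONS:
        return None, None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = float(mean(gaps))
    if m == 0:
        return 0.0, 0.0
    return m, pstdev(gaps) / m


def classify_flows(flows):
    """Group outbound flows by (src, dst) and attach a verdict to each pair.

    A verdict records the confidence ('high', 'medium', 'none') and the
    evidence behind it, so an analyst can see why a pair was flagged.
    A single message matching a known C2 shape is enough for 'high';
    beacon-like timing alone only earns 'medium', because update checks
    and monitoring agents are periodic too.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    verdicts = {}
    for pair, items in by_pair.items():
        items.sort(key=lambda f: f["ts"])
        families = {match_template(f["payload"]) for f in items} - {None}
        interval, cv = periodicity([f["ts"] for f in items])
        periodic = cv is not None and cv < MAX_CV
        if families:
            confidence = "high"
        elif periodic:
            confidence = "medium"
        else:
            confidence = "none"
        verdicts[pair] = {
            "confidence": confidence,
            "families": sorted(families),
            "periodic": periodic,
            "interval": interval,
            "count": len(items),
        }
    return verdicts


def block_list(verdicts, min_confidence="high"):
    """Destinations to hand to a firewall or DNS sinkhole.  By default only
    'high' verdicts are blocked; 'medium' ones are left for human review."""
    rank = {"none": 0, "medium": 1, "high": 2}
    return sorted({dst for (_src, dst), v in verdicts.items()
                   if rank[v["confidence"]] >= rank[min_confidence]})


# Constructed sample traffic: a bot beaconing every 60 s with a known C2
# message, a host polling a benign-looking update URL every 300 s, a host
# browsing at irregular intervals, and a host sending one exfil-shaped POST.
SAMPLE_FLOWS = (
    [{"ts": 1000 + 60 * i, "src": "192.0.2.10", "dst": "203.0.113.7",
      "payload": "GET /cmd/beacon?bot=0123456789abcdef&build=7 HTTP/1.1\r\n"
                 "Host: 203.0.113.7\r\n\r\n"} for i in range(5)]
    + [{"ts": 2000 + 300 * i, "src": "192.0.2.20", "dst": "198.51.100.9",
        "payload": "GET /update.xml HTTP/1.1\r\nHost: 198.51.100.9\r\n\r\n"}
       for i in range(6)]
    + [{"ts": t, "src": "192.0.2.30", "dst": "198.51.100.40",
        "payload": "GET /news HTTP/1.1\r\nHost: 198.51.100.40\r\n\r\n"}
       for t in (3000, 3007, 3180, 3181, 3900)]
    + [{"ts": 5000, "src": "192.0.2.40", "dst": "203.0.113.22",
        "payload": "POST /drop/exfil HTTP/1.1\r\nHost: 203.0.113.22\r\n"
                   "X-Node-Id: 42\r\n\r\n"}]
)

if __name__ == "__main__":
    verdicts = classify_flows(SAMPLE_FLOWS)
    for pair, verdict in verdicts.items():
        print(pair, verdict)
    print("block:", block_list(verdicts))
```

Run as a script it prints one verdict per (source, destination) pair and the resulting block list; the update-polling host shows up as `medium` and is not blocked, which is the trade-off the thresholds encode. In practice the template set is the perishable part: it has to be refreshed as new families appear, which is why the article stresses the volume of samples analyzed per day.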
Catching these communications makes it possible to block the master servers, forcing criminals to move their infrastructure or redirect their communications. In effect, Kruegel's system cuts the infected computers off from their controllers, neutralizing the infection even if the malware hasn't been wiped from your hard drive.--David Talbot