
ZombieZERO Inspector

Network APT attack detection solution using a sandbox-based virtual system

Introduction of ZombieZERO Inspector

“ZombieZERO Inspector is a network-based detection and analysis system that runs suspicious files in a virtual (sandbox) system.
Its three-step signature-based and behavioral analysis detects unknown and variant malware, so that latent threats inside the network are stopped in advance.”

Categorization by file type

Initial analysis (signature-based analysis)
  • Decompression
  • AV engine (Bitdefender)

Secondary analysis
  • File execution monitor (VM access)
  • Static analysis (scripts, packing, etc.)
  • Dynamic analysis (behavioral monitor) on virtual machines (Windows XP ~ 10 supported)
  • Supports over 40 virtual machines

Confirmation (option)
  • VirusTotal API interworking

Response
  • Generation and distribution of blocking and quarantine patterns

Traffic Analysis and File Extraction

Collection of incoming files through traffic analysis

  • Collects incoming files carried by file transfer protocols such as Web, FTP, SMTP, IMAP, POP, etc.
  • Analyzes incoming files of various types (executable, compressed, document files, etc.).
Three Steps of Malware Analysis

Step 1: Detection by signature-based anti-virus engines.
Step 2: Behavioral analysis by static and dynamic engines.
Step 3: Verification against the VirusTotal engines from Google.
  • Supports signature-based and behavior-based analysis.
  • Quarantines the infected PC using the signature patterns of the detected malware.
Behavior-based analysis

Behavioral analysis on virtual systems

  • Provides a sandbox made up of static analytical engines and dynamic analytical engines.
  • Analyzes PE files (DLL, EXE, etc.), compressed files, and document files in various formats (MS Office, HWP, PDF, etc.).
  • Reports the findings of the static analytical engines (PE-static, document-static), which detect attack code, source code, and scripts targeting software weaknesses.
  • Detects malware that tries to evade the virtual machines: the virtual-machine-aware code is neutralized and the sample is forced to execute.
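As an added illustration of the staged flow described above (categorization by file type, decompression, signature check, static inspection, optional external verification), the following Python sketch is not NPCore code and models none of the product's engines. The SHA-256 blocklist, the sample files, the static indicators and the offline `verifier` callback standing in for the VirusTotal lookup are all constructed assumptions, and the dynamic (virtual machine) stage is left out. It also shows two caveats a triage pipeline needs that the brochure does not mention: a nesting limit and a size cap for archives, so that a recursive or oversized archive is flagged rather than expanded without bound.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_DEPTH = 3                 # nested-archive limit: recursive archives are stopped, not expanded forever
MAX_MEMBER_BYTES = 5_000_000  # cap on the declared uncompressed size of one archive member

@dataclass
class Verdict:
    name: str
    kind: str        # category from the magic bytes
    stage: str       # stage that settled the verdict
    malicious: bool
    reason: str

def categorize(data: bytes) -> str:
    """Stage 0: categorization by file type, decided from leading magic bytes."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "other"

# Stage 1: signature match. A constructed SHA-256 blocklist stands in for the AV engine.
KNOWN_BAD_SHA256: set = set()

def signature_stage(data: bytes) -> Tuple[bool, str]:
    digest = hashlib.sha256(data).hexdigest()
    return digest in KNOWN_BAD_SHA256, digest

def static_stage(kind: str, data: bytes) -> Tuple[bool, str]:
    """Stage 2: simplified static indicators standing in for the PE-static / document-static engines."""
    if kind == "pe":
        if len(data) < 0x40:
            return True, "PE too short to hold a DOS header"
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return True, "no PE signature at e_lfanew (malformed or packed stub)"
    elif kind == "pdf" and b"/OpenAction" in data and b"/JavaScript" in data:
        return True, "PDF runs JavaScript on open"
    return False, "no static indicator"

def analyze(name: str, data: bytes, verifier: Optional[Callable[[str], bool]] = None,
            depth: int = 0) -> Verdict:
    """Run one file through the pipeline; archives are expanded and every member re-enters it."""
    kind = categorize(data)
    if kind == "zip":                                   # decompression step
        if depth >= MAX_DEPTH:
            return Verdict(name, kind, "decompression", True, "archive nesting exceeds limit")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    return Verdict(name, kind, "decompression", True,
                                   f"{info.filename} declares {info.file_size} bytes, over cap")
                inner = analyze(f"{name}/{info.filename}", zf.read(info), verifier, depth + 1)
                if inner.malicious:
                    return Verdict(name, kind, inner.stage, True, f"member {inner.name}: {inner.reason}")
        return Verdict(name, kind, "decompression", False, "all members clean")
    hit, digest = signature_stage(data)
    if hit:
        return Verdict(name, kind, "signature", True, f"sha256 {digest[:16]}... on blocklist")
    hit, reason = static_stage(kind, data)
    if hit:
        return Verdict(name, kind, "static", True, reason)
    if verifier is not None:                            # stage 3 (optional): reputation lookup by hash
        flagged = verifier(digest)
        return Verdict(name, kind, "verification", flagged,
                       "reputation lookup flagged hash" if flagged else "reputation lookup clean")
    return Verdict(name, kind, "static", False, "no indicator; dynamic analysis would run next")

# ---- constructed samples (not real malware) ----
def mini_pe(tail: bytes = b"") -> bytes:
    """Smallest layout that passes the header check above: DOS stub, e_lfanew=0x40, then 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + tail

def build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()

DROPPER_EXE = mini_pe(b"constructed-dropper-sample")
INVOICE_PDF = b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >>\n2 0 obj << /S /JavaScript /JS (app.alert(1)) >>\n"
README_TXT = b"Quarterly figures attached.\n"
ATTACHMENT_ZIP = build_zip({"readme.txt": README_TXT, "invoice.pdf": INVOICE_PDF})
KNOWN_BAD_SHA256.add(hashlib.sha256(DROPPER_EXE).hexdigest())   # constructed blocklist entry

def no_hits(sha256_hex: str) -> bool:
    return False   # offline stand-in for the VirusTotal lookup (assumption: nothing is flagged)

if __name__ == "__main__":
    for fname, blob in [("dropper.exe", DROPPER_EXE), ("invoice.pdf", INVOICE_PDF),
                        ("readme.txt", README_TXT), ("attachment.zip", ATTACHMENT_ZIP)]:
        v = analyze(fname, blob, verifier=no_hits)
        print(f"{v.name:15} {v.kind:5} {v.stage:13} {'MALICIOUS' if v.malicious else 'clean':9} {v.reason}")
```

The order of the stages is the point: a cheap hash match ends the work first, a static indicator ends it second, and only a sample that survives both is sent outward for reputation lookup, which keeps external queries (and the information they leak about what the organisation received) to a minimum. Archive members inherit the verdict of the archive, so a clean-looking container cannot smuggle a flagged document past the pipeline.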

ZombieZERO Inspector Strengths

Dual Detection and Blocking of C&C Server Connections
  • Detects C&C connections by analyzing the connection patterns of outbound URLs and URIs.
  • Dual monitoring and blocking (DNS Sinkhole, TCP Reset) of C&C server connections from internal users.
  • Live updates of the C&C database in real time through interworking with the NPCore and KISA (Korea Internet & Security Agency) analysis centers.
Detection of Malicious Behavior through Intelligent Analysis of Incoming and Outgoing Traffic
  • Integrated analysis per session
  • Harmfulness inspection of the network behavior of files (DNS, URL, etc.)
  • Detection of botnet communications by relevance search in high-volume traffic
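The following Python sketch, added here and not NPCore code, runs the C&C detection and per-session correlation described in the two lists above over constructed DNS and HTTP log lines. A domain match at resolution time yields a DNS sinkhole answer, a match on an already established session yields a TCP reset, and a host that shows both is marked confirmed while a lone hit is only suspected. The indicator list, the beacon-shaped URI patterns, the flat log format and the 192.0.2.1 sinkhole address are all assumptions made for the example; the product's own feed, formats and responder are not described on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed indicator set; in the product these come from the live-updated C&C database.
CC_DOMAINS = {"update-check.example-bad.test", "cdn.example-bad.test"}
# Constructed URI shapes that resemble beacon check-ins; a real feed carries many such patterns.
CC_URI_PATTERNS = [
    re.compile(r"^/gate\.php\?id=[0-9a-f]{8,}$"),
    re.compile(r"^/[a-z]{2,4}/[0-9]{10}\.bin$"),
]
SINKHOLE_IP = "192.0.2.1"   # RFC 5737 documentation address standing in for the sinkhole responder

# Constructed log lines in an assumed flat format:
#   DNS  <time> <src_ip> query <qname>
#   HTTP <time> <src_ip> <dst_ip>:<port> <host> <uri>
LOG_LINES = """\
DNS 10:00:01 10.1.1.20 query www.example.org
DNS 10:00:02 10.1.1.20 query update-check.example-bad.test
HTTP 10:00:03 10.1.1.20 203.0.113.9:80 update-check.example-bad.test /gate.php?id=deadbeef01
HTTP 10:00:07 10.1.1.31 203.0.113.44:80 files.example.net /dl/1700000000.bin
HTTP 10:00:09 10.1.1.31 203.0.113.44:80 files.example.net /index.html
DNS 10:00:10 10.1.1.44 query mail.example.org
""".splitlines()

@dataclass
class Action:
    src_ip: str
    kind: str      # "sinkhole" (DNS answer rewritten) or "tcp_reset" (established session torn down)
    target: str    # queried name, or the session that is reset
    reason: str

def match_cc(host: str, uri: str = "") -> Optional[str]:
    """Outbound URL/URI matching: exact domain hit first, then beacon-shaped URI patterns."""
    if host.lower().rstrip(".") in CC_DOMAINS:
        return "domain on C&C list"
    for pat in CC_URI_PATTERNS:
        if pat.match(uri):
            return f"URI matches beacon pattern {pat.pattern}"
    return None

def evaluate(lines: List[str]) -> List[Action]:
    """Walk the log once and emit the blocking action each C&C indicator calls for."""
    actions: List[Action] = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "DNS":
            _, _, src, _, qname = parts
            reason = match_cc(qname)
            if reason:   # resolution stage: answer with the sinkhole address instead of the real one
                actions.append(Action(src, "sinkhole", qname, f"{reason}; answer {SINKHOLE_IP}"))
        elif len(parts) == 6 and parts[0] == "HTTP":
            _, _, src, dst, host, uri = parts
            reason = match_cc(host, uri)
            if reason:   # session stage: the connection already exists, so it is reset
                actions.append(Action(src, "tcp_reset", f"{src}->{dst}", reason))
    return actions

def classify_hosts(actions: List[Action]) -> Dict[str, str]:
    """Per-host correlation: a DNS hit plus a session to C&C is 'confirmed', a lone hit 'suspected'."""
    kinds: Dict[str, set] = defaultdict(set)
    for a in actions:
        kinds[a.src_ip].add(a.kind)
    return {ip: ("confirmed" if {"sinkhole", "tcp_reset"} <= k else "suspected")
            for ip, k in sorted(kinds.items())}

if __name__ == "__main__":
    acts = evaluate(LOG_LINES)
    for a in acts:
        print(f"{a.src_ip:10} {a.kind:9} {a.target:45} {a.reason}")
    print(classify_hosts(acts))
```

The two blocking mechanisms cover different moments of the same infection: the sinkhole answer catches a host before it learns the real C&C address, and the TCP reset catches a host that already has the address (cached, hard-coded, or resolved elsewhere). Correlating both per source host, as `classify_hosts` does, is what separates a confirmed infection from a single URI pattern hit that may still be a false positive and deserves analyst review before a quarantine pattern is distributed.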
Analysis in High-volume Traffic
  • Collects all packets on a 20Gbps link, even at small packet sizes.
  • NPCore’s multi-core “SmartNIC”, with its own traffic-processing capacity, enables advanced analysis in high-volume traffic.

ZombieZERO Inspector Specifications

ZombieZERO Inspector

Inspector 500 (Detector + Analyzer in one appliance)
  Traffic coverage: ~ 300Mb
  Agent coverage: ~ 500 users
  Malware/min: 5
  CPU: Intel Xeon 3.1GHz
  Memory: DDR3 24GB
  RAID: SAS 512GB
  OS: ESXi
  Management interface: 2 x 10/100/1000Base-T
  Network interface: 4 x 1GbE Copper
  Virtual OS: 5EA

Inspector 1000 (Detector + Analyzer in one appliance)
  Traffic coverage: ~ 1Gb
  Agent coverage: ~ 1,000 users
  Malware/min: 10
  CPU: Intel Xeon 3.4GHz
  Memory: DDR3 32GB
  RAID: SAS 512GB
  OS: ESXi
  Management interface: 2 x 10/100/1000Base-T
  Network interface: 4 x 1GbE Copper / 4 x 1GbE SFP
  Virtual OS: 10EA

Inspector 2000 (separate Detector and Analyzer appliances)
  Traffic coverage: ~ 4Gb
  Agent coverage: ~ 5,000 users
  Malware/min: 20
  Network interface: 4 x 1GbE SFP Accelerator
  Virtual OS: 20EA
  Detector: Intel Xeon 3.4GHz, DDR3 32GB, RAID SAS 512GB, ESXi, management 2 x 10/100/1000Base-T
  Analyzer: Dual Intel Xeon 2.1GHz, DDR3 64GB, RAID SAS 1TB, ESXi, management 2 x 10/100/1000Base-T

Inspector 5000 (separate Detector and Analyzer appliances)
  Traffic coverage: ~ 20Gb
  Agent coverage: ~ 10,000 users
  Malware/min: 40
  Network interface: 4 x 10GbE SFP Accelerator
  Virtual OS: 40EA
  Detector: Dual Intel Xeon 2.1GHz, DDR3 32GB, RAID SAS 512GB, ESXi, management 2 x 10/100/1000Base-T
  Analyzer: Dual Intel Xeon 2.1GHz, DDR3 128GB, RAID SAS 2TB, ESXi, management 2 x 10/100/1000Base-T

ZombieZERO ESM

ESM 500
  Coverage: ~ 1,000 users
  CPU: Intel Xeon 3.1GHz
  Memory: DDR3 8GB
  HDD: 500GB
  OS: Windows 2008 R2
  Management interface: 2 x 10/100/1000Base-T

ESM 1000
  Coverage: ~ 2,000 users
  CPU: Intel Xeon 3.1GHz
  Memory: DDR3 16GB
  HDD: 500GB
  OS: Windows 2008 R2
  Management interface: 2 x 10/100/1000Base-T

ESM 2000
  Coverage: ~ 5,000 users
  CPU: Intel Xeon 3.4GHz
  Memory: DDR3 16GB
  HDD: 1TB
  OS: Windows 2008 R2
  Management interface: 2 x 10/100/1000Base-T

ESM 5000
  Coverage: ~ 10,000 users
  CPU: Intel Xeon 3.5GHz
  Memory: DDR3 32GB
  HDD: 1TB
  OS: Windows 2008 R2
  Management interface: 2 x 10/100/1000Base-T