Symantec Intelligence Report: July 2012

Total pages: 16

File type: PDF, size: 1020 KB

Symantec Intelligence Report: July 2012

Attackers use the Olympics as bait for spam, malware and phishing attacks; the state of Web attack toolkits in 2012

Welcome to the July edition of the Symantec Intelligence report, which provides the latest analysis of cyber security threats, trends, and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this report covers January through June 2012.

Report highlights

• Spam – 67.6 percent (an increase of 0.8 percentage points since June): page 14
• Phishing – One in 475.3 emails identified as phishing (a decrease of 0.003 percentage points since June): page 17
• Malware – One in 340.9 emails contained malware (a decrease of 0.023 percentage points since June): page 19
• Malicious Web sites – 2,189 Web sites blocked per day (an increase of 4.0 percent since June): page 21
• Olympic-related scams and threats to keep an eye on: page 2
• Web attack toolkit activity in the first six months of 2012: page 7
• A roundup of the best blogs of the last month: page 11

Introduction

In this month's report we take a look at the various attacks being perpetrated using an Olympic theme. Attackers are taking to social networking to spread threats, attempting to compromise mobile devices, and trying a number of different spam and phishing scams surrounding the Games. We look at each of these areas in detail this month.

We also look at Web attack toolkits and how attackers have been making use of them since we reported on their activity in Volume 17 of the Internet Security Threat Report [1]. As predicted in ISTR 17 for 2011, their use has increased since the end of last year, but the ways in which they are being deployed are also changing.

Finally, we take a broader look at some of the more significant and interesting threats that Symantec's Security Response team has been tracking in recent weeks, from printing-related threats to the latest Android malware, including the impact of the attempted takedown of Grum, one of the largest spam-sending botnets in the threat landscape.

I hope you enjoy reading this month's edition of the report, and please feel free to contact me directly with any comments or feedback.

Paul Wood, Cyber Security Intelligence Manager
[email protected]
@paulowoody

[1] http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf

Page 1 of 24

Report analysis

Let the Games begin

As this month's report goes to press, the 2012 London Olympics are fully underway. As with other major sporting events, attackers try to take advantage of people's interest in the event, launching a variety of attacks and scams with Olympic themes. Similar sporting-themed attacks took place during the 2008 Olympics in Beijing and during the 2010 soccer World Cup in South Africa [2], so this is not a new phenomenon, but the social engineering employed in many of these attacks may be unfamiliar to a new audience. For the most part there are only a few differences in the attacks; for example, spammers began their Olympic campaigns early [3], sending out the first spam runs as far back as March 2011. Attackers have also tailored their attacks towards mobile devices and social networks. Let's have a look at some of the Olympic-related threats and scams out there.

Twitter bots

Attackers have been actively using Olympic-related trending topics on Twitter to entice people to click on malicious links. The Tweets appear to be generated by bots, with poorly constructed, ambiguous sentences.

Figure 1 – Example of a Twitter bot Tweet linking to malicious content

The shortened URLs lead to fake pages that appear to cover a variety of topics, including business strategy tips and health-related themes. However, the real purpose of these sites is to spread malware. An attack toolkit is set up on the back end of the pages and attempts to install trojan back doors or fake security software on vulnerable computers that visit these Web sites. For instance, the attack might play out similar to this video [4]. The accounts themselves are generally created the day the Tweets are sent, rarely have any followers, and rapidly post a few Tweets each minute using a wide variety of hashtags linked to trending topics. Twitter has been quick to identify these accounts and suspend them, generally within a few hours of their creation.

[2] http://www.2010netthreat.com/
[3] http://www.symantec.com/connect/blogs/spammers-begin-their-games-early
[4] http://www.youtube.com/watch?v=Upciy-g_n28

Fake Olympic scandals

There have also been a few instances of spammers attempting to trick users into downloading malware. For example, one spam email we recently encountered hints at a doping scandal and includes a link to a website that mimics YouTube. The video purports to be about the supposed scandal, but instead of playing the video, the page tells the user to install a new version of Flash Player. If the user clicks OK and runs the executable, the computer is infected with a trojan. This threat contacts a large list of malicious domains, attempting to download further malware, thus opening the computer to a variety of threats.

Figure 2 – Fake video website attempting to trick the user into downloading a trojan

Android.Opfake

The attackers behind Android.Opfake [5], which we discussed back in the May report [6], are not ones to let an opportunity such as the Olympics go by without trying to use the topic to spread their malware.
Irfan Asrar, a Security Response Manager focused on mobile threats, has been keeping a close eye on this threat. "The authors behind Android.Opfake are now going after apps related to the London 2012 Olympics," says Asrar. He recently noticed the attackers bundling their threat with a copy of a legitimate Olympics application. The legitimate app, a game promoting some of the more popular Olympic sports, was copied and repackaged with the trojan and then distributed on a Russian Android app marketplace.

Figure 3 – Android.Opfake repackaged with Olympic-themed game

If installed, the trojan sends premium-rate SMS messages from the compromised device, leading to profits for the attackers and an increased mobile phone bill for the user. Symantec customers are covered: "Users of Norton Mobile Security will be warned upon visiting the site distributing the malware," says Asrar.

[5] http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99
[6] http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_05_2012.en-us.pdf

Olympic-themed spam and scams

We discussed Olympic spam scams back in May [7], highlighting a lottery-style scam in the report. The spammers have continued sending out a wide variety of spam since then. We looked at an assortment of Olympic-related subject lines in use since May and the frequency with which they appeared each day. Apart from an especially busy week in mid-June, the spam rate increased steadily for the most part, effectively doubling from late May to late July, when the Games began.

Figure 4 – Chart showing the increase in Olympic-related spam and scams (daily count of Olympic-related subject lines, May to July 2012; y-axis 0 to 120)

The scams behind these spam runs are generally focused on gathering personal information from the user.
Mathew Maniyara, a Security Response lead in Pune, India, has been monitoring similar Olympic-related scams and has provided the following analysis of two such scams.

Cybercriminals lean on Olympics 2012
By Mathew Maniyara

Even before the Summer Olympic Games began on 27 July 2012, online scammers had already taken the opportunity to target users. Here at Symantec we have kept track of spam and phishing attacks that offered free gifts related to the sporting event, and would like to show you a few scenarios that the attackers are playing out.

In the first example, the phishers masqueraded as a MasterCard™ promotion and created an eye-catching phishing site. The phishing pages, hosted in Brazil, included several fake offers such as "Win Free Trips to the 2012 Summer Olympics in London!", "Participate and win laptops, cameras and many great prizes.", and "MasterCard and you in the Olympic Games!" The London Olympics logo was placed at the center of the page, and below the logo were images involved in the event. The images included the London Olympic Stadium, Wembley Stadium, the North Greenwich Arena, and the London Underground promoting the London Olympics. Customers were prompted to participate in the offers by clicking a button labeled "Participate now."

Figure 5 – Example of an Olympic-themed phishing scam

Upon clicking the button, customers were redirected to the next phishing page, which asks for the user's confidential information: full name, email address and password, date of birth, credit card number, name on card, and security code. After the required information is entered, the phishing site acknowledges the registration with the message:

your registration was successful! good luck! number of the protocol 1342410522

Spammers have also been targeting customers with fake gift cards from Visa™, reportedly worth US$1,000. By clicking a link provided in the spam mail, the user is redirected to a fake survey page where they are required to answer questions related to the London Olympics.

[7] http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_05_2012.en-us.pdf
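The Twitter bots section above lists the traits that gave the Olympic-themed bot accounts away: created the same day they start tweeting, rarely any followers, a few Tweets every minute, a wide variety of trending hashtags, and a shortened URL in each Tweet. The following Python script, an added example and not code from the Symantec report, turns those traits into a per-account score that can be run over a batch of collected tweets. The tweet records, shortener list and score thresholds are constructed assumptions, not Symantec's data or criteria.

```python
"""Score Twitter accounts for the bot-like behaviour the report describes.

Added example; this is not code from the Symantec report. Each indicator the
report lists adds one point; an account scoring at or above the threshold is
flagged. The tweet records and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hosts of common URL shorteners (assumption: extend as needed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
HASHTAG_RE = re.compile(r"#(\w+)")

# Constructed sample data: (account, account_created, followers, tweet_time, text).
SAMPLE_TWEETS = [
    ("0lympic_buzz2012", "2012-07-27", 0, "2012-07-27 10:00:05",
     "#Olympics #Phelps #London2012 business strategy tips you need http://bit.ly/2x9kq1"),
    ("0lympic_buzz2012", "2012-07-27", 0, "2012-07-27 10:00:21",
     "#TeamGB #OpeningCeremony lose weight fast this secret http://bit.ly/2x9kq2"),
    ("0lympic_buzz2012", "2012-07-27", 0, "2012-07-27 10:00:48",
     "#Olympics2012 #Bolt you not believe this video http://bit.ly/2x9kq3"),
    ("0lympic_buzz2012", "2012-07-27", 0, "2012-07-27 10:01:10",
     "#London2012 #Olympics health tips for everyone now http://bit.ly/2x9kq4"),
    ("jane_runs", "2010-03-14", 412, "2012-07-27 10:02:00",
     "Opening ceremony was amazing! #London2012"),
    ("jane_runs", "2010-03-14", 412, "2012-07-27 21:15:00",
     "Off to watch the cycling tomorrow, anyone else going? http://example.com/blog"),
]


def score_account(records, max_followers=5, min_tweets_per_minute=2.0, min_hashtags=4):
    """Return (score, reasons) for one account.

    records: list of (account_created, followers, tweet_time, text).
    Every indicator from the report that fires adds one point.
    """
    created = datetime.strptime(records[0][0], "%Y-%m-%d").date()
    followers = records[0][1]
    times = sorted(datetime.strptime(r[2], "%Y-%m-%d %H:%M:%S") for r in records)
    texts = [r[3] for r in records]
    reasons = []

    # 1. Account created the same day it started tweeting.
    if times[0].date() == created:
        reasons.append("account created the day it started tweeting")

    # 2. Rarely has any followers.
    if followers <= max_followers:
        reasons.append(f"only {followers} followers")

    # 3. Rapid posting: a few Tweets every minute (floor the span at one second).
    if len(times) >= 2:
        span_minutes = max((times[-1] - times[0]).total_seconds() / 60.0, 1.0 / 60.0)
        rate = len(times) / span_minutes
        if rate >= min_tweets_per_minute:
            reasons.append(f"{rate:.1f} tweets per minute")

    # 4. Wide variety of hashtags riding trending topics.
    tags = {t.lower() for text in texts for t in HASHTAG_RE.findall(text)}
    if len(tags) >= min_hashtags:
        reasons.append(f"{len(tags)} distinct hashtags")

    # 5. Every Tweet carries a shortened URL.
    hosts = [URL_RE.findall(text) for text in texts]
    if all(h and h[0].lower() in SHORTENER_HOSTS for h in hosts):
        reasons.append("shortened URL in every tweet")

    return len(reasons), reasons


def flag_bots(tweets, threshold=3):
    """Group tweets by account; return {account: (score, is_bot, reasons)}."""
    by_account = defaultdict(list)
    for account, created, followers, when, text in tweets:
        by_account[account].append((created, followers, when, text))
    result = {}
    for account, recs in by_account.items():
        score, reasons = score_account(recs)
        result[account] = (score, score >= threshold, reasons)
    return result


if __name__ == "__main__":
    for account, (score, is_bot, reasons) in flag_bots(SAMPLE_TWEETS).items():
        verdict = "BOT-LIKE" if is_bot else "ok"
        print(f"{account}: {verdict} ({score}) {'; '.join(reasons)}")
```

The score is deliberately additive rather than a single rule: a legitimate new user may have no followers, and a live-tweeting fan may post quickly, but an account that trips three or more of these indicators at once matches the campaign profile the report describes and is worth suspending or at least rate-limiting pending review.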
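The MasterCard-themed phishing page described above asks for an e-mail address and password alongside a card number, name on card and security code. No genuine card promotion or checkout needs an e-mail password next to card data, so that combination is a reliable tell when inspecting captured pages. The following Python script is an added example, not code from the Symantec report: it parses the fields of an HTML form with the standard library and flags a form that collects card data together with a password. The two HTML samples are constructed, and the field-name keywords (English and Portuguese, since the pages were hosted in Brazil) are assumptions.

```python
"""Flag a web form that collects card data together with account credentials.

Added example; this is not code from the Symantec report. The field keywords
and both HTML samples are constructed assumptions.
"""
from html.parser import HTMLParser

# Substrings that identify what a form field collects (assumption).
FIELD_KEYWORDS = {
    "card_number": ("cardnumber", "card_number", "ccnum", "numero_cartao", "card number"),
    "security_code": ("cvv", "cvc", "securitycode", "security_code", "security code"),
    "password": ("password", "passwd", "senha"),
    "email": ("email", "e-mail"),
    "dob": ("dob", "birth", "nascimento"),
}
# Card data plus a password never belong on one promotion or checkout form.
PHISHING_COMBO = {"card_number", "security_code", "password"}


class FormFieldParser(HTMLParser):
    """Collect a lower-cased description of every user-facing form field."""

    def __init__(self):
        super().__init__()
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() in ("submit", "hidden", "button", "image", "reset"):
            return  # not user-entered data
        hint = " ".join(a.get(k, "") for k in ("name", "id", "placeholder", "type"))
        self.hints.append(hint.lower())


def classify_fields(html):
    """Return the set of data classes a form asks the visitor for."""
    parser = FormFieldParser()
    parser.feed(html)
    found = set()
    for hint in parser.hints:
        for cls, keywords in FIELD_KEYWORDS.items():
            if any(k in hint for k in keywords):
                found.add(cls)
    return found


def phishing_form_verdict(html):
    """Return (is_suspicious, found_classes) for one HTML form."""
    found = classify_fields(html)
    return PHISHING_COMBO <= found, found


# Constructed sample: the second page of a fake promotion, as the report describes it.
SAMPLE_PHISHING_FORM = """
<form action="participar.php" method="post">
  <input type="text" name="nome" placeholder="Full name">
  <input type="text" name="email" placeholder="E-mail address">
  <input type="password" name="senha" placeholder="E-mail password">
  <input type="text" name="nascimento" placeholder="Date of birth">
  <input type="text" name="numero_cartao" placeholder="Card number">
  <input type="text" name="nome_cartao" placeholder="Name on card">
  <input type="text" name="cvv" placeholder="Security code">
  <input type="submit" value="Participate now">
</form>
"""

# Constructed sample: an ordinary checkout form, card data but no password.
SAMPLE_CHECKOUT_FORM = """
<form action="/pay" method="post">
  <input type="text" name="cardholder" placeholder="Name on card">
  <input type="text" name="cardnumber">
  <input type="text" name="cvv">
  <input type="hidden" name="csrf" value="k3j2h1">
  <input type="submit" value="Pay">
</form>
"""

if __name__ == "__main__":
    for label, html in (("promotion", SAMPLE_PHISHING_FORM), ("checkout", SAMPLE_CHECKOUT_FORM)):
        suspicious, found = phishing_form_verdict(html)
        print(f"{label}: {'SUSPICIOUS' if suspicious else 'ok'} -> {sorted(found)}")
```

The check looks only at what the form asks for, so it works on a saved copy of the page without visiting the site; in practice it would sit alongside the usual URL and hosting checks rather than replace them.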