DOCSLIB.ORG

Studying Spamming Botnets Using Botlab John P

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Studying Spamming Botnets Using Botlab John P Studying Spamming Botnets Using Botlab John P. John Alexander Moshchuk Steven D. Gribble Arvind Krishnamurthy Department of Computer Science & Engineering University of Washington Abstract erate. Passive honeynets [13, 27, 41] are becoming less applicable to this problem over time, as botnets are in- In this paper we present Botlab, a platform that con- creasingly propagating via social engineering and web- tinually monitors and analyzes the behavior of spam- based drive-by download attacks that honeynets will not oriented botnets. Botlab gathers multiple real-time observe. Overall, there is still opportunity to design de- streams of information about botnets taken from distinct fensive tools to filter botnet spam, identify and block perspectives. By combining and analyzing these streams, botnet-hosted malicious sites, and pinpoint which hosts Botlab can produce accurate, timely, and comprehensive are currently participating in a spamming botnet. data about spam botnet behavior. Our prototype system In this paper we turn the tables on spam botnets by us- integrates information about spam arriving at the Univer- ing the vast quantities of spam that they generate to mon- sity of Washington, outgoing spam generated by captive itor and analyze their behavior. To do this, we designed botnet nodes, and information gleaned from DNS about and implemented Botlab, a continuously operating bot- URLs found within these spam messages. net monitoring platform that provides real-time informa- We describe the design and implementation of Botlab, tion regarding botnet activity. Botlab consumes a feed of including the challenges we had to overcome, such as all incoming spam arriving at the University of Washing- preventing captive nodes from causing harm or thwart- ton, allowing it to find fresh botnet binaries propagated ing virtual machine detection. Next, we present the re- through spam links. It then executes multiple captive, sults of a detailed measurement study of the behavior of sandboxed nodes from various botnets, allowing it to ob- the most active spam botnets. We find that six botnets serve the precise outgoing spam feeds from these nodes. are responsible for 79% of spam messages arriving at the It scours the spam feeds for URLs, gathers information UW campus. Finally, we present defensive tools that take on scams, and identifies exploit links. Finally, it corre- advantage of the Botlab platform to improve spam filter- lates the incoming and outgoing spam feeds to identify ing and protect users from harmful web sites advertised the most active botnets and the set of compromised hosts within botnet-generated spam. comprising each botnet. 1 Introduction A key insight behind Botlab is that the combination of both incoming and outgoing spam sources is essential for Spamming botnets are a blight on the Internet. By some enabling a comprehensive, accurate, and timely analysis estimates, they transmit approximately 85% of the 100+ of botnet behavior. Incoming spam bootstraps the pro- billion spam messages sent per day [14, 21]. Botnet- cess of identifying spamming bots, outgoing spam en- generated spam is a nuisance to users, but worse, it can ables us to track the ebbs and flows of botnets’ ongoing cause significant harm when used to propagate phishing spam campaigns and establish the ground truth regard- campaigns that steal identities, or to distribute malware ing spam templates, and correlation of the two feeds can to compromise more hosts. classify incoming spam according to botnet that is sourc- These concerns have prompted academia and industry ing it, determine the number of hosts active within each to analyze spam and spamming botnets. Previous stud- botnet, and identify many of these botnet-infected hosts. ies have examined spam received by sinkholes and pop- ular web-based mail services to derive spam signatures, 1.1 Contributions determine properties of spam campaigns, and character- ize scam hosting infrastructure [1, 39, 40]. This analysis Our work offers four novel contributions. First, we tackle of “incoming” spam feeds provides valuable information many of the challenges involved in building a real-time on aggregate botnet behavior, but it does not separate ac- botnet monitoring platform, including identifying and tivities of individual botnets or provide information on incorporating new bot variants, and preventing Botlab the spammers’ latest techniques. Other efforts reverse hosts from being blacklisted by botnet operators. engineered and infiltrated individual spamming botnets, Second, we have designed network sandboxing mech- including Storm [20] and Rustock [5]. However, these anisms that prevent captive bot nodes from causing harm, techniques are specific to these botnets and their com- while still enabling our research to be effective. As well, munication methods, and their analysis only considers we discuss the long-term tension between effectiveness characteristics of the “outgoing” spam these botnets gen- and safety in botnet research given botnets’ trends, and we present thought experiments that suggest that a de- Propagation: Malware authors are increasingly relying termined adversary could make it extremely difficult to on social engineering to find and compromise victims, conduct future botnet research in a safe manner. such as by spamming users with personal greeting card Third, we present interesting behavioral character- ads or false upgrade notices that entice them to install istics of spamming botnets derived from our multi- malware. As propagation techniques move up the proto- perspective analysis. For example, we show that just col stacks, the weakest link in the botnet defense chain a handful of botnets are responsible for most spam re- becomes the human user. As well, systems such as pas- ceived by UW, and attribute incoming spam to specific sive honeynets become less effective at detecting new botnets. As well, we show that the bots we analyze use botnet software, instead requiring active steps to gather simple methods for locating their command and control and classify potential malware. (C&C) servers; if these servers were efficiently located Customized C&C protocols: While many of the older and shut down, much of today’s spam flow would be dis- botnet designs used IRC to communicate with C&C rupted. As another example, in contrast to earlier find- servers, newer botnets use encrypted and customized ings [40], we observe that some spam campaigns utilize protocols for disseminating commands and directing multiple botnets. bots [7, 9, 33, 36]. For example, some botnets communi- Fourth, we have implemented several prototype de- cate via HTTP requests and responses carrying encrypted fensive tools that take advantage of the real-time in- C&C data. Manual reverse-engineering of bot behavior formation provided by the Botlab platform. We have has thus become time-consuming if not impossible. constructed a Firefox plugin that protects users from scam and phishing web sites propagated by spam bot- Rapid evolution: To evade detection from trackers nets. The plug-in blocked 40,270 malicious links em- and anti-malware software, some newer botnets morph anating from one botnet monitored by Botlab; in con- rapidly. For instance, most malware binaries are often trast, two blacklist-based defenses failed to detect any of packed using polymorphic packers that generate differ- these links. As well, we have designed and implemented ent looking binaries even though the underlying code a Thunderbird plugin that filters botnet-generated spam. base has not changed [29]. Also, botnet operators are For one user, the plugin reduced the amount of spam that moving away from relying on a single web server to host bypassed his SpamAssassin filters by 76%. their scams, and instead are using fast flux DNS [12]. The rest of this paper is organized as follows. Sec- In this scheme, attackers rapidly rebind the server DNS tion 2 provides background material on the botnet threat. name to different botnet IP addresses, in order to defend Section 3 discusses the design and implementation of against IP blacklisting or manual server take-down. Fi- Botlab. We evaluate Botlab in Section 4 and describe ap- nally, botnets also make updates to their C&C protocols, plications we have built using it in Section 5. We discuss by incorporating new forms of encryption and command our thoughts on the long-term viability of safe botnet re- distribution. search in Section 6. We present related work in Section 7 Moving forward, analysis and defense systems must and conclude in Section 8. contend with the increasing sophistication of botnets. 2 Background on the Botnet Threat Monitoring systems must be pro-active in collecting and executing botnet samples, as botnets and their behavior A botnet is a large-scale, coordinated network of comput- change rapidly. As well, botnet analysis systems will in- ers, each of which executes specific bot software. Botnet creasingly have to rely on external observations of botnet operators recruit new nodes by commandeering victim behavior, rather than necessarily being able to crack and hosts and surreptitiously installing bot code onto them; reverse engineer botnet control traffic. the resulting army of “zombie” computers is typically controlled by one or more command-and-control (C&C) 3 The Botlab Monitoring Platform servers. Botnet operators employ their botnets to send The Botlab platform produces fresh information about spam, scan for new victims, steal confidential informa- spam-oriented botnets, including their current cam-
Load more

Recommended publications
  • Spamalytics: an Empirical Analysis of Spam Marketing Conversion
    Spamalytics: An Empirical Analysis of Spam Marketing Conversion Chris Kanich∗ Christian Kreibich† Kirill Levchenko∗ Brandon Enright∗ Geoffrey M. Voelker∗ Vern Paxson† Stefan Savage∗ † ∗ International Computer Science Institute Dept. of Computer Science and Engineering Berkeley, USA University of California, San Diego, USA [email protected],[email protected] {ckanich,klevchen,voelker,savage}@cs.ucsd.edu [email protected] ABSTRACT Unraveling such questions is essential for understanding the eco- The “conversion rate” of spam — the probability that an unso- nomic support for spam and hence where any structural weaknesses licited e-mail will ultimately elicit a “sale” — underlies the entire may lie. Unfortunately, spammers do not file quarterly financial spam value proposition. However, our understanding of this critical reports, and the underground nature of their activities makes third- behavior is quite limited, and the literature lacks any quantitative party data gathering a challenge at best. Absent an empirical foun- study concerning its true value. In this paper we present a method- dation, defenders are often left to speculate as to how successful ology for measuring the conversion rate of spam. Using a parasitic spam campaigns are and to what degree they are profitable. For ex- infiltration of an existing botnet’s infrastructure, we analyze two ample, IBM’s Joshua Corman was widely quoted as claiming that spam campaigns: one designed to propagate a malware Trojan, the spam sent by the Storm worm alone was generating “millions and other marketing on-line pharmaceuticals. For nearly a half billion millions of dollars every day” [2]. While this claim could in fact be spam e-mails we identify the number that are successfully deliv- true, we are unaware of any public data or methodology capable of ered, the number that pass through popular anti-spam filters, the confirming or refuting it.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Address Munging: the Practice of Disguising, Or Munging, an E-Mail Address to Prevent It Being Automatically Collected and Used
    Address Munging: the practice of disguising, or munging, an e-mail address to prevent it being automatically collected and used as a target for people and organizations that send unsolicited bulk e-mail address. Adware: or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software. Adware is software designed to force pre-chosen ads to display on your system. Some adware is designed to be malicious and will pop up ads with such speed and frequency that they seem to be taking over everything, slowing down your system and tying up all of your system resources. When adware is coupled with spyware, it can be a frustrating ride, to say the least. Backdoor: in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device. A back door is a point of entry that circumvents normal security and can be used by a cracker to access a network or computer system. Usually back doors are created by system developers as shortcuts to speed access through security during the development stage and then are overlooked and never properly removed during final implementation.
    [Show full text]
  • Compu Talk Vol
    Sri Sathya Sai College for Women, Bhopal 2017 A newsletter from the Dept. of Computer Sci. & Appl. Compu Talk Vol. III Cyber Security job oppurtunities Botnet Department of Computer Computer Network Science and Application Firewall Departmental News Now Trending: including smartphones, televisions and tiny devices and integration of these as part of the Job Opportunities under the Cyber Internet of Things. Boom in cyber threats has Security Umbrella been an integral part of boom in information technology . Cyber security also known in simpler terms as computer security or IT security involves the Typical cyber security job titles and protection of computer systems from theft, descriptions may include the following: damage or destruction of 1. Security Analyst their hardware, software, data and information, as well from disruption, misuse or A Security Analyst analyzes and assesses misdirection of the services provided through vulnerabilities in the infrastructure which them to cause damage to the fellow humans or includes software, hardware and the society. associated networks. He/she performs The role of cyber security involves investigation using available tools, suggests controlling or limiting physical access to the counter-measures to remedy the detected hardware, as well as protecting them against any vulnerabilities, and recommends solutions harm or attack that may come via network and best practices. He/she analyzes and access intrusion, data insertion and code assesses the damage done to the injection and remote control. IT security is data/infrastructure as a result of security susceptible to being tricked into deviating from incidents, examines available recovery tools secure procedures through various methods. and processes, and recommends solutions.
    [Show full text]
  • Antivirus Software Before It Can Detect Them
    Computer virus A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.[1][2] The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software), including true viruses. Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to either a computer system's hosted data, functional performance, or networking throughput, when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious.
    [Show full text]
  • Downloading and Running
    City Research Online City, University of London Institutional Repository Citation: Meng, X. (2018). An integrated networkbased mobile botnet detection system. (Unpublished Doctoral thesis, City, Universtiy of London) This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/19840/ Link to published version: Copyright: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. Reuse: Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. City Research Online: http://openaccess.city.ac.uk/ [email protected] AN INTEGRATED NETWORK- BASED MOBILE BOTNET DETECTION SYSTEM Xin Meng Department of Computer Science City, University of London This dissertation is submitted for the degree of Doctor of Philosophy City University London June 2017 Declaration I hereby declare that except where specific reference is made to the work of others, the contents of this dissertation are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text.
    [Show full text]
  • Coordinating Across Chaos: the Practice of Transnational Internet Security Collaboration
    COORDINATING ACROSS CHAOS: THE PRACTICE OF TRANSNATIONAL INTERNET SECURITY COLLABORATION A Dissertation Presented to The Academic Faculty by Tarun Chaudhary In Partial Fulfillment of the Requirements for the Degree International Affairs, Science, and Technology in the Sam Nunn School of International Affairs Georgia Institute of Technology May 2019 COPYRIGHT © 2019 BY TARUN CHAUDHARY COORDINATING ACROSS CHAOS: THE PRACTICE OF TRANSNATIONAL INTERNET SECURITY COLLABORATION Approved by: Dr. Adam N. Stulberg Dr. Peter K. Brecke School of International Affairs School of International Affairs Georgia Institute of Technology Georgia Institute of Technology Dr. Michael D. Salomone Dr. Milton L. Mueller School of International Affairs School of Public Policy Georgia Institute of Technology Georgia Institute of Technology Dr. Jennifer Jordan School of International Affairs Georgia Institute of Technology Date Approved: March 11, 2019 ACKNOWLEDGEMENTS I was once told that writing a dissertation is lonely experience. This is only partially true. The experience of researching and writing this work has been supported and encouraged by a small army of individuals I am forever grateful toward. My wife Jamie, who has been a truly patient soul and encouraging beyond measure while also being my intellectual sounding board always helping guide me to deeper insight. I have benefited from an abundance of truly wonderful teachers over the course of my academic life. Dr. Michael Salomone who steered me toward the world of international security studies since I was an undergraduate, I am thankful for his wisdom and the tremendous amount of support he has given me over the past two decades. The rest of my committee has been equally as encouraging and provided me with countless insights as this work has been gestating and evolving.
    [Show full text]
  • Cyberpro December 4, 2008
    Volume 1, Edition 15 CyberPro December 4, 2008 Keeping Cyberspace Professionals Informed Officers The articles and information appearing herein are intended for President educational purposes to promote discussion in the public interest and to Larry K. McKee, Jr. keep subscribers who are involved in the development of Cyber-related concepts and initiatives informed on items of common interest. The Senior Analyst newsletter and the information contained therein are not intended to Jim Ed Crouch provide a competitive advantage for any commercial firm. Any ------------------------------ misuse or unauthorized use of the newsletter and its contents will result CyberPro Research in removal from the distribution list and/or possible administrative, civil, Analyst and/or criminal action. Kathryn Stephens The views, opinions, and/or findings and recommendations contained in this summary are those of the authors and should not be construed as an official position, policy, or decision of the United States Government, CyberPro Archive U.S. Department of Defense, or National Security Cyberspace Institute. To subscribe or unsubscribe to this newsletter click here CyberPro News Subscription. Please contact Larry McKee , ph. (757) 871-3578, regarding CyberPro subscription, sponsorship, and/or advertisement. All rights reserved. CyberPro may not be published, broadcast, rewritten or redistributed without prior NSCI consent. 110 Royal Aberdeen Smithfield, VA 23430 ph. (757) 871 - 3578 CyberPro National Security Cyberspace Institute P a g e | 1 Volume
    [Show full text]
  • Detection of Distributed Denial-Of-Service Attacks in Encrypted Network Traffic
    Mikko Hyvärinen Detection of Distributed Denial-of-Service Attacks in Encrypted Network Traffic Master’s Thesis in Information Technology December 9, 2016 University of Jyväskylä Department of Mathematical Information Technology Author: Mikko Hyvärinen Contact information: [email protected] Supervisor: Timo Hämäläinen & Mikhail Zolotukhin Title: Detection of Distributed Denial-of-Service Attacks in Encrypted Network Traffic Työn nimi: Hajautettujen palvelunestohyökkäysten havainnointi salatussa verkkoliiken- teessä Project: Master’s Thesis Study line: Software Development Page count: 122+9 Abstract: Context: Distributed denial-of-service attacks have existed for two decades. Var- ious strategies have been developed to combat the increasing volume of attacks over the years. Application layer attacks are becoming more common, and they are harder to detect. Current detection methods analyze traffic features. The packet payload is encrypted in an SSL/TLS traffic, and it cannot be analyzed. Objective: The thesis studies the current situa- tion of detection of DDoS attacks in an SSL/TLS encrypted traffic. Also, the thesis presents a K-means++ clustering-based detection method and comparable simulation results with the previous literature. Methods: The author conducted a light systematic mapping study by searching common computer science literature libraries. The author ran experiments with the clustering-based method in a virtual network. Results: The mapping study found that the detection methods concentrate on clustering and statistical anomaly detection methods. In the experiments, denial-of-service attack simulations revealed that the K-means++ clus- tering detects trivial DDoS attacks with near 100% accuracy. Datasets were found to be an important part when comparing results. Conclusion: The mapping study revealed encrypted denial-of-service research study areas where more research is needed when compared to the non-encrypted counterpart.
    [Show full text]
  • Who Wrote Sobig? Copyright 2003-2004 Authors Page 1 of 48
    Who Wrote Sobig? Copyright 2003-2004 Authors Page 1 of 48 Who Wrote Sobig? Version 1.0: 19-August-2003. Version 1.1: 25-August-2003. Version 1.2: 19-November-2003. Version 1.3: 17-July-2004. This sanitized variation for public release. Scheduled for release: 1-November-2004. This document is Copyright 2003-2004 by the authors. The PGP key included within this document identifies the authors. Who Wrote Sobig? Copyright 2003-2004 Authors Page 2 of 48 Table of Contents Table of Contents................................................................................................................................................... 2 1 About This Document..................................................................................................................................... 3 2 Overview........................................................................................................................................................ 5 3 Spam and Virus Release History..................................................................................................................... 6 3.1 Identifying Tools .................................................................................................................................... 6 3.2 Identifying Individuals and Specific Groups ............................................................................................ 6 3.3 Identifying Open Proxies and Usage........................................................................................................ 8 3.4
    [Show full text]
  • Image Spam Detection: Problem and Existing Solution
    International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 02 | Feb 2019 www.irjet.net p-ISSN: 2395-0072 Image Spam Detection: Problem and Existing Solution Anis Ismail1, Shadi Khawandi2, Firas Abdallah3 1,2,3Faculty of Technology, Lebanese University, Lebanon ----------------------------------------------------------------------***--------------------------------------------------------------------- Abstract - Today very important means of communication messaging spam, Internet forum spam, junk fax is the e-mail that allows people all over the world to transmissions, and file sharing network spam [1]. People communicate, share data, and perform business. Yet there is who create electronic spam are called spammers [2]. nothing worse than an inbox full of spam; i.e., information The generally accepted version for source of spam is that it crafted to be delivered to a large number of recipients against their wishes. In this paper, we present a numerous anti-spam comes from the Monty Python song, "Spam spam spam spam, methods and solutions that have been proposed and deployed, spam spam spam spam, lovely spam, wonderful spam…" Like but they are not effective because most mail servers rely on the song, spam is an endless repetition of worthless text. blacklists and rules engine leaving a big part on the user to Another thought maintains that it comes from the computer identify the spam, while others rely on filters that might carry group lab at the University of Southern California who gave high false positive rate. it the name because it has many of the same characteristics as the lunchmeat Spam that is nobody wants it or ever asks Key Words: E-mail, Spam, anti-spam, mail server, filter.
    [Show full text]
  • S Ym a Nte C Enterpris E S E CU Rit Y Symantec Global Internet Security
    ublished April 2009 P V, V, I rends for 2008 Volume X Volume Symantec Symantec Global Internet Security Threat Report T SYMANTEC ENTERPRISE SECURITY Marc Fossi Executive Editor Manager, Development Security Technology and Response Eric Johnson Editor Security Technology and Response Trevor Mack Associate Editor Security Technology and Response Dean Turner Director, Global Intelligence Network Security Technology and Response Joseph Blackbird Threat Analyst Symantec Security Response Mo King Low Threat Analyst Security Technology and Response Teo Adams Threat Analyst Security Technology and Response David McKinney Threat Analyst Security Technology and Response Stephen Entwisle Threat Analyst Security Technology and Response Marika Pauls Laucht Threat Analyst Security Technology and Response Candid Wueest Threat Analyst Security Technology and Response Paul Wood Senior Analyst MessageLabs Intelligence, Symantec Dan Bleaken Threat Analyst MessageLabs Intelligence, Symantec Greg Ahmad Threat Analyst Security Technology and Response Darren Kemp Threat Analyst Security Technology and Response Ashif Samnani Threat Analyst Security Technology and Response Volume XIV, Published April 2009 Symantec Global Internet Security Threat Report Contents Introduction ...............................................................................4 Executive Summary . 5 Highlights ............................................................................... 13 Threat Activity Trends . 17 Vulnerability Trends .....................................................................
    [Show full text]