Spamalytics: An Empirical Analysis of Spam Marketing Conversion

Slides:

Advertisements

Similar presentations

Basic Communication on the Internet:

Advertisements

Click Trajectories: End-to-End Analysis of the Spam Value Chain Author : Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, M’ark F’elegyh’azi,

Topics in Security IS&T All Staff Meeting Tuesday, April 7, 2011 Brian Allen, CISSP Network Security Analyst, Washington University.

Your tool to help you build a list of Subscribers.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Chapter 30 Electronic Mail Representation & Transfer

Spam Sonia Jahid University of Illinois Fall 2007.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

Botnets An Introduction Into the World of Botnets Tyler Hudak

1 Spam: Why? Chris Kanich Christian Kreibich Kirill Levchenko Brandon Enright Vern Paxson Geoffrey M. Voelker Stefan Savage +=

Monetizing Attacks / The Underground Economy original slides by Prof. Vern Paxson University of California, Berkeley.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 9

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

1. 2 Windows Live Hotmail  offers access via special Outlook Connector software o provides a two-way sync for  mail  calendar  contacts o access.

1 ITGS - introduction A computer may have: a direct connection to a net (cable); or remote access (modem). Connect network to other network through: cables.

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

Click Trajectories: End-to-End Analysis of the spam value chain Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Tristan Halvorson,

Botnets: Yesterday, Today, and Tomorrow CS 598: Advanced Internet Presented by: Imranul Hoque.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

2010/6/7 Spamalytics An Empirical Analysis of Spam Marketing Conversion Author: Chris Kanich Christian Kreibich Kirill Levchenko Brandon Enright Geoffrey.

The Internet 8th Edition Tutorial 2 Basic Communication on the Internet: .

2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.

1 Characterizing Botnet from Spam Records Presenter: Yi-Ren Yeh ( 葉倚任 ) Authors: L. Zhuang, J. Dunagan, D. R. Simon, H. J. Wang, I. Osipkov, G. Hulten,

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

BOTNET JUDO Fighting Spam with Itself By: Pitsillidis, Levchenko, Kreibich, Kanich, Voelker, Paxson, Weaver, and Savage Presentation by: Heath Carroll.

Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,

1 Chinese . 2 Introduction  Support SMTP/POP3/IMAP4  On Unix platform  Provide Webmail –Functions: On line registration On line sending and receiving.

Application Layer Khondaker Abdullah-Al-Mamun Lecturer, CSE Instructor, CNAP AUST.

CAN SPAM and Your Marketing Best Practices for Senders By Lars Helgeson Cooler .

Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.

11 Spamcraft: An Inside Look At Spam Campaign Orchestration Reporter: 林佳宜 Advisor: Chun-Ying Huang /6/3.

Studying Spamming Botnets Using Botlab 台灣科技大學資工所楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.

Lecture 6: Sun: 8/5/1435 Distributed Applications Lecturer/ Kawther Abas CS- 492 : Distributed system & Parallel Processing.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov. SIGCOMM, Presented.

Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:

Walowdac:Analysis of a Peer-to-Peer Botnet 林佳宜 NTOU CSIE 11/19/

Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Botnet Judo: Fighting Spam with Itself.

Studying Spamming Botnets Using Botlab

The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol

Malicious Software.

SMTP - Simple Mail Transfer Protocol RFC 821

Chapter 16: Distributed Applications Business Data Communications, 4e.

Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

Understanding Spam Economics Chris Kanich Computer Science & Engineering UC San Diego +=

Spam liquidator What is SL ??? Definition : It is a tool to block the junk mail !

Customer Profile: If you have tech savvy customers, having your site secured for mobile users is recommended. Business Needs: With the growing number.

Networking Applications

Remote Logging, Electronic Mail, and File Transfer

A lustrum of malware network communication: Evolution & insights

VIRUS HOAX + BOTS. VIRUS HOAX + BOTS Group Members Aneeqa Ikram Fatima Ishaque Tufail Rana Anwar Amjad.

Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 9

De-anonymizing the Internet Using Unreliable IDs

Click Trajectories: End to End Analysis of the Spam Value Chain

BOTNET JUDO : Fighting Spam with Itself

Overview What is Spoofing Types of Spoofing

Internet Worm propagation

The Interlink Express one hour delivery window

9 ways to avoid viruses and spyware

William Stallings Data and Computer Communications

Monetizing Attacks / The Underground Economy

An overview over Botnets

Presentation transcript:

Spamalytics: An Empirical Analysis of Spam Marketing Conversion Christian Kreibich christian@icir.org Chris Kanich Kirill Levchenko Brandon Enright Geoff Voelker Vern Paxson Stefan Savage

Motivation

n Bot·net Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities. --Wikipedia

n Bot·net Botmaster Proxy Worker

n Bot·net

n Bot·net

Spam = $, $$, $$$ ? Seems profitable for senders Three main cost factors: Retail cost to send So far, complete lack of methodology to back up conversion rate estimates Crucial step: infiltration * conversion rate * sale profit

n Bot·net : network ... Botmaster Proxy Worker

n Bot·net : ... infiltration! Botmaster US! US! Proxy Worker

Infiltrating Storm

The Storm botnet Reachability check Overnet (UDP)

The Storm botnet Botmaster HTTP proxies Proxy bots Workers Proxy bots Hosted infrastructure TCP Infected machines

Campaign mechanics Botmaster HTTP proxies HTTP Workers Proxy bots TCP

Campaign mechanics: harvest Botmaster @ HTTP proxies HTTP Workers Proxy bots TCP

Campaign mechanics: updates Botmaster HTTP proxies HTTP Workers Proxy bots TCP

Campaign mechanics: spamming Botmaster HTTP proxies HTTP Workers Proxy bots TCP

Campaign mechanics: reporting Botmaster HTTP proxies HTTP Workers Proxy bots TCP

Mission: Spam Conversion Infiltrate Storm at proxy level rewrite spam instructions to use our own URLs ... where we run our own websites and observe activity at each stage. We get rates for SMTP delivery, spam filtering, click- through, and final conversion We did this to ~470M emails generated by the Storm botnet, over a period of a month

Infiltration HTTP proxies Botmaster Workers Proxy bots C&C Rewriter

Infiltration setup Barracuda Mail Webmail Spam Users Target Webservers

Rewriting spam: input Template Dictionary 4~!1205182986~!Received: (qmail %^R2000-30000^% invoked from network) ... Received: from unknown (HELO %^C0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbn... by %^A^% with SMTP; %^D^%^M Message-ID: <%^Z^%.%^R1-9^%0%^R0-9^%0%^R0-9^%0%^R0-9^%@%^C1%^Fdomains^... Date: %^D^%^M From: <%^Fnames^%@%^V1^%>^M User-Agent: Thunderbird %^Ftrunver^%^M MIME-Version: 1.0^M To: %^0^%^M Subject: %^Fpharma^%^M Content-Type: text/plain; charset=ISO-8859-1; format=flowed^M Content-Transfer-Encoding: 7bit^M ^M %^G%^Fpharma^% http://%^Fpharma_links^%^%^M ~!pharma_links~!1200488402~!drawdecide.com speeddegree.com speakgas.com imagineoh.com occurcome.com

Rewriting spam: output Template Dictionary 4~!1205182986~!Received: (qmail %^R2000-30000^% invoked from network) ... Received: from unknown (HELO %^C0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbn... by %^A^% with SMTP; %^D^%^M Message-ID: <%^Z^%.%^R1-9^%0%^R0-9^%0%^R0-9^%0%^R0-9^%@%^C1%^Fdomains^... Date: %^D^%^M From: <%^Fnames^%@%^V1^%>^M User-Agent: Thunderbird %^Ftrunver^%^M MIME-Version: 1.0^M To: %^0^%^M Subject: %^Fpharma^%^M Content-Type: text/plain; charset=ISO-8859-1; format=flowed^M Content-Transfer-Encoding: 7bit^M ^M %^G%^Fpharma^% http://%^Fpharma_links^%/?prod=%^E^%^%^M ~!pharma_links~!1200488402~!murmuraverse.com

Rewriting spam: result Sample spam instance Received: (qmail 3871 invoked from network); Tue, 15 Jan 2008 08:26:26 Received: from unknown (HELO gug) (211.219.143.28) by ukdewkg with SMTP; Tue, 15 Jan 2008 08:26:26 -0800 Message-ID: <478CDEB2.4000300@ot2sen.dk> Date: Tue, 15 Jan 2008 08:26:26 -0800 From: <slbc@ot2sen.dk> User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: davidtyler@aureate.com Subject: Results proved by thousands of men! Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Trustworthy way to fight failures! http://murmuraverse.com/prod=gdylgwbohuCdxuhdwh1frp

Fake pharma & greeting card sites Focus on two top Storm campaigns: pharmaceuticals and self-propagation We ran fake, harmless websites looking like the real ones Conversion signals For pharma, a click on “purchase” button For self-prop, execution of our own binary that phones home on HTTP and exits

Fake pharma & greeting card sites

Fake pharma & greeting card sites

Results

Campaign volumes

Rewritten spams per hour

Spam delivery: top domains

Conversion rates 1 in 12.5M 1 in 265K 1 in 178K 1 in 10

Spam delivery: filter effectiveness Percentage relative to injections Average: 0.014% 1 in 7,142 attempted spams got through

Hypothetical conversion estimate for delivered spam Assuming the webmail filtering generalizes: 1 in 1,737 48,662 0.014% 1 in 37 11,711 0.014% 1 in 25 5,618 0.014%

Conversions, geographically 541 binary executions, 28 purchases

Conversions, by country

Time-to-click distribution

Pharmaceutical revenues 28 purchases in 26 days, average price ~$100 Total: $2,731.88, $140/day But: we interposed only on ~1.5% of workers! $9500/day (and 8500 bots per day) $3.5M/year Storm: service provider or integrated operation? Retail price of spam ~$80 per million Suggests integrated operation to be profitable In fact: 40% cut for Storm operators via Glavmed

Mission accomplished

Mission accomplished We introduced conversion rate measurement through botnet infiltration Conducted on the Storm botnet, 1 month, ~470M spam messages Conversion rates: 1-in-12M for pharmaceuticals 1-in-200K for voluntary executions 1-in-10 for website visitors Small data point -- beware of generalization

Address-based blacklisting

Proxy workloads over time

Campaign mechanics: updates Three parts of an update message: templates dictionaries email address target lists All parts optional Multiple target lists & templates via slots essentially a local per-campaign index number

Campaign mechanics: templates Templates are instantiated via macros Macro syntax: %^ <macro name> [<arg1> [, <arg2>...] ] ^% Pick random value from “domains” dictionary: %^Fdomains^% Random character string of 2-6 characters: %^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^% 14 different macros seen live 10 additional ones identified by experimentation

Campaign mechanics: templates Instantiation example: