By Areej Al-Bataineh University of Texas at San Antonio MIT Spam Conference 2009.

Slides:

Advertisements

Similar presentations

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

Advertisements

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Threat infrastructure: proxies, botnets, fast-flux

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Spam Sonia Jahid University of Illinois Fall 2007.

An Effective Defense Against Spam Laundering Paper by: Mengjun Xie, Heng Yin, Haining Wang Presented at:CCS'06 Presentation by: Devendra Salvi.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

By Michael P. Kassner Latest reports have spam accounting for over 95 percent of all messages. You can thank botnets for most of that. Here’s what.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Botnets An Introduction Into the World of Botnets Tyler Hudak

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

SMTP PROTOCOL CONFIGURATION AND MANAGEMENT Chapter 8.

Wireless and Security CSCI 5857: Encoding and Encryption.

Chapter 6: Packet Filtering

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Client X CronLab Spam Filter Technical Training Presentation 19/09/2015.

Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.

CH2 System models.

Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

Access Control List (ACL)

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

1 Honeypot, Botnet, Security Measurement, Spam Cliff C. Zou CDA /01/07.

Studying Spamming Botnets Using Botlab 台灣科技大學資工所楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.

Silicon & Software Systems (S3)‏ Copyright © Silicon & Software Systems Limited Antispam protection IT Department 20/03/2008 Ondrej Valousek.

Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:

1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.

Presented by Rebecca Meinhold But How Does the Internet Work?

Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.

Detecting Phishing in s Srikanth Palla Ram Dantu University of North Texas, Denton.

Return to the PC Security web page Lesson 6: Improving Security.

Studying Spamming Botnets Using Botlab

SMTP Tapu Ahmed Jeremy Nunn. Basics Responsible for electronic mail delivery. Responsible for electronic mail delivery. Simple ASCII protocol that runs.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

Role Of Network IDS in Network Perimeter Defense.

Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.

Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August

Introduction Web analysis includes the study of users’ behavior on the web Traffic analysis – Usage analysis Behavior at particular website or across.

TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).

Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Fighting Spam in an Exchange Environment Tzahi Kolber IT Supervisor - Polycom Israel.

Application Layer instructors at St. Clair College in Windsor, Ontario for their slides. Special thanks to instructors at St. Clair College in Windsor,

An Effective Defense Against Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava.

Defining Network Infrastructure and Network Security Lesson 8.

TMG Client Protection 6NPS – Session 7.

Vocabulary Prototype: A preliminary sketch of an idea or model for something new. It’s the original drawing from which something real might be built or.

Vocabulary Prototype: A preliminary sketch of an idea or model for something new. It’s the original drawing from which something real might be built or.

Working at a Small-to-Medium Business or ISP – Chapter 7

Working at a Small-to-Medium Business or ISP – Chapter 7

Working at a Small-to-Medium Business or ISP – Chapter 7

Chapter 7 Network Applications

Slides Credit: Sogand Sadrhaghighi

Wireless Spoofing Attacks on Mobile Devices

Presentation transcript:

By Areej Al-Bataineh University of Texas at San Antonio MIT Spam Conference 2009

3/27/2009Areej Al-Bataineh - Botnet-generated Spam 2

Botnets: “A Global Pandemic” 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 3 Botnet is a network of compromised machines (Bots) under the command and control (C&C) of one person (master) Machines become infected when users click on attachments or URLs, visit malicious/legitimate web sites, or install software from untrusted sources C&C protocols include IRC, HTTP, P2P Botnets used for attacks like DDoS, spamming, phishing, identity theft, …etc According Panda Labs, in 2Q 2008, 10 million bot computers were used to distribute spam and malware across the Internet each day

Botnets are mostly used for spamming! According to Marshal’s TRACE center : In the 1Q of 2008, about 85% of spam is generated by 6 Botnets: Mega-D, Srizbi, Storm, Pushdo, Rustock, Cutwail. 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 4 According to Symantec’s Message Labs Intelligence: The McColo ISP shutdown

Questions  How does a typical spamming botnet work?  How do botnets transmit spam?  What can be done to make it nearly impossible for botnets to deliver spam?  What tools and policies can be utilized at network edges?  What tools and policies can be utilized at mail servers? 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 5

Spamming Botnet 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 6 Botnet Master Control Servers Spammer templates lists DNS MX records Binary updates …

Questions  How does a typical spamming botnet work?  How do botnets transmit spam?  What can be done to make it nearly impossible for botnets to deliver spam?  What tools and policies can be utilized at network edges?  What tools and policies can be utilized at mail servers? 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 7

Transmission 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 8 MUA MTA MX Server MUA AliceBob

3/27/2009Areej Al-Bataineh - Botnet-generated Spam 9 Spam Transmission 1 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 9 MUA Relay Server MX Server MUA SpambotVictim Spambot forwards to an open relay server Spambot composes message according to the given template Open Relay Mail server relays to recipient mail server

3/27/2009Areej Al-Bataineh - Botnet-generated Spam 10 Spam Transmission 2 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 10 Proxy Client Proxy ServerMX Server MUA SpambotVictim Proxy server forwards traffic to a mail server Spambot initiate a proxy connection (HTTP/SOCKS) Open Proxy

Areej Al-Bataineh - Botnet-generated Spam 11 Spam Transmission 3 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 11 Proxy Client Proxy Server MX Server MUA SpambotVictim Proxy server forwards traffic through mail server of its own domain Spambot initiate a proxy connection (HTTP/SOCKS) ProxyLock MX Server

3/27/2009Areej Al-Bataineh - Botnet-generated Spam 12 Spam Transmission 4 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 12 MUA+MTA MX Server MUA Spambot Victim Spambot initiate SMTP connection with recipient mail server Direct-To-MX

Questions  How does a typical spamming botnet work?  How do botnets transmit spam?  What can be done to make it nearly impossible for botnets to deliver spam?  What tools and policies can be utilized at network edges?  What tools and policies can be utilized at mail servers? 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 13

Spam Control 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 14 MTAMX Server Message Transmission Path Router

Questions  How does a typical spamming botnet work?  How do botnets transmit spam?  What can be done to make it nearly impossible for botnets to deliver spam?  What tools and policies can be utilized at network edges?  What tools and policies can be utilized at mail servers? 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 15

Egress Spam control at Routers 1. Manage port 25 traffic (MAAWG 2008)  Block mail traffic except from designated servers In some networks, this cannot be adopted!! 2. Monitor DNS queries (Romana et al. 2008)  Identify spambots within a network  based on their frequent DNS queries for MX records Some botnets maintains DB for MX records 3. DBSpam (Xie et al. 2006)  Block/throttle spam laundry traffic  Discover proxy bots inside the network Detect proxy traffic, not regular spam traffic 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 16

Ingress Spam Control at Routers 1. Local and dynamic Blacklists (Cook et al. 2006)  Identify IPs of spambots based on spam filters  Keep IPs in blacklists for a chosen period of time Spambots have dynamic IP addresses 2. Spam streams classification (Argawal et al. 2005)  Identify bulk streams based on message similarities  Classify them as spam using a Bayesian classifier Template-based spam messages do not look similar 3. SpamFlow (Beverly & Sollins 2008)  Identify distinguishing features of spam TCP flows (RTT, idle, FIN)  Use machine learning classifier trained on open relay MTA mail connections Choosing the right features is key 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 17

Summary – Control at Routers 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 18 MethodDirectionEffect CookIn Block traffic from locally- blacklisted sources ArgawalInDetect bulk spam traffic SpamFlowInDetect spam TCP flows Manage Port 25Out Drop traffic except from legitimate outbound servers RomanaOutDetect spambots DNS MX queries DBSpamIn/OutBlock/Throttle proxy traffic

Questions  How does a typical spamming botnet work?  How do botnets transmit spam?  What can be done to make it nearly impossible for botnets to deliver spam?  What tools and policies can be utilized at network edges?  What tools and policies can be utilized at mail servers? 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 19

Spam Control at MTAs 1. forwarding best practices  Specify inbound/outbound mail servers  Different port number (not 25) and user authentication spambot knows the port # and the user credentials 2. SMTP transaction Delay  Impose delay on suspicious requests  Suspicion based on SMTP RFCs compliance checks This delay will not affect spambots 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 20

Incoming Spam Control 1. Source IP address checking  Authorized mail server (SPF, DKIM, Sender ID) Spambots domain may not have such DNS records  Blacklists 35% of spam comes from sources not listed in any blacklist 2. Greylisting  Refuse first delivery attempt, accept the second one Spambots can adapt and include this feature 3. SMTP session abort 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 21

Summary – Spam Control at Servers 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 22 MethodDirectionEffect Reject open relays In/OutBlock open relay attempts Forwarding best practices Out Drop from unauthorized users SMTP delayIn Delay spam and reduce its volume Source IP checking In Drop from untrusted servers GreylistingIn Refuse delivery attempts by untrusted sources SMTP abortIn Refuse delivery attempts from known suspicious sources

Review Anti-spam is improving, but … Why the spam volume is not decreasing? Answer: Botnets  Efficient Generation  Guaranteed Delivery Solutions: Spam control at …  Routers or network edges  Mail servers 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 23

Conclusions  Botnet-generated spam:  Brings out new challenges  Opens new directions for solutions  Intercepting spam while in transit is crucial  New solutions should consider the nature of botnet-generated spam:  Distributed  Anonymous 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 24

3/27/ Areej Al-Bataineh - Botnet-generated Spam Questions? Comments? Ideas?

3/27/ Areej Al-Bataineh - Botnet-generated Spam Extra Slides

Experiments  For each of the top spam botnet  Get a binary  Analyze it with CWSandbox  Analyze packet trace manually  Describe delivery method used 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 27

Top Spam Botnets 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 28 BotnetsizeControlRootkitSMTP engine Cutwail Pandex, Mutant (related to: Wigon, Pushdo) 175,000HTTP with encryption, multiple TCP ports YesTemplate based Rustock RKRustok, Costrat, Meredrop 130,000HTTP with encryption, TCP port 80 Yes DonBot Bachsoy 125,000Custom protocol on high TCP port No Ozdok Mega-D 120,000encrypted, TCP port 443No XarVester Rlsloup, RUcrzy 60,000HTTP on high portsYes Grum Tedroo 50,000HTTP on TCP port 80Yes Cheg Tosfee 50,000Encrypted on TCP ports 443 and 533 No CimBot Unknown 10,000encrypted, TCP ports 80 and 443 No Waledac Waled 10,000AES and RSA-encrypted, encapsulated in HTTP No A from-scratch rewrite of Storm

Botnet Activity 3/27/2009Areej Al-Bataineh - Botnet-generated Spam 29 Adopted from Damballa’s website on March 24 th, 09