Spampots Project
Mapping the Abuse of Internet Infrastructure by Spammers

Klaus Steding-Jessen <jessen@cert.br>
Cristine Hoepers [email protected]

CERT.br – Computer Emergency Response Team Brazil
NIC.br – Network Information Center Brazil
CGI.br – Brazilian Internet Steering Committee

2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US – June, 2010
About CERT.br
Created in 1997 as the national focal point to handle computer security incident reports and activities related to networks connected to the Internet in Brazil.
http://www.cert.br/mission.html
Our Parent Organization: CGI.br
Among the diverse responsibilities of the Brazilian Internet Steering Committee – CGI.br, the main attributions are:
• to propose policies and procedures related to the regulation of the Internet activities
• to recommend standards for technical and operational procedures
• to establish strategic directives related to the use and development of Internet in Brazil
• to promote studies and technical standards for the network and services’ security in the country
• to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br>
• to collect, organize and disseminate information on Internet services, including indicators and statistics
CGI.br/NIC.br Structure
01 – Ministry of Science and Technology
02 – Ministry of Communications
03 – Presidential Cabinet
04 – Ministry of Defense
05 – Ministry of Development, Industry and Foreign Trade
06 – Ministry of Planning, Budget and Management
07 – National Telecommunications Agency
08 – National Council of Scientific and Technological Development
09 – National Forum of State Science and Technology Secretaries
10 – Internet Expert
11 – Internet Service Providers
12 – Telecom Infrastructure Providers
13 – Hardware and Software Industries
14 – General Business Sector Users
15 – Non-governmental Entity
16 – Non-governmental Entity
17 – Non-governmental Entity
18 – Non-governmental Entity
19 – Academia
20 – Academia
21 – Academia
Agenda
SpamPots Project Objectives
Architecture Overview
New Developments
Partners/Members Portal
Mining Spam Campaigns
Ongoing Work
SpamPots Project Objectives
Better understand the abuse of the Internet infrastructure by spammers
• measure the problem from a different point of view: abuse of infrastructure vs. spams received at the destination
• help develop the spam characterization research
• measure the abuse of end-user machines to send spam
• use the spam collected to improve antispam filters
• develop better ways to
  – identify phishing and malware
  – identify botnets via the abuse of open proxies and relays
Architecture Overview
(architecture diagram; the component labels recovered from the slide are listed below)
Spammers, bots
Honeypots emulating open proxies and open relays
Storage
Data Collection: collects all data periodically; checks honeypots status.
Data Analysis: data mining process; generates analysis based on spam content.
Data Warehouse / Storage: sample e-mails, URLs, malware, etc.
Members Portal: statistics; global distribution of spam campaigns.
Partners Hosting Sensors
• Sensors hosted by:
  – AT: CERT.at
  – AU: AusCERT
  – BR: CERT.br
  – BR: CSIRT-USP
  – CL: CLCERT
  – NL: SURFcert
  – TW: TWCERT/CC
  – US: Univ. of Washington Tacoma
  – UY: CSIRT Antel
• Coming soon: AE (aeCERT), AR (CSIRT Banelco and Univ. de La Plata), DE (Telekom-CERT), EC (Univ. de Loja), GR (FORTH, ICS), MY (MyCERT), PL (CERT Polska), UK (OX-CERT) and two others in US (Univ. of Alabama at Birmingham and IBM)
• And maybe one in ZA – thanks to SURFcert!
Improving cooperation in spam fighting
Provide data to trusted parties
• Help the constituency to identify infected machines
• Identify malware and scams targeting their constituency
• Currently providing data about spams coming from networks assigned to
  – JP – to JADAC / IIJ / JPCERT/CC / Min. of Communications; had a workshop in Brazil with representatives from these organizations and local ISPs and network providers to discuss how to reduce spam and network abuse
  – TW – to NCC-TW; they are using the data to shut down spammers’ infrastructures
New Developments
Data capture and collection software rewritten:
• spamsinkd
  – non-forking, multi-threaded, event-based design using the POE framework
  – collect more details about each message
  – store messages in mbox format
  – IPv6 ready
• spamtestd
  – faster response
  – more control over responses to test messages
• better data storage design
  – better disk usage
  – facilitate data donation
  – facilitate archival
Case Study
• IP from Nigeria
• abuses a SOCKS proxy in Brazil
• connects to an ISP in Germany
• authenticates with a stolen credential
• sends a phishing message to .uk victims
• with a link to a phony Egg bank site
• using a South African domain
• hosted at an IP address allocated to “UK’s largest web hosting company based in Gloucester”
Case Study (cont.)
From: "Egg Bank Plc"<[email protected]>
Subject: Online Banking Secure Message Alert!
Date: Mon, 19 Apr 2010 14:46:29 +0100
X-SMTP-Proto: ESMTPA
X-Ehlo: user
X-Mail-From: [email protected]
X-Rcpt-To: <victim1>@yahoo.co.uk
X-Rcpt-To: <victim2>@yahoo.com
X-Rcpt-To: <victim3>@yahoo.co.uk
X-Rcpt-To: <victim4>@hotmail.co.uk
(...)
X-Rcpt-To: <victimN>@aol.com
Case Study (cont.)
X-Sensor-Dstport: 1080
X-Src-Proto: SOCKS 5
X-Src-IP: 41.155.50.138
X-Src-Hostname: dial-pool50.lg.starcomms.net
X-Src-ASN: 33776
X-Src-OS: unknown
X-Src-RIR: afrinic
X-Src-CC: NG
X-Src-Dnsbl: zen=PBL (Spamhaus)
X-Dst-IP: 195.4.92.9
X-Dst-Hostname: virtual0.mx.freenet.de
X-Dst-ASN: 5430
X-Dst-Dstport: 25
X-Dst-RIR: ripencc
X-Dst-CC: DE
Case Study (cont.)
<table width="561">
<tbody><tr><td><br><font face="Arial" size="2">
You have 1 new Security Message Alert!
<br><br>
Log In into your account to review the new credit limit
terms and conditions..<br>
</font><p><font face="Arial" size="2"><br><font face="Arial">
</font></font><font face="Arial"><a rel="nofollow" target="_blank"
href="http://www.mosaic.org.za/images/index.html">
Click here to Log In</a></font></p>
<font face="Arial"> </font><font face="Arial" size="2">
</font><p><font face="Arial" size="2"><br><br>
Egg bank Online Service<br> </font></p>
<font face="Arial" size="2"> </font><hr>
<font face="Arial" size="2">
<font color="999999" size="1"> Egg bank Security
Department</font></font></td></tr></tbody></table>
Case Study (cont.)
(image-only slide)
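The sensor metadata shown in the case study lends itself to automated triage by the partner receiving the data. The following Python is an example added here, not part of the SpamPots software: it parses a message carrying the X-Src-*/X-Dst-*/X-Sensor-* headers the slides show (the sample message is constructed from the case study, with the redacted sender address replaced by a labelled placeholder), then summarises the relay chain and the indicators a CSIRT would act on, such as the ESMTPA authentication that points at a compromised credential at the destination ISP.

```python
"""Summarise one SpamPots capture from the X-* metadata headers the sensor adds.

Added example (not CERT.br's spamsinkd code). The header names are the ones the
case-study slides show; the sample message is constructed from those slides.
"""
from collections import Counter
from email import message_from_string

# Constructed from the case study; the sender address is a placeholder because
# the slide redacts it, and the <victimN> recipients are kept as on the slide.
SAMPLE_CAPTURE = """\
From: "Egg Bank Plc" <sender-redacted@placeholder.invalid>
Subject: Online Banking Secure Message Alert!
Date: Mon, 19 Apr 2010 14:46:29 +0100
X-SMTP-Proto: ESMTPA
X-Ehlo: user
X-Mail-From: sender-redacted@placeholder.invalid
X-Rcpt-To: <victim1>@yahoo.co.uk
X-Rcpt-To: <victim2>@yahoo.com
X-Rcpt-To: <victim3>@yahoo.co.uk
X-Rcpt-To: <victim4>@hotmail.co.uk
X-Rcpt-To: <victimN>@aol.com
X-Sensor-Dstport: 1080
X-Src-Proto: SOCKS 5
X-Src-IP: 41.155.50.138
X-Src-Hostname: dial-pool50.lg.starcomms.net
X-Src-ASN: 33776
X-Src-OS: unknown
X-Src-RIR: afrinic
X-Src-CC: NG
X-Src-Dnsbl: zen=PBL (Spamhaus)
X-Dst-IP: 195.4.92.9
X-Dst-Hostname: virtual0.mx.freenet.de
X-Dst-ASN: 5430
X-Dst-Dstport: 25
X-Dst-RIR: ripencc
X-Dst-CC: DE

You have 1 new Security Message Alert!
"""


def parse_capture(raw: str) -> dict:
    """Turn one captured message into a flat record: who abused what, via where."""
    msg = message_from_string(raw)
    rcpts = msg.get_all("X-Rcpt-To") or []
    domains = Counter(r.rsplit("@", 1)[-1].strip().lower() for r in rcpts)
    return {
        "sensor_port": int(msg["X-Sensor-Dstport"]),
        "proxy_proto": msg["X-Src-Proto"],
        "smtp_proto": msg["X-SMTP-Proto"],
        # ESMTPA: the spammer authenticated to the destination MTA through the
        # sensor, which is what the slide calls use of a stolen credential
        "authenticated": msg["X-SMTP-Proto"] == "ESMTPA",
        "src": {"ip": msg["X-Src-IP"], "cc": msg["X-Src-CC"],
                "asn": int(msg["X-Src-ASN"]), "rir": msg["X-Src-RIR"],
                "dnsbl": msg["X-Src-Dnsbl"]},
        "dst": {"ip": msg["X-Dst-IP"], "cc": msg["X-Dst-CC"],
                "asn": int(msg["X-Dst-ASN"]), "port": int(msg["X-Dst-Dstport"]),
                "host": msg["X-Dst-Hostname"]},
        "recipient_count": len(rcpts),
        "recipient_domains": dict(domains),
        # one TLD entry per recipient, so yahoo.co.uk twice counts "uk" twice
        "recipient_tlds": dict(Counter(d.rsplit(".", 1)[-1] for d in domains.elements())),
    }


def abuse_chain(rec: dict) -> str:
    """One-line view of the relay path, the way the case-study slide narrates it."""
    auth = "authenticated" if rec["authenticated"] else "unauthenticated"
    return (f"{rec['src']['cc']}/AS{rec['src']['asn']} {rec['src']['ip']} "
            f"-> {rec['proxy_proto']} sensor:{rec['sensor_port']} "
            f"-> {rec['dst']['cc']}/AS{rec['dst']['asn']} {rec['dst']['host']}:{rec['dst']['port']} "
            f"({rec['smtp_proto']}, {auth}, {rec['recipient_count']} recipients)")


def triage_flags(rec: dict) -> list:
    """Indicators a partner CSIRT would act on: credential misuse, listed source, targeted TLD."""
    flags = []
    if rec["authenticated"]:
        flags.append("authenticated-submission")  # a credential at the destination ISP is compromised
    if rec["src"]["dnsbl"]:
        flags.append("source-dnsbl-listed")
    if rec["src"]["cc"] != rec["dst"]["cc"]:
        flags.append("cross-border")
    if rec["recipient_tlds"]:
        top_tld = max(rec["recipient_tlds"], key=rec["recipient_tlds"].get)
        flags.append(f"targets-{top_tld}")
    return flags


if __name__ == "__main__":
    record = parse_capture(SAMPLE_CAPTURE)
    print(abuse_chain(record))
    print(triage_flags(record))
```

Run on the sample, `abuse_chain` yields the Nigeria → SOCKS 5 sensor → German ISP path from the slide and `triage_flags` returns the authenticated-submission, DNSBL, cross-border and targets-uk indicators; the same record is what a partner would hand to the destination ISP (reset the credential) and to the source network (clean the host).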
Partners/Members Area
(the following slides are portal screenshots; image only)
Partners/Members Home
Statistics last 15 minutes
Statistics last 15 minutes – Country Codes
Statistics last 15 minutes – ASes
Statistics last 15 minutes – ports
Statistics last 15 minutes – CIDRs
Statistics last 15 minutes – IPs
Statistics – MRTG
Statistics – Country Codes Daily
Mining Spam Campaigns
Motivation
• Spampots collect a huge volume of spams (7+ million spams/day)
• How to make sense of all this data?
  – Data Mining!
  – Cluster spam messages into Spam Campaigns to isolate the traffic associated with each spammer
  – Correlate spam campaign attributes to unveil different spamming strategies
Data Mining research conducted by the e-Speed Lab, DCC/UFMG
The Pattern Tree Approach
• Features are extracted from spam messages (subject, URLs, layout, etc.)
• We organize them hierarchically, inserting more frequent features on the top levels of the tree
• Campaigns are delimited by a sequence of invariants
Data reduction
• The Pattern Tree grouped 350M spam messages into 60K spam campaigns;
• Obfuscation patterns are naturally discovered!
• Automatically deals with new and unknown campaign obfuscation techniques
(figure: Pajek graph visualizations of the tree; image only)
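A toy implementation of the Pattern Tree described on the two slides above, added here as an example (it is not the e-Speed Lab or CERT.br code). It extracts features (subject, URL host and path, HTML layout), inserts each message into a prefix tree with its features ordered by global frequency so that the invariant features sit on the top levels, and cuts the tree into campaigns: the invariant sequence is the campaign signature and the features below it are what the spammer varies, which is how obfuscation (a rotated URL path, a digit swapped into the subject) surfaces without being modelled in advance. The cut rule (deepest node reached by at least MIN_SUPPORT messages, nested cuts merged upward) and the sample messages are assumptions made for this example.

```python
"""Toy Pattern Tree: group spam messages into campaigns by their invariant features.

Added example (not the e-Speed Lab / CERT.br implementation). Features are
ordered most-frequent-first, each message is one path, and a campaign is the
sequence of invariant features its messages share. The cut rule and the sample
messages are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Feature = Tuple[str, str]  # (feature name, feature value)
MIN_SUPPORT = 2            # messages a node needs before it counts as invariant

# Constructed sample: a bank-phishing campaign rotating the URL path and obfuscating
# the subject, a pharmacy campaign rotating both, and one unrelated message.
SAMPLE_MESSAGES = [
    {"subject": "Online Banking Secure Message Alert!",
     "body": '<table><a href="http://bank-login.example/images/index.html">Log In</a></table>'},
    {"subject": "Online Banking Secure Message Alert!",
     "body": '<table><a href="http://bank-login.example/img/index.html">Log In</a></table>'},
    {"subject": "0nline Banking Secure Message Alert!",
     "body": '<table><a href="http://bank-login.example/files/index.html">Log In</a></table>'},
    {"subject": "Cheap pills", "body": '<p><a href="http://pharma.example/a">buy</a></p>'},
    {"subject": "Cheap p1lls", "body": '<p><a href="http://pharma.example/b">buy</a></p>'},
    {"subject": "Meeting notes", "body": "<p>see attached</p>"},
]


class Node:
    """One tree node: the feature it stands for and how many messages passed through it."""
    def __init__(self, feature: Optional[Feature] = None, parent: Optional["Node"] = None):
        self.feature, self.parent, self.count = feature, parent, 0
        self.children: Dict[Feature, "Node"] = {}


def extract_features(msg: dict) -> List[Feature]:
    """Subject, first URL host and path, and the HTML tag sequence as the 'layout'."""
    feats = [("subject", msg["subject"].strip().lower())]
    urls = re.findall(r'href="([^"]+)"', msg["body"])
    if urls:
        parts = urlsplit(urls[0])
        feats += [("url_host", parts.hostname or ""), ("url_path", parts.path)]
    tags = re.findall(r"<([a-z0-9]+)[\s>]", msg["body"].lower())
    feats.append(("layout", ">".join(tags)))
    return feats


def build_tree(messages: List[dict]) -> Tuple[Node, List[Node]]:
    """Insert every message as a path of features ordered by global frequency (frequent first)."""
    per_msg = [extract_features(m) for m in messages]
    freq = Counter(f for feats in per_msg for f in feats)
    root, leaves = Node(), []
    for feats in per_msg:
        node = root
        node.count += 1
        for f in sorted(feats, key=lambda f: (-freq[f], f)):  # name breaks ties deterministically
            if f not in node.children:
                node.children[f] = Node(f, node)
            node = node.children[f]
            node.count += 1
        leaves.append(node)
    return root, leaves


def signature(node: Node) -> Tuple[Feature, ...]:
    """Sequence of invariants from the root down to this node (empty for the root)."""
    path = []
    while node.parent is not None:
        path.append(node.feature)
        node = node.parent
    return tuple(reversed(path))


def cluster_campaigns(messages: List[dict], min_support: int = MIN_SUPPORT) -> Dict[Tuple[Feature, ...], List[int]]:
    """Map each campaign signature to the indices of its messages; () holds unclustered ones."""
    root, leaves = build_tree(messages)
    cands = []  # per message: the deepest node on its path with enough support
    for leaf in leaves:
        node = leaf
        while node.parent is not None and node.count < min_support:
            node = node.parent
        cands.append(node)
    cand_set = set(cands)
    campaigns: Dict[Tuple[Feature, ...], List[int]] = defaultdict(list)
    for i, cand in enumerate(cands):
        # If an ancestor is itself a cut point (other messages vary a feature this one
        # keeps fixed), merge upward: the shorter invariant sequence is the campaign.
        top, node = cand, cand.parent
        while node is not None and node.parent is not None:
            if node in cand_set:
                top = node
            node = node.parent
        campaigns[signature(top)].append(i)
    return dict(campaigns)


if __name__ == "__main__":
    for sig, members in cluster_campaigns(SAMPLE_MESSAGES).items():
        print(sig or "(unclustered)", members)
```

On the sample the three bank messages collapse into one campaign keyed by layout plus URL host, with the obfuscated subject and the rotated path left below the cut as the variable part, the two pharmacy messages form a second campaign, and the unrelated message stays unclustered. Ordering features by frequency before insertion is what makes this work: the tree does not need to know which attribute the spammer will randomise, because the randomised attribute is by construction rare and ends up at the bottom.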
Ongoing Work
• comparing the views provided from different spampots
  – differences according to region/country
  – type of network (academic, commercial, broadband, etc.)
• factorial design experiment to determine effects of spampots’ parameters
• investigating the connection between bots and open proxies / open relays
Looking for Partners Interested in. . .
• Hosting a sensor
  – requirements: 1 public IP address, low-end server (or VM), ≈ 1 Mb/s, no filtering
  – All partners will have access to all data if they want
• Receiving data
  – spams, URLs, IPs abusing the sensors, etc.
• Helping to improve the technology
  – Analysis, capture, collection, correlation with other data sources, etc.
References
• Brazilian Internet Steering Committee – CGI.br
  http://www.cgi.br/
• Computer Emergency Response Team Brazil – CERT.br
  http://www.cert.br/
• Previous presentations about the project
  http://www.cert.br/presentations/
• SpamPots Project white paper (in Portuguese)
  http://www.cert.br/docs/whitepapers/spampots/