Botnet-generated Spam
Transcript of Botnet-generated Spam
BOTNET-GENERATED SPAM
By Areej Al-Bataineh, University of Texas at San Antonio
MIT Spam Conference 2009
Areej Al-Bataineh - Botnet-generated Spam 2
(Cartoon slide: www.securitycartoon.com)
3/27/2009
Botnets: “A Global Pandemic”
A botnet is a network of compromised machines (bots) under the command and control (C&C) of one person (the master).
Machines become infected when users click on email attachments or URLs, visit malicious (or compromised legitimate) web sites, or install software from untrusted sources.
C&C protocols include IRC, HTTP, and P2P.
Botnets are used for attacks such as DDoS, spamming, phishing, identity theft, etc.
According to PandaLabs, in 2Q 2008, 10 million bot computers were used to distribute spam and malware across the Internet each day.
Botnets are mostly used for spamming!
According to Marshal's TRACE Center: in 1Q 2008, about 85% of spam was generated by 6 botnets: Mega-D, Srizbi, Storm, Pushdo, Rustock, Cutwail.
According to Symantec's MessageLabs Intelligence: (chart) the McColo ISP shutdown
Questions
How does a typical spamming botnet work?
How do botnets transmit spam?
What can be done to make it nearly impossible for botnets to deliver spam?
What tools and policies can be utilized at network edges?
What tools and policies can be utilized at mail servers?
Spamming Botnet
(Diagram) Botnet master -> control servers -> bots. The spammer supplies the control servers with: email templates, email lists, DNS MX records, binary updates, ...
Email Transmission
(Diagram) Alice's MUA -> MTA -> MX server -> Bob's MUA
Spam Transmission 1: Open Relay
(Diagram) Spambot (MUA) -> open relay server -> victim's MX server -> victim's MUA
The spambot composes the message according to the given template and forwards it to an open relay server; the relay server then relays the email to the recipient's mail server.
Spam Transmission 2: Open Proxy
(Diagram) Spambot (proxy client) -> open proxy server -> victim's MX server -> victim's MUA
The spambot initiates a proxy connection (HTTP/SOCKS) to an open proxy; the proxy server forwards the email traffic to the recipient's mail server.
Spam Transmission 3: ProxyLock
(Diagram) Spambot (proxy client) -> proxy server -> MX server of the proxy's own domain -> victim's MX server -> victim's MUA
The spambot initiates a proxy connection (HTTP/SOCKS); the proxy server forwards the email traffic through the mail server of its own domain, which delivers it to the recipient's mail server.
Spam Transmission 4: Direct-to-MX
(Diagram) Spambot (MUA+MTA) -> victim's MX server -> victim's MUA
The spambot, carrying its own SMTP engine, initiates the SMTP connection with the recipient's mail server directly.
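The four delivery paths above look different from the recipient's side only through the Received header trail. The following Python is an added example, not code from the talk: it unfolds a constructed header block, reconstructs the hop chain, and shows that an open relay leaves an extra hop while direct-to-MX and open-proxy delivery both present a single hop (a proxy forwards TCP and adds no Received line; ProxyLock does add the proxy domain's MTA as a hop). Host names and addresses are constructed; the dynamic-rDNS pattern is a heuristic assumption.

```python
from __future__ import annotations
import re

# Constructed sample headers (not from the talk). The topmost Received line is
# the most recent hop, so delivery order is the reverse of header order.
RELAYED_HEADERS = """\
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx.victim.example (Postfix) with ESMTP id 1A2B3C;
    Fri, 27 Mar 2009 10:00:01 -0400
Received: from user-pc (dsl-203-0-113-55.isp.example [203.0.113.55])
    by relay.example.org (Postfix) with SMTP id 9F8E7D;
    Fri, 27 Mar 2009 09:59:58 -0400
From: alice@example.org
Subject: hi
"""

# Same bot speaking SMTP to the victim MX itself (direct-to-MX). An open-proxy
# path looks identical here except that the client IP is the proxy's.
SINGLE_HOP_HEADERS = """\
Received: from user-pc (dsl-203-0-113-55.isp.example [203.0.113.55])
    by mx.victim.example (Postfix) with SMTP id 7C6B5A;
    Fri, 27 Mar 2009 10:02:14 -0400
From: alice@example.org
Subject: hi
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Heuristic (assumption): rDNS names embedding an address, like dsl-203-0-113-55,
# are typical of dynamic/residential pools rather than real mail servers.
DYNAMIC_RDNS_RE = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}")


def unfold(raw: str) -> list[str]:
    """Join folded header lines (continuations start with whitespace)."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> list[dict]:
    """Return hops in delivery order (the hop the message took first comes first)."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    hops.reverse()
    return hops


def classify_path(hops: list[dict]) -> str:
    """Two or more hops: relayed (open relay, ProxyLock, or a forwarding MTA).
    One hop: the client spoke SMTP to our MX directly, which is what both
    direct-to-MX and open-proxy delivery look like from here."""
    if not hops:
        return "no Received headers"
    if len(hops) == 1:
        return "single-hop: direct-to-MX or proxied"
    return "relayed via " + " -> ".join(h["by"] for h in hops[:-1])


def first_hop_signals(hops: list[dict]) -> dict:
    """Cheap tells about the originating client: a bare HELO name and a
    dynamic-looking rDNS both point at a desktop bot rather than an MTA."""
    first = hops[0]
    return {
        "client_ip": first["ip"],
        "bare_helo": "." not in first["helo"],
        "dynamic_rdns": bool(DYNAMIC_RDNS_RE.search(first["rdns"])),
    }


if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED_HEADERS), ("single", SINGLE_HOP_HEADERS)):
        hops = parse_received(raw)
        print(name, classify_path(hops), first_hop_signals(hops))
```

The relayed sample shows the bot's IP only in the relay's own Received line, which is why an open relay launders the origin for any filter that looks at the connecting IP alone.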
Spam Control
(Diagram) Message transmission path: MTA -> router -> ... -> router -> MX server. Spam can be controlled at the routers (network edges) or at the mail servers.
Egress Spam Control at Routers
1. Manage port 25 traffic (MAAWG 2008): block outbound mail traffic except from designated servers.
   Caveat: in some networks this cannot be adopted.
2. Monitor DNS queries (Romana et al. 2008): identify spambots within a network by their frequent DNS queries for MX records.
   Caveat: some botnets maintain their own database of MX records and never query DNS.
3. DBSpam (Xie et al. 2006): block or throttle spam-laundering traffic; discovers proxy bots inside the network.
   Caveat: detects proxy traffic only, not regular spam traffic.
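Items 1 and 2 above are cheap to prototype against flow and DNS logs. The Python below is an added example, not code from the talk or from the cited papers: an egress rule that allows TCP/25 only from designated MTAs, and a sliding-window counter over MX lookups per internal host in the spirit of the DNS-monitoring approach. Network ranges, thresholds, and the log lines are constructed; the log format (timestamp, source, query type, name) is an assumption. The constructed data also includes a bot that carries its own MX database, which the DNS monitor misses and only the port 25 rule stops.

```python
from __future__ import annotations
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed policy: only these hosts may originate SMTP to the Internet.
DESIGNATED_SMTP_SERVERS = {"192.0.2.25", "192.0.2.26"}
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]


def egress_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Edge rule for 'manage port 25': outbound TCP/25 is allowed only from
    designated MTAs. Mail to our own networks and non-SMTP traffic pass."""
    if dst_port != 25:
        return True
    dst = ip_address(dst_ip)
    if any(dst in net for net in INTERNAL_NETS):
        return True
    return src_ip in DESIGNATED_SMTP_SERVERS


class MXQueryMonitor:
    """Sliding-window count of MX lookups per internal source. A desktop that
    resolves MX records at all is unusual; one doing it dozens of times a
    minute is resolving a target list. (Threshold and window are assumptions.)"""

    def __init__(self, window_s: int = 60, threshold: int = 20):
        self.window_s = window_s
        self.threshold = threshold
        self.events: dict[str, deque] = defaultdict(deque)

    def observe(self, ts: float, src_ip: str, qtype: str) -> bool:
        """Feed one DNS query; True when src_ip reaches the MX-rate threshold."""
        if qtype != "MX":
            return False
        q = self.events[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


def analyze(dns_log: list[str], flows: list[tuple[str, str, int]]) -> dict:
    """Run both controls and report what each one catches."""
    mon = MXQueryMonitor()
    flagged: set[str] = set()
    for line in dns_log:
        ts, src, qtype, _qname = line.split()
        if mon.observe(float(ts), src, qtype):
            flagged.add(src)
    dropped = {(s, d) for s, d, p in flows if not egress_allowed(s, d, p)}
    return {"mx_flagged": flagged, "dropped_flows": dropped}


# Constructed DNS log: "<epoch> <source IP> <qtype> <qname>".
DNS_LOG = [f"{1238162400 + i} 192.0.2.77 MX target{i}.example" for i in range(25)] + [
    "1238162405 192.0.2.80 A www.example.com",
    "1238162406 192.0.2.80 MX example.com",  # a single MX lookup is not suspicious
]

# Constructed flows: (source, destination, destination port).
FLOWS = [
    ("192.0.2.25", "198.51.100.10", 25),   # designated MTA: allowed
    ("192.0.2.77", "198.51.100.10", 25),   # MX-querying bot: dropped
    ("192.0.2.90", "198.51.100.11", 25),   # bot with a cached MX database: no DNS
                                           # signal, still dropped by the 25 rule
    ("192.0.2.90", "198.51.100.11", 443),  # non-SMTP: allowed
    ("192.0.2.77", "192.0.2.25", 25),      # submission to our own MTA: allowed
]

if __name__ == "__main__":
    print(analyze(DNS_LOG, FLOWS))
```

The port 25 rule is the only one of the two that does not depend on bot behaviour, which is why the talk lists it first; the DNS monitor adds attribution (which host is the bot) that a blanket drop rule cannot give.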
Ingress Spam Control at Routers
1. Local and dynamic blacklists (Cook et al. 2006): identify spambot IPs from the site's spam filter verdicts; keep the IPs in a blacklist for a chosen period of time.
   Caveat: spambots have dynamic IP addresses.
2. Spam stream classification (Agrawal et al. 2005): identify bulk email streams based on message similarity; classify them as spam using a Bayesian classifier.
   Caveat: template-based spam messages do not look similar.
3. SpamFlow (Beverly & Sollins 2008): identify distinguishing features of spam TCP flows (RTT, idle time, FIN); use a machine-learning classifier trained on open-relay MTA mail connections.
   Caveat: choosing the right features is key.
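The first item, a local blacklist that expires, is the easiest of the three to deploy, and its caveat (dynamic addresses) is exactly why entries must expire. The Python below is an added example, not code from the talk or from Cook et al.: spam-filter verdicts feed a blacklist with a time-to-live, the ingress check consults it, and an expired entry releases the address because it may by then belong to an innocent user. The hit threshold, TTL and event stream are constructed.

```python
from __future__ import annotations


class DynamicBlacklist:
    """Local blacklist fed by the site's own spam filter. An IP that produced
    `hits_to_block` spam verdicts within `ttl_s` seconds is dropped at the
    ingress router for `ttl_s` seconds, then released. (Values are assumptions.)"""

    def __init__(self, ttl_s: int = 3600, hits_to_block: int = 2):
        self.ttl_s = ttl_s
        self.hits_to_block = hits_to_block
        self.hits: dict[str, list[float]] = {}
        self.blocked_until: dict[str, float] = {}

    def report_spam(self, ts: float, ip: str) -> None:
        """Called by the spam filter for each message it classified as spam."""
        window = [t for t in self.hits.get(ip, []) if ts - t <= self.ttl_s]
        window.append(ts)
        self.hits[ip] = window
        if len(window) >= self.hits_to_block:
            self.blocked_until[ip] = ts + self.ttl_s

    def is_blocked(self, ts: float, ip: str) -> bool:
        """Called at the router for each new SMTP connection attempt."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if ts >= until:
            # Entry expired: the address may now be a different dial-up/DHCP
            # user, so forget it rather than punish whoever inherited the IP.
            del self.blocked_until[ip]
            return False
        return True


def run(events: list[tuple[str, float, str]]) -> list[tuple[float, str, str]]:
    """Replay ('spam'|'conn', timestamp, ip) events; return router decisions."""
    bl = DynamicBlacklist(ttl_s=3600, hits_to_block=2)
    decisions = []
    for kind, ts, ip in events:
        if kind == "spam":
            bl.report_spam(ts, ip)
        else:
            decisions.append((ts, ip, "drop" if bl.is_blocked(ts, ip) else "pass"))
    return decisions


# Constructed event stream (filter verdicts interleaved with router-side connects).
EVENTS = [
    ("conn", 0.0, "203.0.113.55"),     # first contact: nothing known yet -> pass
    ("spam", 1.0, "203.0.113.55"),     # spam filter verdict on that message
    ("conn", 50.0, "203.0.113.55"),    # one hit is below the threshold -> pass
    ("spam", 51.0, "203.0.113.55"),    # second verdict -> blacklist entry created
    ("conn", 100.0, "203.0.113.55"),   # dropped at the router, no MTA/filter cost
    ("conn", 100.0, "198.51.100.9"),   # unrelated sender -> pass
    ("conn", 4000.0, "203.0.113.55"),  # TTL expired -> pass (address may have moved)
]

if __name__ == "__main__":
    for d in run(EVENTS):
        print(d)
```

The TTL is the knob that trades the caveat against protection: too long and the router blocks a rotated address that now belongs to someone else, too short and the bot gets its next message through before the second verdict arrives.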
Summary – Control at Routers

Method           Direction  Effect
Cook             In         Block email traffic from locally-blacklisted sources
Agrawal          In         Detect bulk spam traffic
SpamFlow         In         Detect spam TCP flows
Manage port 25   Out        Drop email traffic except from legitimate outbound servers
Romana           Out        Detect spambots' DNS MX queries
DBSpam           In/Out     Block/throttle proxy traffic
Spam Control at MTAs
1. Email forwarding best practices: specify inbound and outbound mail servers; use a different port number (not 25) and user authentication for submission.
   Caveat: a spambot on the user's machine knows the port number and the user's credentials.
2. SMTP transaction delay: impose a delay on suspicious requests, with suspicion based on SMTP RFC compliance checks.
   Caveat: this delay will not affect spambots.
Incoming Spam Control
1. Source IP address checking
   Authorized mail server checks (SPF, DKIM, Sender ID).
   Caveat: the spambot's domain may not have such DNS records.
   Blacklists.
   Caveat: 35% of spam comes from sources not listed in any blacklist.
2. Greylisting: refuse the first delivery attempt, accept the second one.
   Caveat: spambots can adapt and include this feature.
3. SMTP session abort
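Greylisting, the RFC-compliance-driven delay from the MTA slide above, and session abort all act on the same SMTP dialogue, so they are best seen together. The Python below is an added example, not code from the talk: a small policy engine scores one client session for basic SMTP (RFC 5321) violations, greylists new (client IP, sender, recipient) triplets, delays suspicious sessions and aborts the worst. The sessions, addresses, thresholds and the `early_talker` flag (client sent before the 220 greeting) are constructed; the second bot deliberately retries to show the greylisting caveat.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)
ADDR_LITERAL_RE = re.compile(r"^\[\d{1,3}(\.\d{1,3}){3}\]$")


def compliance_violations(commands: list[str], early_talker: bool) -> list[str]:
    """Score the client side of one session against basic SMTP expectations."""
    v: list[str] = []
    if early_talker:
        v.append("sent before greeting")
    if not commands:
        return v + ["no commands"]
    first, arg = (commands[0].split(" ", 1) + [""])[:2]
    if first.upper() not in ("EHLO", "HELO"):
        v.append("no EHLO/HELO first")
    elif not (FQDN_RE.match(arg) or ADDR_LITERAL_RE.match(arg)):
        v.append("HELO argument is not an FQDN or [address-literal]")
    state = "init"
    for c in commands:
        verb = c.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            state = "greeted"
        elif verb == "MAIL":
            if state == "init":
                v.append("MAIL before HELO")
            state = "mail"
        elif verb == "RCPT":
            if state not in ("mail", "rcpt"):
                v.append("RCPT before MAIL")
            state = "rcpt"
        elif verb == "DATA":
            if state != "rcpt":
                v.append("DATA without RCPT")
            state = "data"
    return v


class Greylister:
    """Temp-fail the first attempt for a new (IP, sender, recipient) triplet;
    accept a retry that comes back after at least `min_delay_s` seconds."""

    def __init__(self, min_delay_s: int = 300):
        self.min_delay_s = min_delay_s
        self.first_seen: dict[tuple[str, str, str], float] = {}

    def check(self, ts: float, ip: str, sender: str, rcpt: str) -> str:
        t0 = self.first_seen.setdefault((ip, sender, rcpt), ts)
        return "accept" if ts - t0 >= self.min_delay_s else "tempfail"


@dataclass
class Session:
    ts: float
    ip: str
    early_talker: bool
    commands: list[str]
    sender: str
    rcpt: str


def decide(s: Session, grey: Greylister, abort_at: int = 3, delay_per_violation: int = 5) -> dict:
    """Abort badly broken sessions, greylist new triplets, delay the suspicious."""
    v = compliance_violations(s.commands, s.early_talker)
    if len(v) >= abort_at:
        return {"action": "abort", "delay_s": 0, "violations": v}
    action = grey.check(s.ts, s.ip, s.sender, s.rcpt)
    return {"action": action, "delay_s": len(v) * delay_per_violation, "violations": v}


def run_sessions(sessions: list[Session]) -> list[tuple[str, str, int]]:
    grey = Greylister()
    return [(s.ip, d["action"], d["delay_s"]) for s in sessions for d in [decide(s, grey)]]


# Constructed sessions. A real MTA, a direct-to-MX bot, an adapted bot that
# retries, and a bot that never even greets.
LEGIT = ["EHLO relay.example.org", "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@victim.example>", "DATA"]
ADAPTED = ["HELO mail.example.net", "MAIL FROM:<deal@example.net>", "RCPT TO:<bob@victim.example>", "DATA"]
SESSIONS = [
    Session(0.0, "198.51.100.7", False, LEGIT, "alice@example.org", "bob@victim.example"),
    Session(10.0, "203.0.113.55", True, ["HELO user-pc", "MAIL FROM:<sale@example.net>",
                                         "RCPT TO:<bob@victim.example>", "DATA"], "sale@example.net", "bob@victim.example"),
    Session(20.0, "203.0.113.56", False, ADAPTED, "deal@example.net", "bob@victim.example"),
    Session(30.0, "203.0.113.57", True, ["MAIL FROM:<x@example.net>", "RCPT TO:<bob@victim.example>", "DATA"],
            "x@example.net", "bob@victim.example"),
    Session(400.0, "203.0.113.56", False, ADAPTED, "deal@example.net", "bob@victim.example"),  # bot retries
    Session(600.0, "198.51.100.7", False, LEGIT, "alice@example.org", "bob@victim.example"),   # MTA retries
]

if __name__ == "__main__":
    for r in run_sessions(SESSIONS):
        print(r)
```

The adapted bot (203.0.113.56) gets through on its retry exactly as a real MTA does, which is the caveat on item 2; greylisting buys time for the blacklists in item 1 to catch up, it does not by itself tell a retrying bot from a queueing MTA.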
Summary – Spam Control at Servers

Method                      Direction  Effect
Reject open relays          In/Out     Block open relay attempts
Forwarding best practices   Out        Drop email from unauthorized users
SMTP delay                  In         Delay spam and reduce its volume
Source IP checking          In         Drop email from untrusted servers
Greylisting                 In         Refuse delivery attempts by untrusted sources
SMTP abort                  In         Refuse delivery attempts from known suspicious sources
Review
Anti-spam is improving, but ... why is the spam volume not decreasing?
Answer: botnets. Efficient generation, guaranteed delivery.
Solutions: spam control at routers (network edges) and at mail servers.
Conclusions
Botnet-generated spam brings out new challenges and opens new directions for solutions.
Intercepting spam while in transit is crucial.
New solutions should consider the nature of botnet-generated spam: distributed and anonymous.
Extra Slides
Experiments
For each of the top spam botnets: get a binary; analyze it with CWSandbox; analyze the packet trace manually; describe the delivery method used.
Top Spam Botnets
Botnet     Aliases                                    Size (bots)  Control                                       Rootkit  SMTP engine / notes
Cutwail    Pandex, Mutant (related to Wigon, Pushdo)  175,000      HTTP with encryption, multiple TCP ports      Yes      Template based
Rustock    RKRustok, Costrat, Meredrop                130,000      HTTP with encryption, TCP port 80             Yes
DonBot     Bachsoy                                    125,000      Custom protocol on a high TCP port            No
Ozdok      Mega-D                                     120,000      Encrypted, TCP port 443                       No
XarVester  Rlsloup, RUcrzy                            60,000       HTTP on high ports                            Yes
Grum       Tedroo                                     50,000       HTTP on TCP port 80                           Yes
Cheg       Tosfee                                     50,000       Encrypted on TCP ports 443 and 533            No
CimBot     Unknown                                    10,000       Encrypted, TCP ports 80 and 443               No
Waledac    Waled                                      10,000       AES- and RSA-encrypted, encapsulated in HTTP  No       A from-scratch rewrite of Storm
Botnet Activity
(Chart) Adapted from Damballa's website, March 24, 2009