Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of...
Marketplace Ads for Goods
Marketplace Ads for Services
The Storm botnet
[Diagram: the Storm botnet. Labels: Overnet (UDP) reachability check; Infected machines; Hosted infrastructure; TCP; HTTP; HTTP proxies; Workers; Proxybots; Botmaster]
The Storm botnet
If we control these …
… we can monitor & influence these
Types of Storm C&C Messages
• Activation (report from bot to botmaster)
• Email address harvests
• Spamming instructions
• Delivery reports
• DDoS instructions
• FastFlux instructions
• HTTP proxy instructions
• Sniffed passwords report
• IFRAME injection/report
Spam campaign mechanics
Campaign mechanics: harvest
Campaign mechanics: spamming
Spamalytics
Who is targeted?
• Top 20 domains
• Many Web mail & broadband providers, but very long tail
• Campaigns have nearly identical distributions
• Same scammers, or target lists sold to multiple scammers
• Also see spam campaigns sent solely to test accounts
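An added example, not from the slides or the Spamalytics study, that makes the "nearly identical distributions" comparison concrete: it computes each campaign's recipient-domain distribution, its top domains, and a cosine similarity between campaign pairs, on a constructed address list (the campaign labels and domain names are made up).

```python
from collections import Counter
from math import sqrt

# Constructed sample: a few target addresses per campaign (not real data).
CAMPAIGNS = {
    "pharma": ["a@example.com", "b@example.com", "c@example.net",
               "d@mail.example", "e@example.com", "f@example.org"],
    "stock":  ["g@example.com", "h@example.com", "i@example.net",
               "j@mail.example", "k@example.com", "l@example.org"],
    "test":   ["probe1@honeypot.test", "probe2@honeypot.test"],
}


def domain_distribution(addresses):
    """Share of target addresses per recipient domain (case-insensitive)."""
    counts = Counter(a.rsplit("@", 1)[1].lower() for a in addresses if "@" in a)
    total = sum(counts.values())
    return {d: n / total for d, n in counts.items()} if total else {}


def top_domains(addresses, n=20):
    """The n most-targeted domains, largest share first (ties by name)."""
    dist = domain_distribution(addresses)
    return sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def cosine_similarity(dist_a, dist_b):
    """1.0 = identical per-domain shares, 0.0 = no domains in common."""
    keys = set(dist_a) | set(dist_b)
    dot = sum(dist_a.get(k, 0.0) * dist_b.get(k, 0.0) for k in keys)
    na = sqrt(sum(v * v for v in dist_a.values()))
    nb = sqrt(sum(v * v for v in dist_b.values()))
    return dot / (na * nb) if na and nb else 0.0


def compare_campaigns(campaigns):
    """Pairwise similarity of target-domain distributions across campaigns."""
    names = sorted(campaigns)
    dists = {name: domain_distribution(campaigns[name]) for name in names}
    return {(a, b): cosine_similarity(dists[a], dists[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


if __name__ == "__main__":
    for pair, score in compare_campaigns(CAMPAIGNS).items():
        print(pair, round(score, 3))
```

A score near 1.0 between two campaigns means they drew on the same target list; a test-account campaign scores 0.0 against the others.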
Campaign mechanics: reporting