Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of...

38

Transcript of Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of...

Page 1: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 2: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 3: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 4: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 5: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 6: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 7: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 8: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 9: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 10: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 11: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 12: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 13: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Marketplace Ads for Goods

Page 14: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Marketplace Ads for Services

Page 15: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 16: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 17: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 18: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

The Storm botnet

Overnet (UDP)‏Reachability check

Page 19: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Infe

cted

mac

hine

sH

oste

d in

frast

ruct

ure

TCP

HTTP

HTTPproxies

Workers

Proxybots

Botmaster

The Storm botnet

Page 20: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

If we controlthese …

… we can monitor &influence these

Page 21: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 22: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 23: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 24: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 25: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Types of Storm C&C Messages

• Activation (report from bot to botmaster)• Email address harvests• Spamming instructions• Delivery reports• DDoS instructions• FastFlux instructions• HTTP proxy instructions• Sniffed passwords report• IFRAME injection/report

Page 26: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Spam campaign mechanics

TCP

HTTP

HTTPproxies

Workers

Proxybots

Botmaster

Page 27: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Campaign mechanics: harvest

TCP

HTTP

HTTPproxies

Workers

Proxybots

Botmaster

@@@@

@

@@ @

Page 28: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 29: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Campaign mechanics: spamming

TCP

HTTP

HTTPproxies

Workers

Proxybots

Botmaster

Page 30: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 31: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 32: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Campaign mechanics: spamming

TCP

HTTP

HTTPproxies

Workers

Proxybots

Botmaster

Page 33: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 34: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Spamalytics

Who is targeted?Who is targeted?

34

• Top 20 domains• Many Web mail & broadband

providers, but very long tail• Campaigns have nearly identical

distributions• Same scammers, or target

lists sold to multiplescammers

• Also see spam campaigns sentsolely to test accounts

Page 35: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Campaign mechanics: reporting

TCP

HTTP

HTTPproxies

Workers

Proxybots

Botmaster

Page 36: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 37: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.
Page 38: Scams - ICIR · Spam target email address. FQDN of sending bot, as reported to the bot as part of the preceding C&C exchange. Creates content-boundary strings for multi-part messages.

Vittuàl Robotics - (EE) EV3 Educator Vehicle · EV3 Cleanup Bot EV3 Cleanup Bot Cl eanup Bot 000 program Cleanup Bot EV3 'Cleanup Bot USB EV3 EV3

Vittuàl Robotics - (EE) EV3 Educator Vehicle · EV3 Cleanup Bot EV3 Cleanup Bot Cl eanup Bot 000 program Cleanup Bot EV3 'Cleanup Bot USB EV3 EV3

Deliverable 8.12 The ThinkNature Dissemination Videos · Emma Cianchi BOT Stefano Marrone BOT . 4 Lorenzo Rulfo BOT Martina Sala BOT ... created a storyboard, script, and preliminary

Deliverable 8.12 The ThinkNature Dissemination Videos · Emma Cianchi BOT Stefano Marrone BOT . 4 Lorenzo Rulfo BOT Martina Sala BOT ... created a storyboard, script, and preliminary

TECHNICAL GUIDE TO SECURITY REQUIREMENTS...on authoritative name server Fully Qualified Domain Name (FQDN) and Domain name system (DNS) resource records. • The FQDN of authoritative

TECHNICAL GUIDE TO SECURITY REQUIREMENTS...on authoritative name server Fully Qualified Domain Name (FQDN) and Domain name system (DNS) resource records. • The FQDN of authoritative

ICIR-SAFE · 16 – 17 November, 2016 Bad Homburg, Germany ICIR-SAFE Research and Policy Workshop. 2 232PROGAM G2WMM GEMPDRMGE2N SEARMGEYN2P 3 ... Stanislava Nikolova (University

ICIR-SAFE · 16 – 17 November, 2016 Bad Homburg, Germany ICIR-SAFE Research and Policy Workshop. 2 232PROGAM G2WMM GEMPDRMGE2N SEARMGEYN2P 3 ... Stanislava Nikolova (University

Unbroken - ICIR

Unbroken - ICIR

CAEN power supplies - UCSBhep.ucsb.edu/si_workshop2006/talks/04_060512_cdf...Crate Naming Conventions Crate 16 SVX NE Bot 4 NE Bot Bot Crate 15 SVX NE Bot 3 NE Bot Top Crate 14 SVX

CAEN power supplies - UCSBhep.ucsb.edu/si_workshop2006/talks/04_060512_cdf...Crate Naming Conventions Crate 16 SVX NE Bot 4 NE Bot Bot Crate 15 SVX NE Bot 3 NE Bot Top Crate 14 SVX

Building A Conversational Bot Using Bot Framework and Microsoft

Building A Conversational Bot Using Bot Framework and Microsoft

AQM & TCP models Courtesy of Sally Floyd with ICIR Raj Jain with OSU.

AQM & TCP models Courtesy of Sally Floyd with ICIR Raj Jain with OSU.

ANNUAL REPORT 2019 2020 - ICIR

ANNUAL REPORT 2019 2020 - ICIR

Botnets - ICIR · 2012. 11. 7. · It appears that Netcomm NB5 ADSL modems are not the only devices affected by this bot Modems with similar hardware configurations (unknown brands)

Botnets - ICIR · 2012. 11. 7. · It appears that Netcomm NB5 ADSL modems are not the only devices affected by this bot Modems with similar hardware configurations (unknown brands)

Annual Report 1An1u - ICIR

Annual Report 1An1u - ICIR

Bot vs. Bot: Evading Machine Learning Malware Detection€¦ · Bot vs. Bot: Evading Machine Learning Malware Detection ... • create ‘.text’ and populate with ‘.text from

Bot vs. Bot: Evading Machine Learning Malware Detection€¦ · Bot vs. Bot: Evading Machine Learning Malware Detection ... • create ‘.text’ and populate with ‘.text from

€¦ · THE BASIC DOCUMENTS . FOR . POSTDOCTORAL TRAINING . Adopted BOT 2/2004 . Rev. BOT 7/2004 . Rev. BOT 2/2005 . Rev. BOT 7/2006 . Rev. BOT 7/2007 . Rev. BOT 7/2008 . Rev ...

€¦ · THE BASIC DOCUMENTS . FOR . POSTDOCTORAL TRAINING . Adopted BOT 2/2004 . Rev. BOT 7/2004 . Rev. BOT 2/2005 . Rev. BOT 7/2006 . Rev. BOT 7/2007 . Rev. BOT 7/2008 . Rev ...

Hardening DNS: How to Configure Your DNS Infrastructure to … · • BLACKLIST DROP UDP IP prior to rate limiting • BLACKLIST TCP FQDN lookup • BLACKLIST UDP FQDN lookup •

Hardening DNS: How to Configure Your DNS Infrastructure to … · • BLACKLIST DROP UDP IP prior to rate limiting • BLACKLIST TCP FQDN lookup • BLACKLIST UDP FQDN lookup •

BF Bot Manager V3 and Multiple Strategies bot manual€¦ · V3 AND MULTIPLE STRATEGIES BOT 1 ©2008-2016 BF Bot Manager V3 and Multiple Strategies bot ... Betfair NG-API.

BF Bot Manager V3 and Multiple Strategies bot manual€¦ · V3 AND MULTIPLE STRATEGIES BOT 1 ©2008-2016 BF Bot Manager V3 and Multiple Strategies bot ... Betfair NG-API.

Bitimec Wash-Bot Irci-Bot

Bitimec Wash-Bot Irci-Bot

From Bot to Bot: Using a Chat Bot to Synthesize Robot Motion

From Bot to Bot: Using a Chat Bot to Synthesize Robot Motion

Express Bot

Express Bot

VMware Workspace ONE Access: Troubleshooting FQDN Updates › sites › default › files › Trouble… · Troubleshooting FQDN Updates: VMware Workspace ONE Access Operational Tutorial

VMware Workspace ONE Access: Troubleshooting FQDN Updates › sites › default › files › Trouble… · Troubleshooting FQDN Updates: VMware Workspace ONE Access Operational Tutorial

0ffice365.Co0ffice365.com_Run-Bot-SEO.info_Run_Rob(Bot)_Search_Engine_Optimizer_(SEO) to Max your m_Run-Bot-SEO.info_Run_Rob(Bot)_Search_Engine_Optimizer_(SEO) to Max Your Page Rank

0ffice365.Co0ffice365.com_Run-Bot-SEO.info_Run_Rob(Bot)_Search_Engine_Optimizer_(SEO) to Max your m_Run-Bot-SEO.info_Run_Rob(Bot)_Search_Engine_Optimizer_(SEO) to Max Your Page Rank