How To Catch A Hidden Spammer

Find out how to easily detect and stop a hidden spammer. These methods will protect you and your company from spam and will keep your own network from getting flagged as a spammer.

Published in: Technology
Transcript

  • 1. HOW TO FIND A HIDDEN SPAMMER
    By Andrew Brandt, Solera Networks
  • 2. HOW IT STARTS
    The typical spam campaign starts with a social engineering hook, which attempts to convince the reader to click a link in the message body.
  • 3. SAY HELLO TO MALWARE
    These links can lead to pages hosting malware: .EXE files inside .ZIP archives. They can also use browser exploits to force an install on the victim's computer.
  • 4. THESE ARE STEPPING STONES
    These specialized Trojans retrieve instructions from a command-and-control server. The instructions include the body of the spam message and a list of mail servers and victim email addresses to which the Trojan sends the messages.
  • 5. HOW THEY WORK
    These Trojans retrieve instructions from a server that include the body of the spam message and a list of mail servers and victim email addresses to which the Trojan sends the messages.
  • 6. THE GOOD NEWS / THE BAD NEWS
    GOOD NEWS: the offending machines are easy to identify and segregate.
    BAD NEWS: thousands more people could end up receiving malicious messages, which might result in your own network ending up on a spam blacklist.
  • 7. USING THE RIGHT TOOLS
    Solera's DeepSee showed that in just 20 seconds the Trojan dispatched 181 identical messages.
  • 8. USING DEEPSEE
    Using DeepSee, take note of the IP address(es) of your usual mail servers, then create a Favorite with the query
        ipv4_address!=your_mail_server application_id=SMTP
    (substituting each legitimate mail relay for your_mail_server). That will bring to the fore all non-mail servers that are sending email using the SMTP protocol.
  • 9. SETTING UP ALERTS
    Once you've created that Favorite, you can set up alerts to watch for traffic matching the rule. Typical malicious behavior involves a large volume of mail being sent by machines meeting these criteria in a short period of time. The most obvious standouts will be sending messages at odd hours, such as when nobody should be at work (holidays/weekends).
  • 10. CATCHING THE SLOWER ONES
    Look at the traffic generated by a much more low-key spam relay Trojan. The Trojan responsible sent these Canadian pharmacy, knockoff watch, and "dating site" spams at a much slower rate of about two messages per minute. While the volume may keep the messages under the radar, you might consider setting up alerts looking for the subject matter of the messages.
  • 11. CATCHING THE SLOWER ONES
    Detect and extract the command-and-control traffic between the infected host and its botnet HQ. Spam relay Trojans must receive instructions, or they can't do their job. Check out this extraction of traffic generated by just such a Trojan.
  • 12. CATCHING THE SLOWER ONES
    The CnC traffic is made even more obvious by its inclusion of a second, extraneous port number. (Hint: search for http_uri~:8080:80 in the Path Bar.)
  • 13. MORE DISCOVERIES
    Once you find the CnC traffic, extraction can lead to more discoveries, but in this case the traffic seems to be unreadable.
  • 14. IS IT REALLY UNREADABLE?
    Well, unreadable but not indecipherable. A little bit-shifting of the binary data in this artifact reveals the true contents of the CnC message. The first set of CnC exchanges usually includes all the instructions the bot needs, such as…
  • 15. HOW TO DECODE
    …the message body of the spam it will send…
  • 16. HOW TO DECODE
    …the link to the site hosting the malicious code, which will be embedded in the message…
  • 17. HOW TO DECODE
    …and, to my utterly astonished amusement, a list of CnC server IP addresses the botmaster will use to control the Trojan.
  • 18. THE LAST EXERCISE
    This last one really makes the whole exercise worthwhile: the bot itself downloads these IPs every time it checks in with the CnC server. In essence, it's keeping us updated with a list of who the bot can talk to.
  • 19. Read the full article here
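The hunt from slides 8 to 10 (filter SMTP from anything that is not a known mail server, alert on bursts and odd hours, and for the slow relays alert on subject matter) rebuilt as a script over flow records, so the logic can be read and tested offline. This is an added example, not Solera's code or a DeepSee feature; the record layout, the thresholds, the keyword list and the traffic in sample_flows() are assumptions constructed for illustration.

```python
"""Added example (not Solera's code): the DeepSee hunt from slides 8-10 as
plain Python over flow records.  Field names, thresholds, keywords and the
sample traffic are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    ts: datetime   # start of the session
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int
    app: str       # application as identified by the sensor, e.g. "SMTP"
    subject: str   # Subject: header seen in the session ("" if none)


# Counterpart of the slide-8 favourite: ipv4_address!=<mail server> application_id=SMTP
def non_mail_server_smtp(flows: Iterable[Flow], mail_servers: Set[str]) -> List[Flow]:
    return [f for f in flows if f.app == "SMTP" and f.src not in mail_servers]


def by_source(flows: Iterable[Flow]) -> Dict[str, List[Flow]]:
    groups: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        groups[f.src].append(f)
    return groups


def peak_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of sessions one host started inside any span of `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while times[left] < t - window:   # drop sessions older than the window
            left += 1
        best = max(best, right - left + 1)
    return best


def off_hours(ts: datetime) -> bool:
    """Assumed business hours: Monday to Friday, 08:00 to 17:59 local time."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18


# Slide 10: for low-rate relays, alert on the subject matter instead of the volume.
SPAM_SUBJECT_WORDS = ("pharmacy", "viagra", "replica", "rolex", "dating")


def subject_matches(subject: str) -> bool:
    s = subject.lower()
    return any(w in s for w in SPAM_SUBJECT_WORDS)


def analyze(flows: Iterable[Flow], mail_servers: Set[str],
            window: timedelta = timedelta(seconds=20), threshold: int = 50) -> Dict[str, List[str]]:
    """Return {source_ip: [reasons]} for every non-mail-server host worth a look."""
    report: Dict[str, List[str]] = {}
    for src, sessions in by_source(non_mail_server_smtp(flows, mail_servers)).items():
        reasons: List[str] = []
        peak = peak_in_window([f.ts for f in sessions], window)
        if peak >= threshold:
            reasons.append(f"burst:{peak}/{int(window.total_seconds())}s")
        hits = sum(1 for f in sessions if subject_matches(f.subject))
        if hits:
            reasons.append(f"keyword:{hits}")
        late = sum(1 for f in sessions if off_hours(f.ts))
        if late:
            reasons.append(f"off_hours:{late}")
        if reasons:
            report[src] = reasons
    return report


def sample_flows() -> List[Flow]:
    """Constructed traffic (private and documentation address ranges only)."""
    flows: List[Flow] = []
    # 10.0.0.77: a fast relay Trojan, 60 messages in 18 s at 03:00 on a Sunday.
    t0 = datetime(2012, 1, 8, 3, 0, 0)
    for i in range(60):
        flows.append(Flow(t0 + timedelta(seconds=0.3 * i), "10.0.0.77",
                          f"203.0.113.{i % 20 + 1}", 25, "SMTP", "Re: your account"))
    # 10.0.0.91: a slow relay, one message every 30 s during working hours (Tuesday).
    t1 = datetime(2012, 1, 10, 10, 0, 0)
    for i in range(4):
        flows.append(Flow(t1 + timedelta(seconds=30 * i), "10.0.0.91",
                          f"198.51.100.{i + 1}", 25, "SMTP", "Canadian Pharmacy: 80% off"))
    # 10.0.0.25: the real mail server; 10.0.0.40: a workstation browsing the web.
    for i in range(5):
        flows.append(Flow(t1 + timedelta(minutes=i), "10.0.0.25",
                          f"203.0.113.{i + 30}", 25, "SMTP", "Q1 report"))
    flows.append(Flow(t1, "10.0.0.40", "203.0.113.50", 80, "HTTP", ""))
    return flows


if __name__ == "__main__":
    for host, why in analyze(sample_flows(), {"10.0.0.25"}).items():
        print(host, ", ".join(why))
```

On the sample, the fast relay is reported for its burst and its off-hours timing and the slow one only for its subjects; the mail server is filtered out before counting, which is why the list of legitimate relays has to be complete.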
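The workflow of slides 12 to 18 (spot the CnC request by the doubled port in its URI, undo a per-byte bit rotation so the check-in becomes readable, then pull out the spam body, the malware link and the CnC IP list) as an added example that is not Solera's code and does not reproduce the real Trojan's format. The slide only says "a little bit-shifting", so the rotation, the KEY=value record layout, the URI and every address here are assumptions constructed for this example; the URI check generalises the http_uri~:8080:80 hint to any port:port pair.

```python
"""Added example (not Solera's code, not the Trojan's real format): the
slide 12-18 workflow in plain Python.  Rotation, record layout, URI and
addresses are constructed assumptions.
"""
import re
from typing import Dict, Tuple

# Slide 12 hint was http_uri~:8080:80; this generalises it to any "<port>:<port>"
# pair.  It is a hunt query, not a signature: time stamps such as 12:30:45 match too.
EXTRA_PORT_RE = re.compile(r":\d{1,5}:\d{1,5}(?=[/?&#]|$)")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def has_extraneous_port(uri: str) -> bool:
    return EXTRA_PORT_RE.search(uri) is not None


def rol8(b: int, k: int) -> int:
    return ((b << k) | (b >> (8 - k))) & 0xFF


def ror8(b: int, k: int) -> int:
    return ((b >> k) | (b << (8 - k))) & 0xFF


def obfuscate(data: bytes, k: int) -> bytes:
    """Stand-in for the bot's encoding: rotate every byte left by k bits (assumed)."""
    return bytes(rol8(b, k) for b in data)


def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def deobfuscate(data: bytes) -> Tuple[int, bytes]:
    """Try every rotation and keep the one that yields the most ASCII text."""
    candidates = {k: bytes(ror8(b, k) for b in data) for k in range(8)}
    best = max(candidates, key=lambda k: printable_ratio(candidates[k]))
    return best, candidates[best]


def parse_checkin(text: str) -> Dict[str, object]:
    """Split a decoded KEY=value check-in (assumed layout) into the parts slides 15-17 list."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().upper()] = value.strip()
    return {
        "body": fields.get("BODY", ""),
        "link": URL_RE.findall(fields.get("LINK", "")),
        "cnc_ips": IPV4_RE.findall(fields.get("CNC", "")),   # slide 18: the bot's own CnC list
    }


def analyze_session(uri: str, body: bytes) -> Dict[str, object]:
    """Full pipeline on one HTTP session: flag the URI, then decode and parse the reply."""
    result: Dict[str, object] = {"cnc_uri": has_extraneous_port(uri)}
    if result["cnc_uri"]:
        shift, text = deobfuscate(body)
        result["shift"] = shift
        result.update(parse_checkin(text.decode("ascii", errors="replace")))
    return result


# Constructed check-in of the kind the deck describes (documentation address ranges only).
SAMPLE_CHECKIN = (
    b"SUBJECT=Your order has shipped\n"
    b"BODY=Track your parcel at http://example.invalid/track.php?id=4471\n"
    b"LINK=http://example.invalid/files/invoice.zip\n"
    b"CNC=192.0.2.10,192.0.2.25,198.51.100.7\n"
)
SAMPLE_URI = "/in.php?srv=198.51.100.7:8080:80&id=7f3a"
SAMPLE_REPLY = obfuscate(SAMPLE_CHECKIN, 3)   # what the wire carries in this example

if __name__ == "__main__":
    print(analyze_session(SAMPLE_URI, SAMPLE_REPLY))
```

Scoring candidates by printable ratio is what makes the decoder usable without knowing the shift in advance: any wrong rotation lands a set bit in the high position of some byte and the score drops below 1.0. The cnc_ips list is the slide 18 payoff and is the natural input for a watchlist on the same sensor.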
