The Spammer, the Botmaster, and the Researcher: On the Arms Race in Spamming Botnet Mitigation
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

The Spammer, the Botmaster, and the Researcher: On the Arms Race in Spamming Botnet Mitigation

  • 837 views
Uploaded on

Unsolicited bulk email, or spam, accounts for more than 90% of worldwide email traffic. The underground economy behind email spam is prosperous, and involves parties located in many parts of the......

Unsolicited bulk email, or spam, accounts for more than 90% of worldwide email traffic. The underground economy behind email spam is prosperous, and involves parties located in many parts of the world. Nowadays, most spam is sent by botnets, which are large networks of compromised computers that act under the control of a single entity, called a botmaster. Security researchers have entered an arms race with spammers and botmasters. The goal of researchers is to secure networks and prevent malicious operations from happening, while the goal of cybercriminals is to keep their business up and running.

In this talk I will analyze the outcome of this arms race. On one side, I will talk about the different levels of sophistication the botmasters developed to make their network resilient to take down attempts. On the research side, I will analyze the approaches proposed to prevent machines from being infected, identifying compromised ones, and disrupting command and control structures. In particular, I will focus on the shortcomings of previous approaches, as well as open problems in the area and the areas that have not been studied yet.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
837
On Slideshare
831
From Embeds
6
Number of Embeds
1

Actions

Shares
Downloads
14
Comments
0
Likes
1

Embeds 6

http://www.linkedin.com 6

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. The Spammer, the Botmaster, and the Researcher: On the Arms Race in Spamming Botnet Mitigation Gianluca Stringhini Major Area Exam December 5, 2011
  • 2. What is spam? Spam is a big problem Everyone receives spam 90-95% of emails are spam Organic vs. Junk food Spam vs. Ham We need a definition a computer can understand Unsolicited Bulk Email
  • 3. Early days spamSpam as a hobbyBusinesses ran from home’s basementCAN-SPAM Act (2003)Doesn’t forbid to spam, but the spammerhas to be nice.$16k fine per violating emailThe world is bigNot every country prosecutes spammers
  • 4. Modern spam
  • 5. Modern spam 1 Affiliate programs [Samosseiko 2009] Are banks the weak link? [Levchenko 2011] 1 source: Levchenko et al., Click Trajectories: End-to-End Analysis of theSpam Value Chain
  • 6. Is Spam Profitable?Yes, it isEstimates between $300k and $1M a month for large affiliateprograms [Kanich 2008, Kanich 2011]Relatively low risk Small fishes are the ones who get caught The geographic dispersion makes coordinated actions difficult
  • 7. How is Spam Delivered?BotnetsBotnets are networks of compromised computers that act under thecontrol of a single entity (Botmaster)What are botnets used for? Running DoS Stealing Information Solving Captchas Sending spamBotnets are responsible for 85% of worldwide spamWhy botnets?Botnets combine the best of two worlds: worms and IRC botsResearchers and Botmasters are involved in an arms race
  • 8. Botnet Evolution
  • 9. Botnet Evolution - Structure SDBot 2002
  • 10. Botnet Evolution - StructureIRC botnetsThe C&C is an IRC serverBots join a channel and get ordersProblems Researchers can join the channel too DNS sinkholing is possible
  • 11. Botnet Evolution - Structure MyDoom 2004
  • 12. Botnet Evolution - StructureProprietary protocol botnetsThe C&C uses a proprietary encrypted protocolTwo architectures: Pull architecture Push architectureProblems Researchers can reverse engineer the protocol DNS sinkholing is still possible
  • 13. Botnet Evolution - Structure Lethic 2007
  • 14. Botnet Evolution - StructureMultiple tier botnetsThe bots don’t connect directly to the C&CThe domains used by the proxies use Fast FluxFast FluxTechnique similar to Round-robin DNS and CDNsGive high reliability for the botnet backbone Many IP addresses associated to a domain Low TTL, the record changes all the time
  • 15. Botnet Evolution - StructureProblemThe domains used can still be sinkholed / blacklistedThe solutionDomain Generation AlgorithmsBots contact a domain according to a time-dependent algorithmUsed by Torpig (2008)ProblemsThe algorithm can be reverse engineered [StoneGross 2009a]Botmasters can add non-determinism (e.g., Twitter trends)
  • 16. Botnet Evolution - Structure Storm 2007
  • 17. Botnet Evolution - StructurePeer-to-peer botnetsBots with private IPs act as workersBots with public IPs act as proxiesWorkers find proxies based on some overnet protocolProblemProxies are not under the control of the botmasterResearchers can impersonate a proxy and infiltrate the botnet
  • 18. Botnet Evolution - Infection modelWorm-like spreadThe bot scans the network for vulnerabilities and propagatesNon-spreading botsInfections are propagated through Drive-by-download websites [Provos 2008, StoneGross 2011] Email attachmentsPay-per-InstallThe new trend is paying third parties for “installing” a certain numberof bots [Caballero 2011]
  • 19. Botnet and Spam Mitigation
  • 20. Botnet and Spam MitigationMany Possible Vantage Points
  • 21. Host-based detection
  • 22. Host-based detectionTraditional anti-virus approachLook for the presence of virus specific instructions in the binariesAntiviruses can be fooled by simple obfuscations[Christodorescu 2003, Christodorescu 2004]ObfuscationsNOP insertion and code transposition are usually enough Metamorphic malware Polymorphic malware
  • 23. Host-based detectionStatic analysisTake program semantics into account [Christodorescu 2003,Christodorescu 2005]Dynamic analysisModel the behavior of a program (e.g., using system calls)[Kolbitsch 2009]Monitor access to sensitive information [Yin 2007]Reverse engineer of the C&C protocol [Caballero 2009]ProblemsProgram equivalence is undecidable!Analysis of samples takes time and resources
  • 24. Malicious Web Pages Detection
  • 25. Malicious Web Pages DetectionInfection happening through browser exploits are a big problemDetecting Drive-by-Download pagesMalicious Javascript can be detected by: Emulation [Cova 2010] Monitoring system changes [Provos 2008] Hooking runtime [Curtsinger 2011, Heiderich 2011] Look for common attack patterns (e.g., heap spray) [Ratanaworabhan 2009]Problems The analysis could be detected These systems might not detect newer attacks
  • 26. Command and Control based Detection
  • 27. Command and Control-based DetectionIRC server infiltration [AbuRajab2006]Protocol Reverse EngineeringProtocol reverse engineering by active probing [Cho 2010a]This enables botnet infiltration [Stock 2009, Kreibich 2009,Cho 2010b]Botnet TakeoversReverse engineering of DGAs [StoneGross 2009a]This enables C&C impersonation [StoneGross 2009a]
  • 28. HoneypotsRunning bots in virtual machines allows to learn important botnetfeatures [John 2009]This can be used for Blacklisting the domains that host C&C servers [StoneGross 2009b] Performing botnet takedowns [StoneGross 2011]Problems Bots might detect virtualization [Balzarotti 2010] Containment problems arise [Kreibich 2011]
  • 29. DNS Based Detection
  • 30. DNS Based DetectionDetecting infected IPsDNS sinkhole [Dagon 2006]Look for DNS cached results [AbuRajab 2006]Detect Fast-Flux DomainsFast Flux domains present very different characteristics thanlegitimate ones [Holz 2008, Passerini 2008, Hu 2009] IPs belong to different networks TTL is low results change very frequently
  • 31. DNS Based DetectionDetecting Malicious DomainsIt is possible to build classifiers to detect malicious domains Passive analysis of RDNSs queries [Antonanakis 2010, Bilge 2011] Limitation: only local view Analysis at the authoritative server level or TLDs [Antonanakis 2011] Limitation: it can be evaded using diverse DNS servers
  • 32. SMTP based Detection
  • 33. SMTP based Detection: Content AnalysisRule-based Spam Detection The nature of spam changes over time Having a binary decision introduces problems.Machine Learning Bayesian Filtering: uses na¨ Bayes [Sahami 1998, ıve Androutsopolous 2000] Support Vector Machines [Drucker 1999]Problems Feature selection has to be performed “Good word” attacks are possible [Lowd 2005, Karlserger 2007]
  • 34. SMTP based Detection: Content AnalysisAssign a Reputation to Received EmailsDifferent features between spam and ham [Hao 2009]Building Signatures from Spam[Pitsillidis 2010] ran bots and assigned templates to different botnetsDetect Spam by Looking at URLs Study the URL structure [Xie 2008, Ma 2009] Learning features from the landing page [Thomas 2011]Problem In general, content analysis is expensive
  • 35. SMTP based Detection: IP BlacklistingDNS-based blacklistsMailservers can query the service to know whether an individual IP isa known spammerProblems Low coverage [Ramachandran 2006a, Sinha 2008] Bot machines have dynamic IPs What happens when IPv6 takes over?Better Approaches IP reputation [Ramachandran 2006b, Sinha 2010, Qian 2010] Behavioral blacklisting [Ramachandran 2007, Stringhini 2011]
  • 36. SMTP based Detection: PoliciesGreylistingIf a delivery temporary fails, spambots will not try againEasy to bypass and prone to false positives [Levine 2005]Multi-level greylisting [Janecek 2008]Sender ValidationSpam pretends to come from legitimate addressesSPF,DomainKeys,DKIM [Leiba 2007]The solution chosen by GoogleUser voting on spam and ham [Taylor 2006]Main problem: Spam hits server performances!Mail prioritization systems [Twining 2004, Venkataraman 2007]
  • 37. Social Network Detection
  • 38. Social Network DetectionOnline Social Networks are very successfulUsers are not as risk aware as they are with email spamMiscreants create fake profiles to spread spamSystems to detect fake profiles have been developed[Benvenuto 2010, Lee 2010, Stringhini 2010, Yang 2011a,Yang 2011b]Real accounts that get compromised are more valuable45% of social network users click on any link by their friends[Bilge 2009]89% of profiles sending malicious content on Facebook arecompromised [Gao 2010]
  • 39. Network Edge Detection
  • 40. Intrusion DetectionSignature-based intrusion detectionSnort,Bro [Paxson 1998]Problems Constant need of new rules Problems with encrypted trafficAnomaly-based intrusion detectionThe system learns the “normal” behavior of a network and flagsanomalies [Portnoy 2001, Kruegel 2002, Wang 2004]Problems What is ”normal“ behavior? It is hard to get traffic that is free of infections
  • 41. Network Edge DetectionDetecting Successful InfectionsBotnet infection can as a set of communication flows [Gu 2007]Problem: what’s the infection model of a botnet?Detecting Malicious ActivityCorrelation between C&C commands and malicious activity[Gu 2008a]How to identify C&C traffic? Well-known protocols (e.g., IRC, HTTP) [Gu 2008b] Look for malicious activity first [Wurzinger 2010]Leverage Previous KnowledgeDetect hosts that contact the same IPs as infected machines[Coskun 2010]
  • 42. Conclusions
  • 43. How About the Future?The arms race between researchers and cybercriminals is far frombeing overIs security research like fighting the Hydra?
  • 44. Future DirectionsBotmasters will keep developing more sophisticated techniquesHowever, a functional botnet has to interact with legitimate services DNS servers SMTP servers Web servers Social NetworksThis interaction cannot be obfuscated!
  • 45. My ResearchIn my research, I focus on analyzing how bots interact withlegitimate, third party servicesBots can be distinguished from real users in the way they use suchservicesThe main reason is that bots have a different goal than real users: Fast interaction vs. Good user experience
  • 46. My ResearchSo far, I have been looking at:Social Networks How fake accounts differ from legitimate ones [ACSAC 2010] How users behavior change once an account is compromised [In submission]SMTP serversDistinguishing bots: based on the destinations they target [USENIX 2011] based on the (wrong) way in which they implement SMTP [Work in progress]
  • 47. My ResearchOther interesting areas: Login patterns on Social Networks Interaction with search engines (e.g., SEO)What if bots started behaving like legitimate users / programs?This conflicts with their goal!
  • 48. Thanks!email: gianluca@cs.ucsb.edutwitter: @gianlucaSB