Lessons in Botnets: The After-effects of ISP Takedowns Alex Shipp Symantec Hosted Services Session ID: HT1-202  Session Cl...
AGENDA 2 Insert presenter logo here on slide master Brief History of Spamming ISP Takedowns Botnet Evolution What happens ...
3 A Brief History How spammers have changed over time 7 Insert presenter logo here on slide master
Spam Volume History 4 MessageLabs Intelligence Insert presenter logo here on slide master
Spamming Circa 2002 - Work from home! 5 Insert presenter logo here on slide master
Spamming Circa 2002 <ul><li>FBI found multiple servers in the basement </li></ul><ul><li>High Volume Email Deployment serv...
What Changed? <ul><li>Spammer tools improved </li></ul><ul><ul><li>Sold online, with support contracts </li></ul></ul><ul>...
Example Spammer Tool - SendSafe Mailer 8 8 Insert presenter logo here on slide master
Spam Laws (US) <ul><li>Trespass to Chattels </li></ul><ul><ul><li>Used by AOL to sue Netvision among others </li></ul></ul...
2004 - The Game Changer <ul><li>MyDoom </li></ul><ul><ul><li>The birth of spam sending botnets </li></ul></ul><ul><li>Larg...
Where are we now? 11 11 Insert presenter logo here on slide master
A Massive Underground Spam Economy <ul><li>Over a hundred billion spam emails sent per day </li></ul><ul><li>Cheap to get ...
ISP Takedowns The effect of removing rogue ISPs Insert presenter logo here on slide master
Intercage/Atrivo - 2008 <ul><li>Generic hosting provider </li></ul><ul><li>Originally linked to Russian Business Network (...
Intercage shutdown – 08 Sept 2008 <ul><li>Global Crossing started to de-peer them </li></ul><ul><li>Others followed </li><...
Ozdok/Mega-D <ul><li>C&C hosted on Intercage </li></ul><ul><li>150k hosts sending spam at any one time </li></ul>16 16 Ins...
Intercage - the aftermath <ul><li>Mega-D quickly found new C&C </li></ul><ul><ul><li>Back up and running in a few weeks </...
McColo - the big bad ISP <ul><li>San Jose Co-location ISP </li></ul><ul><li>Mailing address is a P.O. box in Delaware </li...
McColo Visual Badware 19 19 Image courtesy of Washington Post: http://voices.washingtonpost.com/securityfix/2008/11/the_ba...
What happened? <ul><li>Brian Krebs decided to write an article for the Washington Post... </li></ul><ul><ul><li>http://blo...
Graph of spams/sec on our spamtrap 21 21 Insert presenter logo here on slide master
Which Botnets? <ul><li>Srizbi </li></ul><ul><li>Mega-D </li></ul><ul><li>RuStock </li></ul><ul><li>Asprox </li></ul><ul><l...
Asprox <ul><li>100k IPs </li></ul><ul><li>Specifically built for phishing and SQL injection attacks </li></ul><ul><li>SQL ...
Gheg <ul><li>500k IPs </li></ul><ul><li>Misidentified by almost all AV as Virtumonde/Mondera or Tofsee or Saturn Proxy (no...
Srizbi <ul><li>1.3 million IPs </li></ul><ul><li>Kernel level SMTP engine </li></ul><ul><ul><li>Avoids software firewalls ...
Cutwail <ul><li>Had some C&C at McColo, but appears more distributed </li></ul><ul><li>Started sending even more spam than...
Bobax <ul><li>Somewhat affected by the shutdown </li></ul><ul><li>Other shutdowns after McColo did more damage </li></ul><...
What happened next? <ul><li>McColo scramble to try and get new peering </li></ul><ul><li>Manage to catch Telia (AS1299) of...
The McColo Effect 29 29 Insert presenter logo here on slide master
Pricewert/3FN <ul><li>FTC forced shutdown in early June 2009 </li></ul><ul><li>Another actively malicious hosting provider...
Cutwail <ul><li>Currently about 600k IPs </li></ul><ul><li>In the past was the highest traffic botnet </li></ul><ul><li>Al...
Cutwail Shutdown 32 32 Insert presenter logo here on slide master
Cutwail Shutdown - Recovery <ul><li>Sadly didn’t last </li></ul><ul><li>Shut down occurred late on a Friday </li></ul><ul>...
The Current State of Botnets - end of 2009 34 34 Insert presenter logo here on slide master
The Current State of Botnets - end of 2009 % of total spam 35 35 Insert presenter logo here on slide master
Overall Effect of ISP Takedowns <ul><li>Botnet spam 2008: 90.2% </li></ul><ul><li>Botnet spam 2009: 83.4% </li></ul><ul><l...
Botnet Evolution They just won’t die!
What can the bots do? <ul><li>C&C IPs were hard coded in most botnets </li></ul><ul><ul><li>Some have backup domain names,...
The Cutwail (Pricewert) Shutdown <ul><li>2 days (of weekend - owners on vacation?) </li></ul><ul><li>Straight back to full...
Weak Encryption <ul><li>Initial implementations used weak encryption algorithms </li></ul><ul><ul><li>Guessable by researc...
Forced Evolution <ul><li>Unfortunately playing this game evolves botnets </li></ul><ul><li>Improved encryption </li></ul><...
C&C Communication <ul><li>Most botnets used IRC in 2008 (Storm being the exception) </li></ul><ul><li>Now common to use HT...
Faster Delivery <ul><li>Early botnets would use Windows threads to send multiple messages </li></ul><ul><li>Newer botnets ...
What Happens Next? And how do we stop these nasties? Insert presenter logo here on slide master
What happens next? <ul><li>Botnets  will  evolve. They have to. </li></ul><ul><li>LOTS of money is involved </li></ul><ul>...
What we’ll see more of... <ul><li>P2P communication </li></ul><ul><li>Public Key Encryption between bots and C&C </li></ul...
Supporting the current model <ul><li>Botnet owners will better monitor for C&C shutdown </li></ul><ul><li>Shutdown recover...
How can this be stopped? <ul><li>Technology is not  the  answer </li></ul><ul><ul><li>It’s a part of the equation - requir...
Conclusions Insert presenter logo here on slide master
How to apply this <ul><li>http://www.messagelabs.com/intelligence.aspx </li></ul><ul><li>Hosting Providers: </li></ul><ul>...
Upcoming SlideShare
Loading in …5
×

RSA2010: Alex Shipp - Lessons in Botnets: The After-effects of ISP Takedowns

2,236 views

Published on

RSA Conference 2010
Lessons in Botnets: The After-effects of ISP Takedowns

Alex Shipp
Symantec Hosted Services

Session ID: HT1-202
Session Classification: Advanced


The takedown of four major ISPs over the past year has offered deep insight into spamming behavior and the life expectancy of some of the most powerful botnets ever known. With the demise of Intercage, McColo, Pricewert and Real Host, spam levels dropped to some of the lowest levels ever seen, but then quickly rose again in varying capacities. What have we learned about botnets from these landmark events and how can we use this intelligence to better track and defeat them?

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,236
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide
  • The takedown of four major ISPs over the past year has offered deep insight into spamming behavior and the life expectancy of some of the most powerful botnets ever known. With the demise of Intercage, McColo, Pricewert and Real Host, spam levels dropped to some of the lowest levels ever seen, but then quickly rose again in varying capacities. What have we learned about botnets from these landmark events and how can we use this intelligence to better track and defeat them?
  • e.g. registering domain names was expensive when it got into the tens of names.
  • RSA2010: Alex Shipp - Lessons in Botnets: The After-effects of ISP Takedowns

    1. 1. Lessons in Botnets: The After-effects of ISP Takedowns Alex Shipp Symantec Hosted Services Session ID: HT1-202 Session Classification: Advanced Insert presenter logo here on slide master
    2. 2. AGENDA 2 Insert presenter logo here on slide master Brief History of Spamming ISP Takedowns Botnet Evolution What happens next?
    3. 3. 3 A Brief History How spammers have changed over time 7 Insert presenter logo here on slide master
    4. 4. Spam Volume History 4 MessageLabs Intelligence Insert presenter logo here on slide master
    5. 5. Spamming Circa 2002 - Work from home! 5 Insert presenter logo here on slide master
    6. 6. Spamming Circa 2002 <ul><li>FBI found multiple servers in the basement </li></ul><ul><li>High Volume Email Deployment servers – 30 million emails a day </li></ul><ul><li>Ralsky purchased multiple IP addresses to continually evade blocklists </li></ul><ul><li>Pretended to be an ISP so he could trash complaints </li></ul><ul><li>Most spammers operating this way in 2002 </li></ul>6 6 Insert presenter logo here on slide master
    7. 7. What Changed? <ul><li>Spammer tools improved </li></ul><ul><ul><li>Sold online, with support contracts </li></ul></ul><ul><li>Some spammers sued, some arrested </li></ul><ul><li>Spammers moved “underground” </li></ul><ul><li>Switched to botnets for mail distribution </li></ul><ul><li>Many migrated operations overseas </li></ul>7 7 Insert presenter logo here on slide master
    8. 8. Example Spammer Tool - SendSafe Mailer 8 8 Insert presenter logo here on slide master
    9. 9. Spam Laws (US) <ul><li>Trespass to Chattels </li></ul><ul><ul><li>Used by AOL to sue Netvision among others </li></ul></ul><ul><li>Various state anti-spam laws </li></ul><ul><li>2003 – the CAN-SPAM act </li></ul><ul><ul><li>First successful suit in June 2007 – Jeffrey A. Kilbride got 6 years. </li></ul></ul>9 Insert presenter logo here on slide master
    10. 10. 2004 - The Game Changer <ul><li>MyDoom </li></ul><ul><ul><li>The birth of spam sending botnets </li></ul></ul><ul><li>Largest botnets now MILLIONS of PCs </li></ul><ul><ul><li>6 or 7 of these “Megabotnets” </li></ul></ul><ul><li>90% of spam sent via botnets </li></ul><ul><li>Botnets now rented out by “botherds” </li></ul><ul><ul><li>Part of an entire underground economy </li></ul></ul>10 Insert presenter logo here on slide master
    11. 11. Where are we now? 11 11 Insert presenter logo here on slide master
    12. 12. A Massive Underground Spam Economy <ul><li>Over a hundred billion spam emails sent per day </li></ul><ul><li>Cheap to get into: </li></ul><ul><ul><li>Malware Writer - $300-$3500, $25-$50/update </li></ul></ul><ul><ul><li>Botnet Owner - $10/million - $200/hour </li></ul></ul><ul><ul><li>Drop Website Developers - $200-$2000/site </li></ul></ul><ul><li>Virus/trojan infections increase - unabated by advances in malware detection </li></ul><ul><li>“ Fake” ISPs set up just to host badware </li></ul>12 12 Insert presenter logo here on slide master
    13. 13. ISP Takedowns The effect of removing rogue ISPs Insert presenter logo here on slide master
    14. 14. Intercage/Atrivo - 2008 <ul><li>Generic hosting provider </li></ul><ul><li>Originally linked to Russian Business Network (RBN) </li></ul><ul><li>Hosted malware, botnet C&Cs </li></ul><ul><li>Run by Emil Kacperski out of California </li></ul><ul><li>http://hostexploit.com/downloads/Atrivo%20white%20paper%20082808ac.pdf or http://bit.ly/5y1UhI </li></ul><ul><ul><li>Paper gives extensive details on this criminal nature of Atrivo </li></ul></ul>14 Insert presenter logo here on slide master
    15. 15. Intercage shutdown – 08 Sept 2008 <ul><li>Global Crossing started to de-peer them </li></ul><ul><li>Others followed </li></ul><ul><li>Eventually completely out by 27 Sept 2008 </li></ul><ul><li>Result: </li></ul><ul><ul><li>Esthosts/Estdomains out for several days </li></ul></ul><ul><ul><li>Ozdok/Mega-D almost completely killed... </li></ul></ul>15 15 Insert presenter logo here on slide master
    16. 16. Ozdok/Mega-D <ul><li>C&C hosted on Intercage </li></ul><ul><li>150k hosts sending spam at any one time </li></ul>16 16 Insert presenter logo here on slide master
    17. 17. Intercage - the aftermath <ul><li>Mega-D quickly found new C&C </li></ul><ul><ul><li>Back up and running in a few weeks </li></ul></ul><ul><ul><li>Almost eradicated via community action in November 2009 </li></ul></ul><ul><li>Esthosts/Estdomains found new hosting quickly </li></ul><ul><li>No major pain for the big players </li></ul>17 17 Insert presenter logo here on slide master
    18. 18. McColo - the big bad ISP <ul><li>San Jose Co-location ISP </li></ul><ul><li>Mailing address is a P.O. box in Delaware </li></ul><ul><li>Started by a 19 year old Russian </li></ul><ul><li>Hosting malware, child porn, botnet C&Cs, phishing </li></ul><ul><li>AS26780 </li></ul>18 18 Insert presenter logo here on slide master
    19. 19. McColo Visual Badware 19 19 Image courtesy of Washington Post: http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html Insert presenter logo here on slide master
    20. 20. What happened? <ul><li>Brian Krebs decided to write an article for the Washington Post... </li></ul><ul><ul><li>http://blog.washingtonpost.com/securityfix/ </li></ul></ul><ul><li>Dear McColo’s Peers... </li></ul><ul><ul><li>We can either make you look like bad guys in cahoots.. </li></ul></ul><ul><ul><li>Or you can disconnect McColo </li></ul></ul><ul><li>Guess which option they chose? </li></ul>20 20 Insert presenter logo here on slide master
    21. 21. Graph of spams/sec on our spamtrap 21 21 Insert presenter logo here on slide master
    22. 22. Which Botnets? <ul><li>Srizbi </li></ul><ul><li>Mega-D </li></ul><ul><li>RuStock </li></ul><ul><li>Asprox </li></ul><ul><li>Bobax </li></ul><ul><li>Gheg </li></ul><ul><li>That’s a LOT of IP space! </li></ul>22 22 Insert presenter logo here on slide master
    23. 23. Asprox <ul><li>100k IPs </li></ul><ul><li>Specifically built for phishing and SQL injection attacks </li></ul><ul><li>SQL injection used to infect legit sites for propagation </li></ul><ul><li>Dropped to less than 95% of “normal” levels within hours of McColo de-peering </li></ul><ul><li>Back to normal as of 2008-11-20 (but now dead for other reasons) </li></ul>23 23 Insert presenter logo here on slide master
    24. 24. Gheg <ul><li>500k IPs </li></ul><ul><li>Misidentified by almost all AV as Virtumonde/Mondera or Tofsee or Saturn Proxy (not a proxy) </li></ul><ul><li>Sending French spams and Pharma spams </li></ul><ul><li>Dropped to almost zero a few hours later </li></ul><ul><li>Currently still struggling along - about 60k IPs </li></ul>24 24 Insert presenter logo here on slide master
    25. 25. Srizbi <ul><li>1.3 million IPs </li></ul><ul><li>Kernel level SMTP engine </li></ul><ul><ul><li>Avoids software firewalls </li></ul></ul><ul><ul><li>VERY fast, scalable mail sender </li></ul></ul><ul><ul><li>Custom TCP stack </li></ul></ul><ul><li>50% of all spam </li></ul><ul><li>Reactor Mailer’s botnet </li></ul><ul><li>Completely died as a result </li></ul>25 25 Insert presenter logo here on slide master
    26. 26. Cutwail <ul><li>Had some C&C at McColo, but appears more distributed </li></ul><ul><li>Started sending even more spam than before - presumably “customers” switched from Srizbi to Cutwail </li></ul>26 26 Insert presenter logo here on slide master
    27. 27. Bobax <ul><li>Somewhat affected by the shutdown </li></ul><ul><li>Other shutdowns after McColo did more damage </li></ul><ul><li>Currently showing zero activity (though could be evading our detection) </li></ul>27 27 Insert presenter logo here on slide master
    28. 28. What happened next? <ul><li>McColo scramble to try and get new peering </li></ul><ul><li>Manage to catch Telia (AS1299) off guard at the weekend on 15th November (Saturday) late at night </li></ul><ul><li>Quick calls to management team were made </li></ul><ul><li>Interface goes down about 2:30pm Sunday </li></ul><ul><ul><li>Total of about 12 hours online </li></ul></ul><ul><li>Good news was: Only Rustock managed to update </li></ul>28 28 Insert presenter logo here on slide master
    29. 29. The McColo Effect 29 29 Insert presenter logo here on slide master
    30. 30. Pricewert/3FN <ul><li>FTC forced shutdown in early June 2009 </li></ul><ul><li>Another actively malicious hosting provider </li></ul><ul><li>Hosting some very small botnet C&Cs </li></ul><ul><li>Also hosting Cutwail </li></ul>30 30 Insert presenter logo here on slide master
    31. 31. Cutwail <ul><li>Currently about 600k IPs </li></ul><ul><li>In the past was the highest traffic botnet </li></ul><ul><li>Always listed in the top-3 spam-sending botnets throughout 2009 </li></ul><ul><li>Linked to the surge in Bredolab malware, and frequently linked to spoofed greetings card emails </li></ul><ul><li>Had C&C hosted on Pricewert </li></ul><ul><ul><li>Despite earlier lesson from the McColo shutdown </li></ul></ul>31 31 Insert presenter logo here on slide master
    32. 32. Cutwail Shutdown 32 32 Insert presenter logo here on slide master
    33. 33. Cutwail Shutdown - Recovery <ul><li>Sadly didn’t last </li></ul><ul><li>Shut down occurred late on a Friday </li></ul><ul><li>Fully recovered Monday morning </li></ul>33 33 Insert presenter logo here on slide master
    34. 34. The Current State of Botnets - end of 2009 34 34 Insert presenter logo here on slide master
    35. 35. The Current State of Botnets - end of 2009 % of total spam 35 35 Insert presenter logo here on slide master
    36. 36. Overall Effect of ISP Takedowns <ul><li>Botnet spam 2008: 90.2% </li></ul><ul><li>Botnet spam 2009: 83.4% </li></ul><ul><li>Spam volumes not decreased </li></ul><ul><ul><li>Many spammers took up “snowshoe” spamming - but that’s another talk </li></ul></ul><ul><li>And botnets evolved... </li></ul>36 36 Insert presenter logo here on slide master
    37. 37. Botnet Evolution They just won’t die!
    38. 38. What can the bots do? <ul><li>C&C IPs were hard coded in most botnets </li></ul><ul><ul><li>Some have backup domain names, but anti-spammers registered them all </li></ul></ul><ul><li>They needed to update their software </li></ul><ul><ul><li>Either: Wait for rogue ISPs to come back and issue an update from the C&C </li></ul></ul><ul><ul><li>Or: Re-infect all those PCs </li></ul></ul><ul><li>But update their software they did... </li></ul>38 38 Insert presenter logo here on slide master
    39. 39. The Cutwail (Pricewert) Shutdown <ul><li>2 days (of weekend - owners on vacation?) </li></ul><ul><li>Straight back to full volumes. How? </li></ul><ul><li>Botnet still hard codes IP addresses (faster, safer) </li></ul><ul><li>Has “backup” connections </li></ul><ul><li>Backup is cryptographically generated hostnames </li></ul><ul><li>Crypto changes every day </li></ul><ul><li>Owner then just registers DNS name if ISP goes down </li></ul>39 39 Insert presenter logo here on slide master
    40. 40. Weak Encryption <ul><li>Initial implementations used weak encryption algorithms </li></ul><ul><ul><li>Guessable by researchers </li></ul></ul><ul><ul><li>Fireeye temporarily halted Mega-D this way: </li></ul></ul><ul><ul><ul><li>ADMZJYDA.BIZ AJZPLRAKZUI.ORG ALFAHARPUN.ORG BLAGOINC.INFO DFCZNU9Q.BIZ GREATPUNNETT.COM HAKASIMQ.INFO HARMZOAKE.INFO HOTOPIKALAR.INFO IZTEP14MRKDE.INFO JOPITERAZANIA.NET MAMAFOBIKE.ORG MICRALOKP.BIZ MILFIFEZABOQ.ORG MIRAKLEGROUP.INFO MIREXINT.BIZ MKZYAJIUJOIQ.INFO NAYZIELZP.BIZ RAFFAELLOPAOLINO.NET SKILOPER.NET TYPIREW.ORG UPOYANSA.COM WIKIROCKSA.INFO YANKDREAM.INFO YOURWAYBASKETS.COM ZMCBY6VG.BIZ </li></ul></ul></ul>40 40 Registered all these domains
    41. 41. Forced Evolution <ul><li>Unfortunately playing this game evolves botnets </li></ul><ul><li>Improved encryption </li></ul><ul><li>Faster delivery using fewer nodes </li></ul><ul><li>Non-IRC based C&C communication </li></ul><ul><li>P2P C&C with auto-discovery of supernodes </li></ul>41 41 Insert presenter logo here on slide master
    42. 42. C&C Communication <ul><li>Most botnets used IRC in 2008 (Storm being the exception) </li></ul><ul><li>Now common to use HTTP </li></ul><ul><ul><li>Traverses firewalls better </li></ul></ul><ul><li>P2P still in infancy, but expect to see more </li></ul><ul><ul><li>Problem here is encoding access to the supernodes </li></ul></ul><ul><ul><li>Further problem is that algorithms are complex, open source code is easier </li></ul></ul><ul><ul><li>Using open source code => researchers can walk the network </li></ul></ul><ul><ul><li>Most have used eDonkey/Overnet system </li></ul></ul>42 42 Insert presenter logo here on slide master
    43. 43. Faster Delivery <ul><li>Early botnets would use Windows threads to send multiple messages </li></ul><ul><li>Newer botnets use I/O completion ports, async I/O strategy </li></ul><ul><li>Some even use custom TCP stacks (detectable via p0f based on unusual window sizes) </li></ul><ul><li>Result: Less nodes, more mail </li></ul><ul><ul><li>e.g. Grum: 307 mails/node/min vs Gheg: 22 mails/node/min </li></ul></ul>43 43 Insert presenter logo here on slide master
    44. 44. What Happens Next? And how do we stop these nasties? Insert presenter logo here on slide master
    45. 45. What happens next? <ul><li>Botnets will evolve. They have to. </li></ul><ul><li>LOTS of money is involved </li></ul><ul><ul><li>From a US LEO involved in Anti-Spam: </li></ul></ul><ul><ul><li>“ There’s more money in the spam economy than in the global drug trade” </li></ul></ul><ul><li>On the other hand, they don’t really need to </li></ul><ul><ul><li>Botnets work as they are today </li></ul></ul><ul><ul><li>Shutdowns don’t last forever - they are expensive </li></ul></ul><ul><ul><li>Too many rogue ISPs to take them all on </li></ul></ul><ul><ul><li>Migration offshore </li></ul></ul>45 45 Insert presenter logo here on slide master
    46. 46. What we’ll see more of... <ul><li>P2P communication </li></ul><ul><li>Public Key Encryption between bots and C&C </li></ul><ul><li>Higher performance on a per-node basis </li></ul><ul><li>More functionality </li></ul><ul><ul><li>Why stop at sending mail when you can connect to facebook, twitter, etc? </li></ul></ul><ul><ul><li>Combine in a keylogger and steal the user’s passwords too. </li></ul></ul>46 46 Insert presenter logo here on slide master
    47. 47. Supporting the current model <ul><li>Botnet owners will better monitor for C&C shutdown </li></ul><ul><li>Shutdown recovery time will shrink </li></ul><ul><li>Botnet downtime = lost revenue </li></ul>
    48. 48. How can this be stopped? <ul><li>Technology is not the answer </li></ul><ul><ul><li>It’s a part of the equation - required for pain relief </li></ul></ul><ul><li>Lawsuits and legal action is required </li></ul><ul><li>International collaboration </li></ul><ul><li>Funding </li></ul>
    49. 49. Conclusions Insert presenter logo here on slide master
    50. 50. How to apply this <ul><li>http://www.messagelabs.com/intelligence.aspx </li></ul><ul><li>Hosting Providers: </li></ul><ul><ul><li>Monitor sign-ups for “strange” activity or requests </li></ul></ul><ul><ul><li>Alert law enforcement </li></ul></ul><ul><ul><li>Monitor traffic for high numbers of inbound connections on non-HTTP ports </li></ul></ul><ul><li>End Users: </li></ul><ul><ul><li>Use an effective spam filtering provider </li></ul></ul><ul><ul><li>Keep anti-virus up to date </li></ul></ul><ul><ul><li>Use “safe browsing” techniques </li></ul></ul><ul><li>What we are doing: </li></ul><ul><ul><li>Monitoring latest techniques </li></ul></ul><ul><ul><li>Keep botnets blocked, and keep Law Enforcement informed </li></ul></ul>Insert presenter logo here on slide master

    ×