RSA Conference 2010
Lessons in Botnets: The After-effects of ISP Takedowns
Alex Shipp
Symantec Hosted Services
Session ID: HT1-202
Session Classification: Advanced
The takedown of four major ISPs over the past year has offered deep insight into spamming behavior and the life expectancy of some of the most powerful botnets ever known. With the demise of Intercage, McColo, Pricewert and Real Host, spam levels dropped to some of the lowest levels ever seen, but then quickly rose again in varying capacities. What have we learned about botnets from these landmark events and how can we use this intelligence to better track and defeat them?
RSA2010: Alex Shipp - Lessons in Botnets: The After-effects of ISP Takedowns
1. Lessons in Botnets: The After-effects of ISP Takedowns. Alex Shipp, Symantec Hosted Services. Session ID: HT1-202. Session Classification: Advanced
2. Agenda: Brief History of Spamming; ISP Takedowns; Botnet Evolution; What happens next?
3. A Brief History: How spammers have changed over time
4. Spam Volume History (source: MessageLabs Intelligence)
5. Spamming Circa 2002 - Work from home!
8. Example Spammer Tool - SendSafe Mailer
11. Where are we now?
13. ISP Takedowns: The effect of removing rogue ISPs
19. McColo Visual Badware (image courtesy of Washington Post: http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html)
21. Graph of spams/sec on our spamtrap
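As an added example (not part of the original slides or of Symantec/MessageLabs tooling), here is how a spamtrap operator could produce the spams/sec series behind a graph like the one on this slide and flag the kind of abrupt drop and rebound that follows a rogue ISP takedown. The log line format, the sample addresses, the bucket size and the drop/rebound thresholds are all assumptions made for this example.

```python
"""Spams/sec from a spamtrap log, with takedown-style drop/rebound detection.

Added example; the log format and all data below are constructed, not MessageLabs data.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, one delivery per line: "<ISO-8601 timestamp> <sender IP> <trap address>".
# The format and the addresses (RFC 5737 documentation ranges) are assumptions.
SAMPLE_LOG = """\
2008-11-11T13:00:01 198.51.100.10 trap1@example.net
2008-11-11T13:00:05 198.51.100.11 trap2@example.net
2008-11-11T13:00:12 198.51.100.10 trap1@example.net
2008-11-11T13:00:20 203.0.113.7 trap3@example.net
2008-11-11T13:00:33 198.51.100.12 trap1@example.net
2008-11-11T13:00:50 203.0.113.9 trap2@example.net
2008-11-11T13:01:15 192.0.2.40 trap3@example.net
2008-11-11T13:02:02 192.0.2.40 trap1@example.net
2008-11-11T13:02:10 192.0.2.41 trap2@example.net
2008-11-11T13:02:30 198.51.100.10 trap3@example.net
2008-11-11T13:02:55 192.0.2.42 trap1@example.net
"""

EPOCH = datetime(1970, 1, 1)  # fixed reference so bucketing does not depend on local time zone


def parse_log(text):
    """Yield (timestamp, sender_ip) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ts, ip


def rate_series(text, bucket_seconds=60):
    """Return an ordered list of (bucket_start, spams_per_sec).

    Buckets with no traffic between the first and last delivery are filled with 0.0,
    so a complete outage appears as a zero point rather than a missing one.
    """
    counts = Counter()
    for ts, _ in parse_log(text):
        sec = int((ts - EPOCH).total_seconds())
        counts[sec - sec % bucket_seconds] += 1
    if not counts:
        return []
    series = []
    for b in range(min(counts), max(counts) + 1, bucket_seconds):
        series.append((EPOCH + timedelta(seconds=b), counts.get(b, 0) / bucket_seconds))
    return series


def find_shifts(series, drop_fraction=0.5, rebound_factor=2.0):
    """Flag bucket-to-bucket changes: a fall of at least drop_fraction is a 'drop',
    a rise by at least rebound_factor is a 'rebound'. Returns (bucket_start, kind, before, after)."""
    shifts = []
    for (_, before), (when, after) in zip(series, series[1:]):
        if before > 0 and after <= before * (1 - drop_fraction):
            shifts.append((when, "drop", before, after))
        elif after > 0 and after >= before * rebound_factor:
            shifts.append((when, "rebound", before, after))
    return shifts


def top_sources(text, prefix_len=24, n=3):
    """Count senders by /prefix_len network, the granularity at which one hosting
    provider's address space tends to stand out in a spamtrap."""
    nets = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        for _, ip in parse_log(text)
    )
    return nets.most_common(n)


if __name__ == "__main__":
    series = rate_series(SAMPLE_LOG)
    for when, rate in series:
        print(f"{when:%H:%M}  {rate:.4f} spams/sec")
    for when, kind, before, after in find_shifts(series):
        print(f"{when:%H:%M}  {kind}: {before:.4f} -> {after:.4f}")
    print(top_sources(SAMPLE_LOG))
```

On real spamtrap data the bucket would be hours or days rather than a minute, and the per-network counts before and after a flagged drop are what tie the change to a particular provider's address space.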
e.g. registering domain names was expensive when it got into the tens of names.