Host-based Botnet Detection - MIT CSAIL


Botnet-generated Spam
Areej Al-Bataineh, University of Texas at San Antonio
MIT Spam Conference 2009 (slides dated 3/27/2009)
(cartoon on the title slide: www.securitycartoon.com)

Slide 2: Botnets: A Global Pandemic
  - A botnet is a network of compromised machines (bots) under the command and control (C&C) of one person (the master).
  - Machines become infected when users click on email attachments or URLs, visit malicious or legitimate web sites, or install software from untrusted sources.
  - C&C protocols include IRC, HTTP and P2P.
  - Botnets are used for attacks such as DDoS, spamming, phishing, identity theft, etc.
  - According to Panda Labs, in 2Q 2008, 10 million bot computers were used to distribute spam and malware across the Internet each day.

Slide 3: Botnets are mostly used for spamming!
  - According to Marshal's TRACE center: in 1Q 2008, about 85% of spam was generated by 6 botnets: Mega-D, Srizbi, Storm, Pushdo, Rustock and Cutwail.
  - According to Symantec's MessageLabs Intelligence: the McColo ISP shutdown

Slide 4: Questions
  - How does a typical spamming botnet work?
  - How do botnets transmit spam?
  - What can be done to make it nearly impossible for botnets to deliver spam?
  - What tools and policies can be utilized at network edges?
  - What tools and policies can be utilized at mail servers?

Slide 5: Spamming Botnet (diagram)
  Elements: Spammer; Botnet Master; Control Servers; Botnet.
  Resources handed to the bots by the control servers: email templates, email lists, DNS MX records, binary updates.

Slide 6: Questions (agenda slide repeated; see Slide 4)

Slide 7: Email Transmission (diagram)
  Alice (MUA) -> MTA -> MX Server -> Bob (MUA)

Slide 8: Spam Transmission 1: Open Relay (diagram)
  Spambot (MUA) -> Relay Server -> MX Server -> Victim (MUA)
  - The spambot composes a message according to the given template.
  - The spambot forwards the email to an open relay server.
  - The relay server relays the email to the recipient's mail server.

Slide 9: Spam Transmission 2: Open Proxy (diagram)
  Spambot (proxy client) -> Proxy Server -> MX Server -> Victim (MUA)
  - The spambot initiates a proxy connection (HTTP/SOCKS).
  - The proxy server forwards the email traffic to a mail server.

Slide 10: Spam Transmission 3: ProxyLock (diagram)
  Spambot (proxy client) -> Proxy Server -> MX Server of the proxy's own domain -> MX Server -> Victim (MUA)
  - The spambot initiates a proxy connection (HTTP/SOCKS).
  - The proxy server forwards the email traffic through the mail server of its own domain.

Slide 11: Spam Transmission 4: Direct-To-MX (diagram)
  Spambot (MUA+MTA) -> MX Server -> Victim (MUA)
  - The spambot initiates an SMTP connection with the recipient's mail server.

Slide 12: Questions (agenda slide repeated; see Slide 4)

Slide 13: Spam Control: Message Transmission Path (diagram)
  MTA -> Router -> Router -> MX Server

Slide 14: Questions (agenda slide repeated; see Slide 4)

Slide 15: Egress Spam Control at Routers
  1. Manage port 25 traffic (MAAWG 2008)
     - Block mail traffic except from designated servers.
     - Caveat: in some networks this cannot be adopted!!
  2. Monitor DNS queries (Romana et al. 2008)
     - Identify spambots within a network based on their frequent DNS queries for MX records.
     - Caveat: some botnets maintain a database of MX records.
  3. DBSpam (Xie et al. 2006)
     - Block/throttle spam laundry traffic.
     - Discover proxy bots inside the network.
     - Caveat: detects proxy traffic, not regular spam traffic.

Slide 16: Ingress Spam Control at Routers
  1. Local and dynamic blacklists (Cook et al. 2006)
     - Identify IPs of spambots based on spam filters.
     - Keep IPs in blacklists for a chosen period of time.
     - Caveat: spambots have dynamic IP addresses.
  2. Spam stream classification (Agarwal et al. 2005)
     - Identify bulk email streams based on message similarities.
     - Classify them as spam using a Bayesian classifier.
     - Caveat: template-based spam messages do not look similar.
  3. SpamFlow (Beverly & Sollins 2008)
     - Identify distinguishing features of spam TCP flows (RTT, idle time, FIN).
     - Use a machine-learning classifier trained on open relay MTA mail connections.
     - Caveat: choosing the right features is key.

Slide 17: Summary: Control at Routers
  Method          | Direction | Effect on traffic
  ----------------|-----------|-----------------------------------------------------------
  Cook            | In        | Block email traffic from locally-blacklisted sources
  Agarwal         | In        | Detect bulk spam traffic
  SpamFlow        | In        | Detect spam TCP flows
  Manage port 25  | Out       | Drop email traffic except from legitimate outbound servers
  Romana          | Out       | Detect spambots' DNS MX queries
  DBSpam          | In/Out    | Block/throttle proxy traffic

Slide 18: Questions (agenda slide repeated; see Slide 4)
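As an added example (not code from the slides or from the cited papers), the following Python script shows what the first two egress controls on Slide 15 look like when applied to edge telemetry: a port-25 policy audit that reports internal hosts other than the designated outbound mail servers opening SMTP connections to the Internet, and a Romana et al.-style count of MX lookups per client in a sliding window. The flow and DNS log lines, the address ranges, the designated-MTA set, the window and the threshold are all constructed assumptions.

```python
"""Egress spam-control checks at a network edge (added example, not code
from the slides or the cited papers).  Implements two of the controls on
the 'Egress Spam Control at Routers' slide:
  1. port-25 management: only designated outbound MTAs may open SMTP
     connections to the Internet (audited here, enforced on a router);
  2. Romana et al.-style monitoring of hosts that issue many DNS MX queries.
Log formats, addresses, thresholds and the log lines are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")         # assumed internal address space
DESIGNATED_MTAS = {ip_address("10.0.0.25")}    # assumed outbound mail servers
MX_QUERY_THRESHOLD = 20                         # assumed: MX lookups per window
WINDOW = timedelta(minutes=5)

# Constructed flow records: "<timestamp> <src> <dst> <dst-port>"
FLOW_LOG = """\
2009-03-27T10:00:01 10.0.0.25 192.0.2.10 25
2009-03-27T10:00:02 10.0.1.7 192.0.2.20 25
2009-03-27T10:00:03 10.0.1.7 192.0.2.21 25
2009-03-27T10:00:04 10.0.2.9 192.0.2.30 443
2009-03-27T10:00:05 10.0.1.7 198.51.100.5 25
"""

# Constructed DNS query records: "<timestamp> <client> <qname> <qtype>".
# One internal host (10.0.3.4) looks up 25 different MX records in 25 s.
DNS_LOG = "\n".join(
    ["2009-03-27T10:00:00 10.0.0.25 example.com MX"]
    + [f"2009-03-27T10:00:{i:02d} 10.0.3.4 victim{i}.example MX" for i in range(25)]
    + ["2009-03-27T10:00:10 10.0.2.9 www.example.net A"]
)


def port25_violations(flow_log):
    """Return {src: count} of internal hosts, other than the designated MTAs,
    that opened outbound TCP/25 connections.  A router applying the MAAWG
    port-25 policy would drop exactly these flows."""
    hits = Counter()
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split()
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dport != "25" or src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue                      # not outbound SMTP from inside
        if src_ip in DESIGNATED_MTAS:
            continue                      # legitimate outbound mail server
        hits[src] += 1
    return dict(hits)


def frequent_mx_queriers(dns_log, threshold=MX_QUERY_THRESHOLD, window=WINDOW):
    """Return {client: peak} for clients whose MX-query count in any sliding
    window reaches the threshold.  Designated MTAs are exempt because they
    legitimately resolve MX records for every outbound message."""
    per_client = defaultdict(list)
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, client, _qname, qtype = line.split()
        if qtype == "MX":
            per_client[client].append(datetime.fromisoformat(ts))
    flagged = {}
    for client, times in per_client.items():
        if ip_address(client) in DESIGNATED_MTAS:
            continue
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):       # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    print("port-25 policy violations:", port25_violations(FLOW_LOG))
    print("frequent MX queriers:", frequent_mx_queriers(DNS_LOG))
```

The two checks cover different evasions: the DNS check catches a Direct-To-MX bot only while it has to resolve MX records, which is the caveat the slide gives (a bot shipped with its own MX database never queries), whereas the port-25 policy stops every outbound SMTP connection that does not come from the designated servers, at the cost of the deployment problem the slide also notes.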

Slide 19: Spam Control at MTAs
  1. Email forwarding best practices
     - Specify inbound/outbound mail servers.
     - Use a different port number (not 25) and user authentication.
     - Caveat: the spambot knows the port number and the user credentials.
  2. SMTP transaction delay
     - Impose a delay on suspicious requests.
     - Suspicion is based on SMTP RFC compliance checks.
     - Caveat: this delay will not affect spambots.

Slide 20: Incoming Spam Control
  1. Source IP address checking
     - Authorized mail server (SPF, DKIM, Sender ID).
       Caveat: the spambot's domain may not have such DNS records.
     - Blacklists.
       Caveat: 35% of spam comes from sources not listed in any blacklist.
  2. Greylisting
     - Refuse the first delivery attempt, accept the second one.
     - Caveat: spambots can adapt and include this feature.
  3. SMTP session abort

Slide 21: Summary: Spam Control at Servers
  Method                     | Direction | Effect on traffic
  ---------------------------|-----------|-------------------------------------------------------
  Reject open relays         | In/Out    | Block open relay attempts
  Forwarding best practices  | Out       | Drop email from unauthorized users
  SMTP delay                 | In        | Delay spam and reduce its volume
  Source IP checking         | In        | Drop email from untrusted servers
  Greylisting                | In        | Refuse delivery attempts by untrusted sources
  SMTP abort                 | In        | Refuse delivery attempts from known suspicious sources

Slide 22: Review
  - Anti-spam is improving, but why is the spam volume not decreasing?
  - Answer: botnets, which give spammers efficient generation and guaranteed delivery.
  - Solutions: spam control at routers (network edges) and at mail servers.

Slide 23: Conclusions
  - Botnet-generated spam brings out new challenges and opens new directions for solutions.
  - Intercepting spam while in transit is crucial.
  - New solutions should consider the nature of botnet-generated spam: distributed and anonymous.
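Added example, not part of the deck: the two inbound controls that keep per-source state, Cook et al.'s local dynamic blacklist from Slide 16 (an entry expires after a chosen period, which is how it copes with spambots on dynamic IP addresses) and the greylisting of Slide 20 (refuse the first delivery attempt, accept a retry that arrives after a minimum delay), combined into one inbound decision in Python. The time-to-live values, the minimum retry delay, the SMTP reply strings and the scenario in demo() are assumptions.

```python
"""Inbound spam controls with per-source state (added example, not code from
the slides): a local dynamic blacklist with expiry (Cook et al.) in front of
greylisting.  Times are plain seconds; TTLs, delays and replies are assumed."""
from dataclasses import dataclass, field


@dataclass
class DynamicBlacklist:
    """IPs flagged by the local spam filter stay listed for `ttl` seconds.
    The expiry is what makes the list dynamic: spambots usually sit on
    dynamic IP addresses, so a permanent entry would eventually block an
    innocent host that inherits the address."""
    ttl: float
    _entries: dict = field(default_factory=dict)   # ip -> expiry time

    def report_spam(self, ip, now):
        self._entries[ip] = now + self.ttl

    def is_listed(self, ip, now):
        expiry = self._entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                # entry aged out: forget the IP
            del self._entries[ip]
            return False
        return True


@dataclass
class Greylister:
    """Refuse the first delivery attempt for an unknown (client IP, sender,
    recipient) triplet with a temporary failure; accept a retry that arrives
    at least `min_delay` seconds later and before the record expires.  A
    compliant MTA retries; a bot that never retries (or retries at once)
    is refused.  The slide's caveat stands: a bot that learns to wait and
    retry passes this check."""
    min_delay: float
    record_ttl: float
    _seen: dict = field(default_factory=dict)    # triplet -> first-seen time
    _known: set = field(default_factory=set)     # triplets that passed

    def decide(self, client_ip, sender, recipient, now):
        key = (client_ip, sender, recipient)
        if key in self._known:
            return "250 accept"
        first = self._seen.get(key)
        if first is None or now - first > self.record_ttl:
            self._seen[key] = now                # first attempt (or stale record)
            return "451 try again later"
        if now - first < self.min_delay:
            return "451 try again later"         # retried too quickly
        self._known.add(key)
        del self._seen[key]
        return "250 accept"


def inbound_policy(blacklist, greylister, client_ip, sender, recipient, now):
    """Cheap blacklist check first (no state change), then greylisting."""
    if blacklist.is_listed(client_ip, now):
        return "554 blacklisted"
    return greylister.decide(client_ip, sender, recipient, now)


def demo():
    """Constructed scenario; returns the sequence of decisions."""
    bl = DynamicBlacklist(ttl=3600)
    gl = Greylister(min_delay=300, record_ttl=4 * 3600)
    out = []
    # 1. a legitimate MTA: first attempt greylisted, retry after 10 min accepted
    out.append(inbound_policy(bl, gl, "203.0.113.5", "a@ex.org", "b@local", 0))
    out.append(inbound_policy(bl, gl, "203.0.113.5", "a@ex.org", "b@local", 600))
    # 2. a bot that retries 5 s later is still inside min_delay: refused again
    out.append(inbound_policy(bl, gl, "198.51.100.7", "x@spam", "b@local", 0))
    out.append(inbound_policy(bl, gl, "198.51.100.7", "x@spam", "b@local", 5))
    # 3. the spam filter flags that IP: dropped until the TTL runs out, after
    #    which the address is treated as unknown again (greylisted, not trusted)
    bl.report_spam("198.51.100.7", now=100)
    out.append(inbound_policy(bl, gl, "198.51.100.7", "x@spam", "c@local", 200))
    out.append(inbound_policy(bl, gl, "198.51.100.7", "x@spam", "c@local", 3700))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Ordering the blacklist before the greylister matters for the 35% figure on Slide 20: sources that no list knows still reach the greylister, and an expired blacklist entry falls back to greylisting rather than to acceptance, so a reused dynamic address is neither blocked forever nor trusted outright.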

Slide 24: Questions? Comments? Ideas?
  Contact: [email protected]

Slide 25: Extra Slides

Slide 26: Experiments
  For each of the top spam botnets:
  - Get a binary.
  - Analyze it with CWSandbox.
  - Analyze the packet trace manually.
  - Describe the delivery method used.

Slide 27: Top Spam Botnets
  Botnet    | Aliases                                    | Size    | Control                                      | Rootkit
  ----------|--------------------------------------------|---------|----------------------------------------------|--------
  Cutwail   | Pandex, Mutant (related to: Wigon, Pushdo) | 175,000 | HTTP with encryption, multiple TCP ports     | Yes
  Rustock   | RKRustok, Costrat, Meredrop                | 130,000 | HTTP with encryption, TCP port 80            | Yes
  DonBot    | Bachsoy                                    | 125,000 | Custom protocol on a high TCP port           | No
  Ozdok     | Mega-D                                     | 120,000 | Encrypted, TCP port 443                      | No
  XarVester | Rlsloup, RUcrzy                            | 60,000  | HTTP on high ports                           | Yes
  Grum      | Tedroo                                     | 50,000  | HTTP on TCP port 80                          | Yes
  Cheg      | Tosfee                                     | 50,000  | Encrypted on TCP ports 443 and 533           | No
  CimBot    | Unknown                                    | 10,000  | Encrypted, TCP ports 80 and 443              | No
  Waledac   | Waled                                      | 10,000  | AES- and RSA-encrypted, encapsulated in HTTP | No
  The slide also has an "SMTP engine" column of which only two cells survived extraction: "Template based" (row not recoverable) and "A from-scratch rewrite of Storm" (last row, Waledac).

Slide 28: Botnet Activity
  Chart adopted from Damballa's website on March 24th (the chart itself is not in the extracted text).
