
Bots Used to Facilitate Spam

Matt Ziemniak

Outline

• Discuss Snort lab improvements

• Spam as a vehicle behind cyber threats

• Bots and botnets

• What can be done

Lab Improvements

• Build more complex rules

• Provide more interaction with snort.conf file and installation

• Explain how snort works in real-world setting

• Make both labs snort-related

Cyber-related Crimes

• Phishing

• Spyware

• Nigerian scams

• Child pornography

Why Spam is an Issue

• Loss of employee productivity

• Money spent on hardware/software

• Dissemination of viruses, spyware, and phishing schemes

Spam - Distribution in the Past

• Open relay mail servers

• Open HTTP proxies

• Worms/mass mailers

Spam - A Better Method

• Find a way to automate the spamming process while remaining anonymous

What is a Bot

• Short for robot. A computer program that performs a function such as forwarding e-mail, responding to newsgroup messages, or searching for information.

Source: http://www.computeruser.com/resources/dictionary

Common uses for a Bot

• Web crawlers/search agents

• Interacting with online games

• Monitoring IRC channels

Only limited by imagination

Malicious Bots

• Keylogging

• Denial-of-Service Attacks

• Identity Theft (hosting spoofed websites)

• Spread malware

GENERATE SPAM!

Types of Bots

• Internet Relay Chat (IRC)

• Hyper-Text Transfer Protocol (HTTP)

• P2P (Peer-to-Peer file sharing)

What is IRC

• An online system that allows real-time communications

• Consists of an IRC server and an IRC client; the connection between the two is called a channel

• Members join chat rooms to discuss various topics (may be password protected)

• Can be used for file sharing

IRC Bots

• Program that interacts with an IRC server in an automated fashion

• Typically used to monitor a channel when an individual is away from the computer

• Can be modified by anyone with programming skills (C++, Perl, Delphi)

• IRC has its own scripting language

From Bots to Botnets

• An individual gains control of many bots that reside on different users’ computers

• Controlled by a “bot master” who uses a command/control channel

• The bots connect to the IRC server and wait for commands from the bot master

[Diagram: a bot master at the top controlling several bots below]

HTTP Bots

• Commonly used to generate spam

• User typically visits a website and downloads a trojan or other piece of malware

• Connection is made to a web server operated by a bot master

• More software is downloaded onto the user’s computer

HTTP Botnet Infection

[Diagram: browser exploit leads to trojan download, then the bot client is downloaded]

Methods to spam

• Use compromised computer as spam proxy

• Use compromised computer as mail relay

• Obtain email addresses from compromised computer (harvesting)

Difficult to Trace Origin

• HTTP redirects

• Path to actual site leads to IPs across different countries (bouncing)

• Compromised proxies don’t log connections

• Tank farms act like middlemen by pushing the spam through proxies

Growing Concern

• "At the end of last year we knew of about 2,000 botnets. Towards the end of this year, we're looking at about 300,000."

Source: Jesse Villa, Frontbridge Technologies http://www.pcworldmalta.com/specials/yearend04/goodandbad.htm.

Importance of Research

• Gathering intelligence regarding botnet activity

• Use tools such as honeypots, intrusion detection systems, packet sniffers

• Perform trends analysis on data, source information, log files (firewall and IDS)
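As an added illustration of the firewall-log trend analysis mentioned above (example code, not from the slides), this Python script flags internal hosts that fan SMTP connections out to many distinct mail servers, the footprint of a compromised machine acting as a spam relay, and notes whether the same host also reached an IRC port. The log format, addresses and the IRC port list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log (not from the slides): one allowed outbound
# TCP connection per line. 10.0.0.5 fans SMTP out to many hosts and
# also contacts an IRC server; 10.0.0.9 is an ordinary client.
FIREWALL_LOG = """\
2004-12-01 10:00:01 ALLOW TCP 10.0.0.5:3421 -> 203.0.113.7:25
2004-12-01 10:00:02 ALLOW TCP 10.0.0.5:3422 -> 198.51.100.12:25
2004-12-01 10:00:02 ALLOW TCP 10.0.0.5:3423 -> 198.51.100.40:25
2004-12-01 10:00:03 ALLOW TCP 10.0.0.5:3424 -> 203.0.113.99:25
2004-12-01 10:00:03 ALLOW TCP 10.0.0.5:3425 -> 192.0.2.15:6667
2004-12-01 10:00:04 ALLOW TCP 10.0.0.9:5100 -> 203.0.113.80:80
2004-12-01 10:00:05 ALLOW TCP 10.0.0.9:5101 -> 10.0.0.2:25
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SMTP_PORT = 25
IRC_PORTS = {6667}  # assumption: plain-text IRC on its default port

def profile_hosts(log_text):
    """Per source host: distinct SMTP destinations and IRC contacts."""
    stats = defaultdict(lambda: {"smtp_dsts": set(), "irc_dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # skip malformed lines and blocked attempts
        dport = int(m["dport"])
        if dport == SMTP_PORT:
            stats[m["src"]]["smtp_dsts"].add(m["dst"])
        elif dport in IRC_PORTS:
            stats[m["src"]]["irc_dsts"].add(m["dst"])
    return stats

def suspected_spam_bots(log_text, smtp_threshold=3):
    """Hosts contacting more than smtp_threshold distinct mail servers.
    A normal client uses one or two relays; a bot relaying its own spam
    fans out widely. IRC contact is reported as supporting context."""
    out = {}
    for src, s in profile_hosts(log_text).items():
        if len(s["smtp_dsts"]) > smtp_threshold:
            out[src] = {"smtp_destinations": len(s["smtp_dsts"]),
                        "irc_contact": bool(s["irc_dsts"])}
    return out
```

The threshold is deliberately low for the tiny sample; on real logs it should be tuned against the site's known mail relays so that legitimate outbound mail servers are excluded.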

How Industry can Help

• Educate employees

• Increase security measures

• Develop security products

• Share information and resources

Questions