Coordinated Distributions Method for Tracking Botnets Sending out Spam

Andrey Bakhmutov, Kaspersky Lab, Andrey.Bakhmutov@kaspersky.com


Botnets and spam distributions

Botnets and spam distributions are closely tied together and benefit from each other.

• Due to their immense size, combined with dynamically changeable IP addresses, botnets are a powerful tool for spam distribution.
• Distributing spam messages with malicious content results in larger botnets.

[Diagram, built up over four slides: email sources, a mail system and an analyzer; the analyzer produces a per-source histogram of the number of messages by size (size axis 3000 to 9000, message-count axis 10 to 50). The final version of the diagram adds UDS servers.]

Statistical data and summary of results

• About 2000 active clients
• 1.5 million IP addresses per day
• 120,000 (8%) IP addresses suitable for analysis
• 40,000 IP addresses fall into botnet lists
• 4-5 botnets with 5,000-7,000 hosts and 10-15 botnets with fewer hosts
• Botnet regions: China, USA, Turkey, Russia

Regional distribution of the botnet

[Chart, Apr 21: bars for USA, Turkey, Italy, GB and Poland on a 0 to 12 scale.]

Distributions of the number of messages by size

[Figure, Jun 11: four panels of number of messages vs. message size (1000 to 11000), one per host: 62.106.49.4 (kone62494.ippnet.fi, FI, 1467) and 75.88.172.171 (h171.172.88.75.dynamic.ip.windstream.net, US, 1483) with counts up to 300; 24.80.227.114 (s0106000f6636655d.vc.shawcable.net, CA, 1025) and 78.186.149.168 (dsl78.186-38312.ttnet.net.tr, TR, 1129) with counts up to 160.]


Distributions of the number of messages by size

[Figure, Jun 12 and Jun 15: two panels of number of messages vs. message size (1500 to 4500): 88.147.229.21 (88.147.229.21, RU, 364) with counts up to 80; 70.89.15.186 (70-89-15-186-jax-fl.hfc.comcastbusiness.net, US, 458) with counts up to 90.]

Hourly botnet activity

[Chart, Apr 21-24: active IP addresses per hour (0 to 3500) over hours 0 to 24, one line per day: 2008-04-21, 2008-04-22, 2008-04-23, 2008-04-24.]

[Chart, Apr 25-30: active IP addresses per hour (0 to 3000) over hours 0 to 24, one line per day: 2008-04-25, 2008-04-28, 2008-04-29, 2008-04-30.]

[Chart, Jul 1-4: active IP addresses per hour (0 to 3000) over hours 0 to 24, one line per day: 2008-07-01, 2008-07-02, 2008-07-03, 2008-07-04.]

Hourly botnet activity (another botnet)

[Chart, Jul 1-4: active IP addresses per hour (0 to 400) over hours 0 to 24, one line per day: 2008-07-01, 2008-07-02, 2008-07-03, 2008-07-04.]

Hourly botnet activity vs. individual host activity

[Chart, Apr 21. Top panel: active IP addresses per hour (0 to 3500) over hours 0 to 24. Bottom panel: messages per hour (0 to 160) from 12.154.2.146 (f2c146.gpcom.net, US, 1556).]

Distributions of the number of messages by time

[Chart, Apr 21: messages per hour over hours 0 to 24 for 12.154.2.146 (f2c146.gpcom.net, US, 1556), counts up to 160, and for 141.157.62.11 (pool-141-157-62-11.balt.east.verizon.net, US, 976), counts up to 100.]

Distributions of the number of messages by time

[Chart, Apr 21 and Jul 2: messages per hour over hours 0 to 24 for 12.154.2.146 (f2c146.gpcom.net, US, 1556), counts up to 160, and for 84.123.68.31 (84.123.68.31.dyn.user.ono.com, ES, 836), counts up to 80.]

Pros and Cons

Pros
• Independence from bot implementations and botnet control infrastructure protocols
• Simple implementation, especially on the client side
• Low maintenance cost: once implemented, the system does not require much human intervention

Cons
• The need to gather a large quantity of statistical information from many sources
• Inability to block a botnet until enough statistical information is gathered
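The slides show per-host distributions of message count by size and name the technique "coordinated distributions", but do not state the statistic used to decide that two hosts' distributions coincide. The following is an added illustration, not Kaspersky Lab's code: each source IP gets a normalized histogram of the sizes of the messages it sent, and hosts whose histograms are close under cosine similarity are placed in one group. The bin width, the similarity threshold and the minimum number of messages a host must have sent before it is compared (the "enough statistical information" point from the cons list) are assumptions, and the log lines are constructed with documentation-range IP addresses.

```python
"""Group spam sources by the similarity of their message-size distributions.

Added example for this presentation; the exact statistic used in the talk is
not given on the slides. Bin width, minimum message count and similarity
threshold are assumptions chosen for the constructed sample data below.
"""
from collections import defaultdict
import math

BIN_WIDTH = 500             # width of one histogram bin in bytes (assumption)
MIN_MESSAGES = 20           # do not classify a host before this many messages (assumption)
SIMILARITY_THRESHOLD = 0.9  # cosine similarity needed to link two hosts (assumption)

# Sizes of one constructed spam campaign: two templates of about 3.1 KB and 7.0 KB.
CAMPAIGN_SIZES = [3100, 3150, 3200, 3250, 3300, 7000, 7050, 7100, 7150, 7200] * 3


def make_sample_log():
    """Build constructed log lines of the form '<time> <source IP> <size in bytes>'."""
    lines = []
    # Three hosts sending the same campaign (documentation-range IPs, small per-host jitter).
    for ip, jitter in (("192.0.2.10", 0), ("198.51.100.7", 40), ("203.0.113.5", -20)):
        for i, size in enumerate(CAMPAIGN_SIZES):
            lines.append(f"2008-04-21T{i % 24:02d}:05:00 {ip} {size + jitter}")
    # One unrelated host whose message sizes are spread evenly over 1000-11000 bytes.
    for i in range(30):
        lines.append(f"2008-04-21T{i % 24:02d}:10:00 192.0.2.99 {1000 + i * 330}")
    # One host seen too rarely to be classified yet.
    for i in range(5):
        lines.append(f"2008-04-21T{i:02d}:20:00 198.51.100.200 {3100 + i * 50}")
    return "\n".join(lines)


def parse_log(text):
    """Return {source_ip: [sizes]} from 'time ip size' lines; malformed lines are skipped."""
    sizes = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            sizes[parts[1]].append(int(parts[2]))
        except ValueError:
            continue
    return sizes


def size_histogram(sizes, bin_width=BIN_WIDTH):
    """Normalized histogram: {bin_index: fraction of the host's messages in that bin}."""
    counts = defaultdict(int)
    for s in sizes:
        counts[s // bin_width] += 1
    total = len(sizes)
    return {b: c / total for b, c in counts.items()}


def cosine_similarity(h1, h2):
    """Cosine of the angle between two sparse histograms (1.0 = identical shape)."""
    dot = sum(v * h2.get(b, 0.0) for b, v in h1.items())
    n1 = math.sqrt(sum(v * v for v in h1.values()))
    n2 = math.sqrt(sum(v * v for v in h2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0


def group_hosts(text, threshold=SIMILARITY_THRESHOLD, min_messages=MIN_MESSAGES):
    """Return (groups, pending): groups of two or more hosts whose size distributions
    coincide (single linkage over pairwise similarity), and hosts that have not yet
    sent enough messages to be compared at all."""
    per_host = parse_log(text)
    pending = sorted(ip for ip, s in per_host.items() if len(s) < min_messages)
    hosts = sorted(ip for ip in per_host if ip not in pending)
    hist = {ip: size_histogram(per_host[ip]) for ip in hosts}

    parent = {ip: ip for ip in hosts}  # union-find over the classifiable hosts

    def find(ip):
        while parent[ip] != ip:
            parent[ip] = parent[parent[ip]]
            ip = parent[ip]
        return ip

    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if cosine_similarity(hist[a], hist[b]) >= threshold:
                parent[find(a)] = find(b)

    members = defaultdict(list)
    for ip in hosts:
        members[find(ip)].append(ip)
    groups = sorted(sorted(m) for m in members.values() if len(m) >= 2)
    return groups, pending


if __name__ == "__main__":
    groups, pending = group_hosts(make_sample_log())
    for g in groups:
        print("coordinated group:", ", ".join(g))
    print("too few messages yet:", ", ".join(pending))
```

On the constructed data the three campaign hosts land in one group (the jittered host still scores about 0.98 against the others), the evenly spread host stays unassigned, and the five-message host is reported as pending rather than being classified on too little data. In practice the threshold and the minimum sample would be tuned against the volume the slides describe (1.5 million addresses per day, of which 8% carry enough messages to analyse).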

THANK YOU

Andrey Bakhmutov, Kaspersky Lab, Andrey.Bakhmutov@kaspersky.com