• Home

  • Documents

  • Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing...
9
Spam Sinkholing Nick Feamster

Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Embed Size (px)

Citation preview

Page 1: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Spam Sinkholing

Nick Feamster

Page 2: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Introduction

• Goal: Identify bots (and botnets) by observing second-order effects– Observe “application” behavior that’s likely to contain

bot activity (spam is a good candidate: > 85% of spam coming from bots as of 4Q 2005)

• Advantages: – Direct observation of behavior– Potentially very wide lens– Passive

• Disadvantage: No ground truth

Page 3: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Spam Collection Overview

• Trap mail sent to “dead” domains

• Log IPs

• Perform active and passive measurements– Traceroute– Passive SYN fingerprints– DNSBL lookups, etc.

Page 4: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Data Collection Overview

Mail Avenger

sendmail

Spammer

Spammer

Spammer

DNS

MX lookupsResolve to sinkhole Blowtorch (GTISC)

dynamorsync

(schema on wiki)

O(100k) pieces of spam per week

Hundreds of domains

Page 5: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Sample Mail Avenger Header

Highly configurable SMTP server that collects many useful statistics

Page 6: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Database Schema Sample

CREATE TABLE spamtrap_email ( entrytime timestamp with timezone default NULL, trap_domain text default NULL, client_ip ip4 default NULL, client_port smallint default NULL, traceroute_time timestamp with timezone default NULL, to_ text default NULL, delivered_to text default NULL, subject text default NULL, xmailer text default NULL, from_ text default NULL, emailid serial default NULL, FOREIGN KEY(dnsbl_id) on spamtrap_dnsbl(dnsbl_id),

) tablespace dataspace;

Page 7: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Uses for Data

• Identification: Low-confidence list of likely bot IPs

• Bootstrapping: Use as a starter set for some “intractable” analysis problems– Use this low-confidence list to prune DNSBL graph mining– Feed this information back to ISPs to focus mining

• Second-order effects– Analysis of hosting sites for URLs– Clustering

Page 8: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Analysis Within Spam Dataset

• Clustering to identify groups (coordination suggests likely bot)– Temporal-based correlation– Content-based correlation

• Based on URLs

• Analysis of hosting URLs: Perhaps useful for identifying phishing sites– Where hosted?– Transience?

Page 9: Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely

Correlation: Across Datasets

• DNSBL datasets require bootstrapping– As per SRUTI paper– Use spam dataset as a graph pruning mechanism

• Possibility: Use spam sinkhole as a source for malware. Strip attachments.– Likely already being done by lots of others

• Get information about exfiltration email addresses and domains from binary analysis– Look for those appearing in sinkhole to build confidence and

monitor ongoing activity


Comments made in the year 1955! Thats only 55 years ago! Thats only 55 years ago!

Comments made in the year 1955! Thats only 55 years ago! Thats only 55 years ago!

Documents
Lesson 5 Thats a Negative

Lesson 5 Thats a Negative

Documents
Thats a Better Ideia

Thats a Better Ideia

Documents
Thats Wild (24 Wild Ones)

Thats Wild (24 Wild Ones)

Entertainment & Humor
dg thats earl brother_20110830134550.pdf

dg thats earl brother_20110830134550.pdf

Documents
NOW THATS NEWSWORTHY #1

NOW THATS NEWSWORTHY #1

Documents
Ramirez Thats My Place

Ramirez Thats My Place

Documents
Thats when i love you

Thats when i love you

Technology
Nick Feamster

Nick Feamster

Documents
Network Security Problems Nick Feamster feamster@cc.gatech.edu

Network Security Problems Nick Feamster [email protected]

Documents
Thats How Young I Feel

Thats How Young I Feel

Documents
Thats Gay Paris Guion

Thats Gay Paris Guion

Documents
Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu

Filtering: Sharpening Both Sides of the Double-Edged Sword Prof. Nick Feamster Georgia Tech feamster cc.gatech.edu

Documents
The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets

The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets

Documents
jeff& thats it

jeff& thats it

Sports
All Thats Known

All Thats Known

Documents
Thats life coaching

Thats life coaching

Documents
Enchanted-Thats How You Know

Enchanted-Thats How You Know

Documents
thats us....our life

thats us....our life

Art & Photos
E12 Thats My King

E12 Thats My King

Spiritual
Davis - 1971 - Thats Interesting

Davis - 1971 - Thats Interesting

Documents
Nick Feamster Princeton University

Nick Feamster Princeton University

Documents
Peñafrancia and thats it

Peñafrancia and thats it

Documents
COCKTAIL MENU - Shaker & Company · joy thats shared is a joy thats doubled, a ers cocktail thats shared is a price thats halved “ At the Movies 6 people - Toffee - A little treat

COCKTAIL MENU - Shaker & Company · joy thats shared is a joy thats doubled, a ers cocktail thats shared is a price thats halved “ At the Movies 6 people - Toffee - A little treat

Documents
Sinkholing Botnets

Sinkholing Botnets

Documents
Internet Availability Nick Feamster Georgia Tech

Internet Availability Nick Feamster Georgia Tech

Documents
Thats God1

Thats God1

Documents
Thats Laughs 1

Thats Laughs 1

Documents
Thats my train

Thats my train

Documents
Thats English Modulo4

Thats English Modulo4

Documents