Spampots Project First Results of the International Phase and its Regional Utilization

Similar documents
Spampots Project Mapping the Abuse of Internet Infrastructure by Spammers

Use of Honeypots for Network Monitoring and Situational Awareness

honeytarg Chapter Activities

CERT.br Incident Handling and Network Monitoring Activities

Monitoring the Abuse of Open Proxies for Sending Spam

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Preventing your Network from Being Abused by Spammers

Development of an IPv6 Honeypot

Information Security Awareness Videos

A Multistakeholder Effort to Reduce Spam The Case of Brazil

The Global ecrime Outlook CERT.br National Report

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

Challenges and Best Practices in Fighting Financial Fraud in Brazil

Incident Handling in Brazil

Phishing and Banking Trojan Cases Affecting Brazil

CERT.br: Mission and Services

Cybersecurity and Incident Response Initiatives: Brazil and Americas

Distributed Honeypots Project: How It s Being Useful for CERT.br

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

A Campaign-based Characterization of Spamming Strategies

Incident Handling and Internet Security in Brazil

Incident Response and Early Warning Initiatives in Brazil

Evolution of Financial Fraud in Brazil

Fraud and Phishing Scam Response Arrangements in Brazil

SPAM: 101 Cause and Effect

The Brazilian Internet Steering Committee CGI.br Internet Governance Model in Brazil

About Botnet, and the influence that Botnet gives to broadband ISP

Spamming Chains: A New Way of Understanding Spammer Behavior

CYBEROAM UTM s. Outbound Spam Protection Subscription for Service Providers. Securing You. Our Products.

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

Phishing Activity Trends

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Unknown threats in Sweden. Study publication August 27, 2014

Phone Fax

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

Phishing Activity Trends Report June, 2006

Intercept Anti-Spam Quick Start Guide

Discovering Campaign Based Spamming Strategies

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

Copyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.

Internet Governance and Regulation in ICLAC - A Review

Phishing Activity Trends Report for the Month of December, 2007

Security Incidents And Trends In Croatia. Domagoj Klasić

SonicWALL Security Quick Start Guide. Version 4.6

Who will win the battle - Spammers or Service Providers?

4 Messaging Technology

BEST PRACTICES FOR LOCAL MULTISTAKEHOLDER INTERNET GOVERNANCE STRUCTURES. Hartmut Richard Glaser Executive-Secretary of CGI.br

The anatomy of an online banking fraud

F-Secure Messaging Security Gateway. Deployment Guide

Ram Dantu. VOIP: Are We Secured?

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Simplicity Value Documentation 3.5/5 5/5 4.5/5 Functionality Performance Overall 4/5 4.5/5 86%

The Leading Security Suites

Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.

Configuration Information

Services Deployment. Administrator Guide

Emerging Trends in Fighting Spam

Innovations in Network Security

Towards Automated Botnet Detection and Mitigation

Communications and Information Technology Commission. Suggested SPAM Monitoring Framework for CITC

CALNET 3 Category 7 Network Based Management Security. Table of Contents

Transforming the Telecoms Business using Big Data and Analytics

How To Integrate Hosted Security With Office 365 And Microsoft Mail Flow Security With Microsoft Security (Hes)

DDoS Attacks Can Take Down Your Online Services

CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS

How to Stop Spam s and Bounces

APPLICATION PROGRAMMING INTERFACE

CSC474: Network Security

Scaling Big Data Mining Infrastructure: The Smart Protection Network Experience

SPAM FILTER Service Data Sheet

Using big data analytics to identify malicious content: a case study on spam s

SR B17. The Threat Landscape Continues to Change: How are You Keeping Pace? Dean Turner

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

On and off premises technologies Which is best for you?

December 2010 Report #48

Kaspersky Security 8.0 for Microsoft Exchange Servers Administrator s Guide

Sophos for Microsoft SharePoint startup guide

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

Configuration Information

AVG AntiVirus. How does this benefit you?

One Minute in Cyber Security

The Growing Problem of Outbound Spam

Fighting Advanced Threats

Trend Micro, Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013

The HoneyNet Project Scan Of The Month Scan 27

A Guide to New Features in Propalms OneGate 4.0

China s Anti-Spam Works

WHAT S NEW IN WEBSENSE TRITON RELEASE 7.8

McAfee Next Generation Firewall (NGFW) Administration Course

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

The Latest Internet Threats to Affect Your Organisation. Tom Gillis SVP Worldwide Marketing IronPort Systems, Inc.

Quick Start Guide Managing Your Domain

Alexandr Golubev ( RENAM Association

MXSweep Hosted Protection

Malicious Network Traffic Analysis

Transcription:

Spampots Project First Results of the International Phase and its Regional Utilization Klaus Steding-Jessen jessen@cert.br LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 1/31 CERT.br Computer Emergency Response Team Brazil NIC.br Network Information Center Brazil CGI.br Brazilian Internet Steering Committee

About CERT.br Created in 1997 as the national focal point to handle computer security incident reports and activities related to networks connected to the Internet in Brazil. http://www.cert.br/mission.html LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 2/31

Our Parent Organization: CGI.br Among the diverse responsibilities of The Brazilian Internet Steering Committee CGI.br, the main attributions are: to propose policies and procedures related to the regulation of the Internet activities to recommend standards for technical and operational procedures to establish strategic directives related to the use and development of Internet in Brazil to promote studies and technical standards for the network and services security in the country to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br> to collect, organize and disseminate information on Internet services, including indicators and statistics LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 3/31

CGI.br/NIC.br Structure 01- Ministry of Science and Technology 02- Ministry of Communications 03- Presidential Cabinet 04- Ministry of Defense 05- Ministry of Development, Industry and Foreign Trade 06- Ministry of Planning, Budget and Management 07- National Telecommunications Agency 08- National Council of Scientific and Technological Development 09- National Forum of Estate Science and Technology Secretaries 10- Internet Expert LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 4/31 11- Internet Service Providers 12- Telecom Infrastructure Providers 13- Hardware and Software Industries 14- General Business Sector Users 15- Non-governamental Entity 16- Non-governamental Entity 17- Non-governamental Entity 18- Non-governamental Entity 19- Academia 20- Academia 21- Academia

Agenda SpamPots Project Objectives Architecture Overview New Developments Partners/Members Portal Mining Spam Campaigns Ongoing Work LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 5/31

SpamPots Project Objectives Better understand the abuse of the Internet infrastructure by spammers measure the problem from a different point of view: abuse of infrastructure X spams received at the destination Help develop the spam characterization research Measure the abuse of end-user machines to send spam Use the spam collected to improve antispam filters Develop better ways to identify phishing and malware identify botnets via the abuse of open proxies and relays LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 6/31

SpamPots Project Objectives (cont.) Improving cooperation in spam fighting Provide data to trusted parties help the constituency to identify infected machines identify malware and scams targeting their constituency Sensors at: AU, AT, BR, CL, NL, TW, US and UY Coming soon: AE, AR, EC, MY and another in US LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 7/31

Architecture Overview Spammers, bots malware, etc Honeypots emulating open proxies and open relays Data Collection: Data Analysis: Collects all data periodically; Checks honeypots status. Data mining process; Generate analysis based on spam content. Storage Storage Members Portal: Statistics; Global distribution of spam campaings; Sample e mails, URLs, etc. Data Warehouse LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 8/31

New Developments Data capture and collection software rewritten: spamsinkd non-forking multi-threaded event based design using POE framework collect more details about each message store messages in mbox format IPv6 ready spamtestd faster response more control over responses to test messages better data storage design better disk usage facilitate data donation facilitate archival LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 9/31

Case Study IP from Nigeria abuse SOCKS Proxy in Brazil connects at an ISP in Germany to authenticate with a stolen credential to send a phishing to.uk victims with a link to a phony Egg bank site using a South Africa domain hosted at an IP address allocated to UK s largest web hosting company based in Gloucester LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 10/31

Case Study (cont.) From: "Egg Bank Plc"<onlinesecure@egg.com> Subject: Online Banking Secure Message Alert! Date: Mon, 19 Apr 2010 14:46:29 +0100 X-SMTP-Proto: ESMTPA X-Ehlo: user X-Mail-From: onlinesecure@egg.com X-Rcpt-To: <victim1>@yahoo.co.uk X-Rcpt-To: <victim2>@yahoo.com X-Rcpt-To: <victim3>@yahoo.co.uk X-Rcpt-To: <victim4>@hotmail.co.uk (...) X-Rcpt-To: <victimn>@aol.com LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 11/31

Case Study (cont.) X-Sensor-Dstport: 1080 X-Src-Proto: SOCKS 5 X-Src-IP: 41.155.50.138 X-Src-Hostname: dial-pool50.lg.starcomms.net X-Src-ASN: 33776 X-Src-OS: unknown X-Src-RIR: afrinic X-Src-CC: NG X-Src-Dnsbl: zen=pbl (Spamhaus) X-Dst-IP: 195.4.92.9 X-Dst-Hostname: virtual0.mx.freenet.de X-Dst-ASN: 5430 X-Dst-Dstport: 25 X-Dst-RIR: ripencc X-Dst-CC: DE LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 12/31

Case Study (cont.) <table width="561"> <tbody><tr><td><br><font face="arial" size="2"> You have 1 new Security Message Alert! <br><br> Log In into your account to review the new credit limit terms and conditions..<br> </font><p><font face="arial" size="2"><br><font face="arial"> </font></font><font face="arial"><a rel="nofollow" target="_blank" href="http://www.mosaic.org.za/images/index.html"> Click here to Log In</a></font></p> <font face="arial"> </font><font face="arial" size="2"> </font><p><font face="arial" size="2"><br><br> Egg bank Online Service<br> </font></p> <font face="arial" size="2"> </font><hr> <font face="arial" size="2"> <font color="999999" size="1"> Egg bank Security Department</font></font></td></tr></tbody></table> LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 13/31

Case Study (cont.) LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 14/31

Partners/Members Area LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 15/31

Partners/Members Home LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 16/31

Statistics last 15 minutes LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 17/31

Statistics last 15 minutes Country Codes LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 18/31

Statistics last 15 minutes ASes LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 19/31

Statistics last 15 minutes ports LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 20/31

Statistics last 15 minutes CIDRs LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 21/31

Statistics last 15 minutes IPs LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 22/31

Statistics MRTG LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 23/31

Statistics Country Codes Daily LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 24/31

LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 25/31 Mining Spam Campaigns

Motivation Spampots collect a huge volume of spams (4+ million spams/day) How to make sense of all this data? Data Mining! Cluster spam messages into Spam Campaigns to isolate the traffic associated to each spammer Correlate spam campaign attributes to unveil different spamming strategies Data Mining research conducted by the e-speed Lab, DCC/UFMG LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 26/31

The Pattern Tree Approach Features are extracted from spam messages (subject, URLs, layout etc) We organize them hierarquically inserting more frequent features on the top levels of the tree Campaigns delimited by sequence of invariants LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 27/31

Pajek Pajek Data reduction The Pattern Tree grouped 350M spam messages into 60K spam campaigns; Obfuscation patterns are naturally discovered! Automatically deals with new and unknown campaign obfuscation techniques LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 28/31

Ongoing Work comparing the views provided from different spampots differences according to region/country type of network (academic, commercial, broadband, etc) factorial design experiment to determine effects of spampots parameters investigating the connection between bots and open proxies / open relays LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 29/31

Looking for Partners Interested in... Hosting a sensor requirements: 1 public IP address, low-end server (or VM), 1Mb/s, no filtering All partners will have access to all data if they want Receiving data spams, URLs, IPs abusing the sensors, etc Helping to improve the technology Analysis, capture, collection, correlation with other data sources, etc LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 30/31

References Brazilian Internet Steering Comittee CGI.br http://www.cgi.br/ Computer Emergency Response Team Brazil CERT.br http://www.cert.br/ Previous presentations about the project http://www.cert.br/presentations/ SpamPots Project white paper (in Portuguese) http://www.cert.br/docs/whitepapers/spampots/ LACNIC XIII, 5 th LACSEC, Curaçao May 19, 2010 p. 31/31

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information