Spampots Project Mapping the Abuse of Internet Infrastructure by Spammers

Similar documents
Spampots Project First Results of the International Phase and its Regional Utilization

honeytarg Chapter Activities

Use of Honeypots for Network Monitoring and Situational Awareness

CERT.br Incident Handling and Network Monitoring Activities

Monitoring the Abuse of Open Proxies for Sending Spam

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Preventing your Network from Being Abused by Spammers

Information Security Awareness Videos

Development of an IPv6 Honeypot

Challenges and Best Practices in Fighting Financial Fraud in Brazil

Incident Handling in Brazil

A Multistakeholder Effort to Reduce Spam The Case of Brazil

The Global ecrime Outlook CERT.br National Report

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

Cybersecurity and Incident Response Initiatives: Brazil and Americas

CERT.br: Mission and Services

Phishing and Banking Trojan Cases Affecting Brazil

Distributed Honeypots Project: How It s Being Useful for CERT.br

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

Incident Handling and Internet Security in Brazil

Evolution of Financial Fraud in Brazil

Incident Response and Early Warning Initiatives in Brazil

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

A Campaign-based Characterization of Spamming Strategies

Fraud and Phishing Scam Response Arrangements in Brazil

Alexandr Golubev ( RENAM Association

Spamming Chains: A New Way of Understanding Spammer Behavior

4 Messaging Technology

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

About Botnet, and the influence that Botnet gives to broadband ISP

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

The Brazilian Internet Steering Committee CGI.br Internet Governance Model in Brazil

Phishing Activity Trends

Intrusion Forecasting Framework for Early Warning System against Cyber Attack

SPAM: 101 Cause and Effect

Internet Governance and Regulation in ICLAC - A Review

Security Incidents And Trends In Croatia. Domagoj Klasić

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Unknown threats in Sweden. Study publication August 27, 2014

CYBEROAM UTM s. Outbound Spam Protection Subscription for Service Providers. Securing You. Our Products.

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

TOPICS TO BE COVERED: First Workshop for Computer Security Incident Management Experts

Phishing Activity Trends Report June, 2006

Intercept Anti-Spam Quick Start Guide

Discovering Campaign Based Spamming Strategies

How Do We Discourage Asia from Continuing to be a Source of Spam? 2.1 Introduction. 2.2 Spam Trends. 2. Messaging Technology

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

SonicWALL Security Quick Start Guide. Version 4.6

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

Network and Incident monitoring

The anatomy of an online banking fraud

Phishing Activity Trends Report for the Month of December, 2007

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

Phone Fax

Deploying Layered Security. What is Layered Security?

On and off premises technologies Which is best for you?

The Growing Problem of Outbound Spam

Cyber Security & Role of CERT-In. Dr. Gulshan Rai Director General, CERT-IN Govt. of India grai@mit.gov.in

Ram Dantu. VOIP: Are We Secured?

Configuration Information

Copyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.

Brief self-introduction

One Minute in Cyber Security

Emerging Trends in Fighting Spam

Innovations in Network Security

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Actionable information for security incident response

Scaling Big Data Mining Infrastructure: The Smart Protection Network Experience

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

How To Understand The Security Posture Of Home Internet Users In Australia

December 2010 Report #48

TECHNICAL REPORT. An Analysis of Domain Silver, Inc..pl Domains

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

AVG AntiVirus. How does this benefit you?

Who will win the battle - Spammers or Service Providers?

D m i t r y S l i n k o v, C I S M SWISS C Y B E R S TO R M Black market of cybercrime in Russia

Towards Automated Botnet Detection and Mitigation

CALNET 3 Category 7 Network Based Management Security. Table of Contents

Quick Heal Exchange Protection 4.0

Transforming the Telecoms Business using Big Data and Analytics

Incident Response and Data Protection

Next Generation IPS and Reputation Services

DANCERT RFC2350 Description Date: Dissemination Level:

CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS

An Efficient Methodology for Detecting Spam Using Spot System

APPLICATION PROGRAMMING INTERFACE

CSC474: Network Security

Addressing the blind spots in your security strategy. BT, Venafi & Blue Coat

Communications and Information Technology Commission. Suggested SPAM Monitoring Framework for CITC

Our Mission. Provide traveling, remote and mobile laptop users with corporate-level security

How To Perform A Large Scale Attack On A Large Network

SR B17. The Threat Landscape Continues to Change: How are You Keeping Pace? Dean Turner

How To Perform A Large Scale Attack On A Large Computer System

F-Secure Messaging Security Gateway. Deployment Guide

May 2011 Report #53. The following trends are highlighted in the May 2011 report:

Kaspersky Security 8.0 for Microsoft Exchange Servers Administrator s Guide

Transcription:

Spampots Project Mapping the Abuse of Internet Infrastructure by Spammers Klaus Steding-Jessen jessen@cert.br Cristine Hoepers cristine@cert.br CERT.br Computer Emergency Response Team Brazil NIC.br Network Information Center Brazil CGI.br Brazilian Internet Steering Committee 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 1/32

About CERT.br Created in 1997 as the national focal point to handle computer security incident reports and activities related to networks connected to the Internet in Brazil. http://www.cert.br/mission.html 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 2/32

Our Parent Organization: CGI.br Among the diverse responsibilities of The Brazilian Internet Steering Committee CGI.br, the main attributions are: to propose policies and procedures related to the regulation of the Internet activities to recommend standards for technical and operational procedures to establish strategic directives related to the use and development of Internet in Brazil to promote studies and technical standards for the network and services security in the country to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br> to collect, organize and disseminate information on Internet services, including indicators and statistics 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 3/32

CGI.br/NIC.br Structure 01- Ministry of Science and Technology 02- Ministry of Communications 03- Presidential Cabinet 04- Ministry of Defense 05- Ministry of Development, Industry and Foreign Trade 06- Ministry of Planning, Budget and Management 07- National Telecommunications Agency 08- National Council of Scientific and Technological Development 09- National Forum of Estate Science and Technology Secretaries 10- Internet Expert 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 4/32 11- Internet Service Providers 12- Telecom Infrastructure Providers 13- Hardware and Software Industries 14- General Business Sector Users 15- Non-governamental Entity 16- Non-governamental Entity 17- Non-governamental Entity 18- Non-governamental Entity 19- Academia 20- Academia 21- Academia

Agenda SpamPots Project Objectives Architecture Overview New Developments Partners/Members Portal Mining Spam Campaigns Ongoing Work 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 5/32

SpamPots Project Objectives Better understand the abuse of the Internet infrastructure by spammers measure the problem from a different point of view: abuse of infrastructure X spams received at the destination Help develop the spam characterization research Measure the abuse of end-user machines to send spam Use the spam collected to improve antispam filters Develop better ways to identify phishing and malware identify botnets via the abuse of open proxies and relays 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 6/32

Architecture Overview Spammers, bots malware, etc Honeypots emulating open proxies and open relays Data Collection: Data Analysis: Collects all data periodically; Checks honeypots status. Data mining process; Generate analysis based on spam content. Storage Storage Members Portal: Statistics; Global distribution of spam campaings; Sample e mails, URLs, etc. Data Warehouse 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 7/32

Parterns Hosting Sensors Sensors hosted by: AT: CERT.at AU: AusCERT BR: CERT.br BR: CSIRT-USP CL: CLCERT NL: SURFcert TW: TWCERT/CC US: Univ. of Washington Tacoma UY: CSIRT Antel Coming soon: AE (aecert), AR (CSIRT Banelco and Univ. de La Plata), DE (Telekom-CERT), EC (Univ. de Loja), GR (FORTH, ICS), MY (MyCERT), PL (CERT Polska), UK (OX-CERT) and two others in US (Univ. of Alabama at Birmingham and IBM) And maybe one in ZA Thanks to SURFcert! 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 8/32

Improving cooperation in spam fighting Provide data to trusted parties Help the constituency to identify infected machines Identify malware and scams targeting their constituency Currently providing data about spams coming from networks assigned to JP - to JADAC / IIJ / JPCERT/CC / Min. of Communications had a workshop in Brazil with representatives from these organizations and local ISPs and network providers to discuss how to reduce spam and network abuse TW - to NCC-TW they are using the data to shutdown spammers infrastructures 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 9/32

New Developments Data capture and collection software rewritten: spamsinkd non-forking multi-threaded event based design using POE framework collect more details about each message store messages in mbox format IPv6 ready spamtestd faster response more control over responses to test messages better data storage design better disk usage facilitate data donation facilitate archival 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 10/32

Case Study IP from Nigeria abuse SOCKS Proxy in Brazil connects at an ISP in Germany to authenticate with a stolen credential to send a phishing to.uk victims with a link to a phony Egg bank site using a South Africa domain hosted at an IP address allocated to UK s largest web hosting company based in Gloucester 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 11/32

Case Study (cont.) From: "Egg Bank Plc"<onlinesecure@egg.com> Subject: Online Banking Secure Message Alert! Date: Mon, 19 Apr 2010 14:46:29 +0100 X-SMTP-Proto: ESMTPA X-Ehlo: user X-Mail-From: onlinesecure@egg.com X-Rcpt-To: <victim1>@yahoo.co.uk X-Rcpt-To: <victim2>@yahoo.com X-Rcpt-To: <victim3>@yahoo.co.uk X-Rcpt-To: <victim4>@hotmail.co.uk (...) X-Rcpt-To: <victimn>@aol.com 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 12/32

Case Study (cont.) X-Sensor-Dstport: 1080 X-Src-Proto: SOCKS 5 X-Src-IP: 41.155.50.138 X-Src-Hostname: dial-pool50.lg.starcomms.net X-Src-ASN: 33776 X-Src-OS: unknown X-Src-RIR: afrinic X-Src-CC: NG X-Src-Dnsbl: zen=pbl (Spamhaus) X-Dst-IP: 195.4.92.9 X-Dst-Hostname: virtual0.mx.freenet.de X-Dst-ASN: 5430 X-Dst-Dstport: 25 X-Dst-RIR: ripencc X-Dst-CC: DE 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 13/32

Case Study (cont.) <table width="561"> <tbody><tr><td><br><font face="arial" size="2"> You have 1 new Security Message Alert! <br><br> Log In into your account to review the new credit limit terms and conditions..<br> </font><p><font face="arial" size="2"><br><font face="arial"> </font></font><font face="arial"><a rel="nofollow" target="_blank" href="http://www.mosaic.org.za/images/index.html"> Click here to Log In</a></font></p> <font face="arial"> </font><font face="arial" size="2"> </font><p><font face="arial" size="2"><br><br> Egg bank Online Service<br> </font></p> <font face="arial" size="2"> </font><hr> <font face="arial" size="2"> <font color="999999" size="1"> Egg bank Security Department</font></font></td></tr></tbody></table> 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 14/32

Case Study (cont.) 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 15/32

Partners/Members Area 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 16/32

Partners/Members Home 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 17/32

Statistics last 15 minutes 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 18/32

Statistics last 15 minutes Country Codes 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 19/32

Statistics last 15 minutes ASes 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 20/32

Statistics last 15 minutes ports 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 21/32

Statistics last 15 minutes CIDRs 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 22/32

Statistics last 15 minutes IPs 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 23/32

Statistics MRTG 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 24/32

Statistics Country Codes Daily 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 25/32

Mining Spam Campaigns 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 26/32

Motivation Spampots collect a huge volume of spams (7+ million spams/day) How to make sense of all this data? Data Mining! Cluster spam messages into Spam Campaigns to isolate the traffic associated to each spammer Correlate spam campaign attributes to unveil different spamming strategies Data Mining research conducted by the e-speed Lab, DCC/UFMG 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 27/32

The Pattern Tree Approach Features are extracted from spam messages (subject, URLs, layout etc) We organize them hierarquically inserting more frequent features on the top levels of the tree Campaigns delimited by sequence of invariants 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 28/32

Pajek Pajek Data reduction The Pattern Tree grouped 350M spam messages into 60K spam campaigns; Obfuscation patterns are naturally discovered! Automatically deals with new and unknown campaign obfuscation techniques 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 29/32

Ongoing Work comparing the views provided from different spampots differences according to region/country type of network (academic, commercial, broadband, etc) factorial design experiment to determine effects of spampots parameters investigating the connection between bots and open proxies / open relays 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 30/32

Looking for Partners Interested in... Hosting a sensor requirements: 1 public IP address, low-end server (or VM), 1Mb/s, no filtering All partners will have access to all data if they want Receiving data spams, URLs, IPs abusing the sensors, etc Helping to improve the technology Analysis, capture, collection, correlation with other data sources, etc 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 31/32

References Brazilian Internet Steering Comittee CGI.br http://www.cgi.br/ Computer Emergency Response Team Brazil CERT.br http://www.cert.br/ Previous presentations about the project http://www.cert.br/presentations/ SpamPots Project white paper (in Portuguese) http://www.cert.br/docs/whitepapers/spampots/ 2010 Annual Meeting of CSIRTs with National Responsibility, Miami, US June, 2010 p. 32/32

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information