July 11

Admittedly, stopping botnets is not easy. Their decentralized nature, and their use of unsuspecting people, who are not criminals but paying customers you want to keep, makes it difficult to attack the front line. Instead, defending requires some unearthing to find the source of the problem. That digging admittedly becomes harder and harder as botnets become smarter and wilier.

- Comcast blocked port 25 (the port used to send out mail) for high-volume customers in an effort to stop its network being used as a spam hub. While the company claims it resulted in a 35% decrease in spam through its networks, that was two years ago, and today Comcast has had a difficult time keeping up with botnets' rerouting behavior (e.g. using open relays or tunneling through other compromised systems outside of the network).
- The port blocking technique shifts the problem in another direction, towards customer support. While the majority of an ISP's customers are not spammers, port blocking ends up creating a lot of false positives, blocking sent email that shouldn't be blocked. That requires customers to be handled one at a time to deal with their exceptions. Blocking is a desperate and dangerous move (in terms of company image and brand) to make. Matt Sergeant of MessageLabs disagrees, though. He says the overwhelming majority of home users are not sending SMTP mail through their own computer but rather through the SMTP server of their ISP, so the number of exceptions is actually quite low. In his experience, the number of people asking to be lifted from the port block is small.
- Volunteers who work with ISPs and law enforcement to pinpoint the bot herders' command-and-control infrastructure. The previous lack of support is now being met with support from the FBI.
- Service providers calling customers to help them disinfect their systems is not economically feasible.
- Operation Bot Roast - The FBI's program to go after botnet creators, because the problem has become an issue of national security. The FBI contacted more than one million PC owners whose machines it suspects are zombie computers. Since instituting the program just last month, the FBI has nabbed three U.S.-based bot herders. As of July 15th, 2007, the FBI has 70 active investigations of high-profile spammers using botnets.
- Microsoft labs reverse engineered the process and put themselves in the path of the botnet creators. They let machines become infected, thereby becoming zombie drones. Once a machine was a drone, Microsoft researchers looked backwards to see who was issuing the commands, and they were able to see the IP addresses of the computers sending the spamming requests to their infected machines. Through 2006, Microsoft initiated 129 lawsuits against spammers in Europe, the Middle East, and North America.
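The port-25 discussion above turns on one distinction: a home machine that relays through the ISP's own mail server looks nothing like a zombie that connects straight to hundreds of remote mail exchangers, and a blanket block treats both the same. The script below is an added example, not code from the original post or from Comcast or MessageLabs; it runs a per-host heuristic over constructed outbound flow records ("source destination port", one connection per line) and separates smarthost relaying, authenticated submission on port 587, a small legitimate MTA, and spambot-like spraying. The smarthost address, the sample hosts and the threshold of 20 distinct direct peers are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original post): "src_ip dst_ip dst_port",
# one outbound connection per line, as a perimeter device might export them.
SAMPLE_FLOWS = "\n".join(
    # 10.0.0.5 relays through the ISP smarthost only (the common home-user case)
    ["10.0.0.5 198.51.100.10 25"] * 6
    # 10.0.0.7 uses the message submission port 587, untouched by a port-25 block
    + ["10.0.0.7 203.0.113.40 587"] * 3
    # 10.0.0.3 runs its own small MTA and talks to two remote MX hosts directly
    + ["10.0.0.3 192.0.2.11 25", "10.0.0.3 192.0.2.12 25"]
    # 10.0.0.9 sprays port 25 at forty distinct remote hosts: spambot behaviour
    + [f"10.0.0.9 192.0.2.{n} 25" for n in range(20, 60)]
)

ISP_SMARTHOSTS = {"198.51.100.10"}  # constructed address for the ISP's own mail server
SPRAY_THRESHOLD = 20                # distinct direct port-25 peers before a host is flagged


def parse_flows(text):
    """Yield (src, dst, dport) tuples from 'src dst dport' lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, dport = parts
        yield src, dst, int(dport)


def classify_hosts(text, smarthosts=ISP_SMARTHOSTS, threshold=SPRAY_THRESHOLD):
    """Return {src_ip: category} for every source that sent mail-related traffic.

    'smarthost'  - port 25 only to the ISP's own servers (expected home-user behaviour)
    'submission' - port 587 only (authenticated submission, never subject to the block)
    'direct-mx'  - a few direct port-25 peers (a small legitimate mail server)
    'spray'      - many distinct direct port-25 peers (what a spam zombie looks like)
    """
    direct_peers = defaultdict(set)
    uses_smarthost = set()
    uses_submission = set()
    for src, dst, dport in parse_flows(text):
        if dport == 587:
            uses_submission.add(src)
        elif dport == 25:
            if dst in smarthosts:
                uses_smarthost.add(src)
            else:
                direct_peers[src].add(dst)
    result = {}
    for src in uses_smarthost | uses_submission | set(direct_peers):
        peers = len(direct_peers.get(src, ()))
        if peers >= threshold:
            result[src] = "spray"
        elif peers > 0:
            result[src] = "direct-mx"
        elif src in uses_smarthost:
            result[src] = "smarthost"
        else:
            result[src] = "submission"
    return result


def blanket_block_collateral(text, smarthosts=ISP_SMARTHOSTS, threshold=SPRAY_THRESHOLD):
    """Hosts a blanket outbound port-25 block would break without the heuristic flagging them:
    these are the support exceptions the post describes."""
    cats = classify_hosts(text, smarthosts, threshold)
    return sorted(h for h, c in cats.items() if c == "direct-mx")


if __name__ == "__main__":
    for host, cat in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{host:10} {cat}")
    print("collateral of a blanket block:", blanket_block_collateral(SAMPLE_FLOWS))
```

On the constructed sample only 10.0.0.9 is flagged, and only 10.0.0.3 ends up as collateral, which is the shape of Sergeant's argument: when nearly everyone relays through the ISP, the exception list stays short. The threshold is a knob, not a truth; a real deployment would tune it against a few weeks of flow history before acting on it.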
This is the fifth part of a five-part post about botnets. The other four parts are:

I encourage comments, corrections, or additions to any information in any of the five parts.

July 10

This fourth part of the botnet series reviews some of the theories people have about the success of botnets and the inability to stop their proliferation. Again, these are all just theories and are not necessarily all true.

- The general public doesn't know about botnets - Outside of the security business, people don't know what botnets are or how to protect themselves from being a host. Botnet creators count on that ignorance to build their networks of zombie computers.
- People want botnets - This is quite an "out there" theory, but it has some merit. If a computer owner is selfish (doesn't engage in the free sharing behavior that's so inherent across the Internet), they might want a botnet on their computer to fight off other botnets (a traditional behavior of botnets is to fend off competing botnets), keeping those from coming on to their system and making it a target of botnet attacks.
- The less harm botnets do to their host computer, the more they will proliferate - The only time people fix their computer is when it's running slow or behaving strangely. Otherwise, they don't fix it. As long as botnets don't create any perceivable change in a computer's behavior, users will see no need to fix their computer.
- Internet fraud is a cost of doing business - Like any business that has to calculate theft as a part of doing business, people in the ad industry have accepted Internet fraud like click fraud (a behavior that can be conducted by a botnet) as a cost of doing business. Instead of solving the problem, they just calculate the shortage into total costs, and therefore prices, like pay per click (PPC), increase as a result.
- Service providers are the source of the most abuse - Since spam is coming through ISPs' mail servers, they are seen as the gateway and should have stricter controls. What those will necessarily be is anyone's guess. Read the fifth part of the botnet series for more insight.
This is the fourth part of a five-part post about botnets. The other four parts are:

I encourage comments, corrections, or additions to any information in any of the five parts.

Part three of the botnet series reviews the behavioral attributes of bots. Here's a summary.

- No harm to your computer - The reason people don't seem to be so upset about bot behavior is that there's no recognizable change in their computing activity. Unlike malicious viruses and spyware that can slow down or corrupt your system, a well-designed bot stays hidden, treats its host computer well, and only attacks other machines.
- Bot-on-bot violence - Bots fight over territory, each trying to be the one and only controllable host on your computer. For that reason, some bots behave like anti-virus programs, scanning for and deleting competing infections to defend their turf.
- Hijacked computers become DNS (Domain Name System) servers - They provide domain resolution services to bypass IP tracking or blacklists. There's no need to change the DNS record or hosting; just change IP addresses and do your own resolution to point to your own servers. It works great for spam-based phishing scams.
- Peer-to-peer distribution - Control commands are sent out to multiple nodes on the botnet. They handle the dirty work in a decentralized fashion, making it difficult to find the master node and shut the botnet down.
- Digitally signed commands - Commands are signed and encoded, which makes them difficult to uncover.
- Harvesting email addresses - The bot starts collecting email addresses from an infected computer's hard drive, from the Internet, newsgroups, social networks, and chat room conversations. This behavior is known as a spambot, and the generated mailing list waits for instructions to issue the next spam attack.
- Harvesting more than just email addresses - Abundant public information, like names, addresses, and zip codes, is collected to create genuine-looking phishing emails.
- Installs a generic SOCKS proxy - To communicate outside your firewall, a SOCKS proxy is set up, creating an open gateway for an infected machine to start sending spam.
- Controlled through an IRC (Internet Relay Chat) server - The "bot herder", the one who controls the network of bots, operates through an IRC server or a channel on a public IRC network. That's the traditional method. According to Matt Sergeant of MessageLabs, they're now finding new paths using P2P protocols like eDonkey. Others are using straight SSL connections.
- Bot herders and spammers are usually two different entities - Often they're not the same, and the spammer purchases access to the botnet from the operator/bot herder. I wouldn't be surprised if they've already started to vertically integrate.
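The "hijacked computers become DNS servers" attribute above has a footprint a resolver operator can look for: a name whose answers keep rotating through addresses in unrelated networks with very short TTLs, so that blacklisting any one address achieves nothing. The script below is an added example, not code from the original post or from MessageLabs; it summarizes constructed resolver-log lines ("epoch domain answer_ip ttl") per domain and reports names that hop across many /24 networks on short TTLs. The domain names, addresses, and the thresholds of five networks and a 300-second TTL are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver-log lines (not from the original post): "epoch domain answer_ip ttl".
# mail.example.net: a stable host, one address, long TTL.
# cdn.example.org: a legitimate load-balanced name, a few addresses in one network.
# flux.example: answers rotate through thirty unrelated networks on a 120-second TTL,
# the pattern a bot-hosted resolution service produces.
_LINES = (
    [f"{1183939200 + h * 3600} mail.example.net 203.0.113.8 3600" for h in range(3)]
    + [f"{1183939200 + h * 300} cdn.example.org 198.51.100.2{h} 300" for h in range(3)]
    + [f"{1183939200 + h * 120} flux.example 198.18.{h}.{h + 1} 120" for h in range(30)]
)
SAMPLE_DNS = "\n".join(_LINES)

MIN_NETWORKS = 5   # distinct /24s before a name looks like it is hopping between hosts
MAX_TTL = 300      # seconds; short TTLs are what let the operator swap addresses quickly


def parse_dns_log(text):
    """Yield (epoch, domain, answer_ip, ttl) from each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, name, ip, ttl = parts
        yield int(ts), name.lower().rstrip("."), ip, int(ttl)


def summarize(text):
    """Per domain: number of distinct answer IPs, distinct /24 networks, and the largest TTL seen."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    max_ttl = {}
    for _, name, ip, ttl in parse_dns_log(text):
        ips[name].add(ip)
        # strict=False lets ip_network mask a host address down to its /24
        nets[name].add(str(ip_network(f"{ip}/24", strict=False)))
        max_ttl[name] = max(max_ttl.get(name, 0), ttl)
    return {
        name: {"ips": len(ips[name]), "networks": len(nets[name]), "max_ttl": max_ttl[name]}
        for name in ips
    }


def flux_candidates(text, min_networks=MIN_NETWORKS, max_ttl=MAX_TTL):
    """Names whose answers spread over many networks with consistently short TTLs.

    Treat the output as a review list, not a blocklist: some content-delivery networks
    spread a name across networks too, so check the candidates against mail and web logs first.
    """
    stats = summarize(text)
    return sorted(
        name for name, s in stats.items()
        if s["networks"] >= min_networks and s["max_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for name, s in sorted(summarize(SAMPLE_DNS).items()):
        print(f"{name:18} ips={s['ips']:3} networks={s['networks']:3} max_ttl={s['max_ttl']}")
    print("candidates:", flux_candidates(SAMPLE_DNS))
```

Counting /24 networks rather than raw addresses is what keeps the load-balanced cdn.example.org off the list: three addresses in one network is ordinary hosting, thirty networks in an hour is not. The same summary is also a useful input when an ISP is asked which of its customers' addresses are being advertised as someone else's "name server".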
This is the third part of a five-part post about botnets. The other four parts are:

I encourage comments, corrections, or additions to any information in any of the five parts.

July 09

Depending on which report you read (you'll see me saying this a lot), there's been either a dramatic or a hyper-dramatic rise (don't ask me to explain the difference) in spam, which can all be attributed to spammers taking advantage of botnets. Read part 1 for an explanation of botnets. In the world of reporting spam you have to look at many sources, because there can be a multiple-fold difference between one company's experience and another's. Here's a summary of some of the statistics on compromised computers being used as bot armies for the transmission of spam, distributed denial of service attacks, and more.

- "In any 24-hour period we'll see a million different IP addresses being used in coordinated attacks, and 50,000 operating at any given instant." (Source: Postini told InfoWorld in Nov. 2006)
- "Estimates vary, but a reasonable guess is that between one and five percent of the computers on the net are infected with bots." (Source: Ed Foster, Oct. 2006)
- For the first six months of 2006, an average of 57,000 active bots were observed being used every day. Those bots came from a pool of 4.7 million compromised computers. (Source: Symantec study reported by eWEEK, Oct. 2006)
- There are 6 to 8 million compromised computers or zombie hosts that are responsible for 85% of the Internet's spam. They have the power to send 160 million messages in just a few hours. A single botnet army could contain as many as 200,000 infected computers. Prime targets are poorly secured home computers with dedicated fast Internet connections. (Source: 2006 Spam Trends Report: Year of the Zombies from Commtouch, December 2006)
- The FBI's "Operation Bot Roast" has identified 1 million compromised computers (U.S. based). They are a growing threat to US national security, the national information infrastructure, and the economy. (Source: FBI, June 2007)
- Microsoft labs set up a drone computer to quickly become a zombie so as to track these botnet army requests. "In less than three weeks, the Microsoft lab's zombie computer received more than five million requests to send 18 million spam e-mails. These requests contained advertisements for more than 13,000 unique domains." (Source: Consumeraffairs.com, Jan. 2007)
Botnets are possible due to the Internet's underlying lack of accountability and the fact that most people don't know their computers are part of a botnet army.

In its truest sense, a botnet is a collection of PCs, connected to the Internet, that have been implanted with a program that can carry out specific actions on behalf of a remote controller. In that sense, there's nothing inherently wrong with a botnet. It can be thought of as distributed computing, sort of like the SETI@home project, where people voluntarily download an application to their computer. When the computer is not being used, it participates in a large distributed processing application that looks for extraterrestrial intelligence.

Well, that was the "feel good" explanation of botnets: people knowingly and voluntarily letting their computers take part in a greater good. Unfortunately, nobody sees botnets in that light anymore. Botnets are now used in conjunction with terms like hijacked computers, viruses, worms, distributed denial of service attacks, and spam. These programs arrive on people's computers unknowingly, through email viruses, spyware, or phishing attacks. They are hidden, often cause no harm on the host computer, and wait in a dormant state until a remote controller calls on them with instructions. En masse, the collected infected computers can be viewed as botnet armies. A single general can request mass, coordinated actions like fraudulent ad clicks, distributed denial of service attacks, stuffing online polling ballots, and even logging keystrokes to phish for sensitive personal information (e.g. passwords, credit cards, bank account records).

This is the second part of a five-part post about botnets. The other four parts are:

I encourage comments, corrections, or additions to any information in any of the five parts.

Botnets have recently received higher recognition as an avenue for distributing spam in an efficient manner that gets around the traditional means of defense, blacklists. Spammers don't usually create botnets; they rent access to them so that they can blast out their spam. Botnets are hard to stop and are one of the top sources of the dramatic increase in spam.

This is the first part of a five-part post about botnets. I was going to write this all in one post, but since there's so much information, I decided to divide it up into five posts. The other four parts are:

I encourage comments, corrections, or additions to any information in any of the five parts.