The Harvester, the Botmaster, and the Spammer:
On the Relations Between the Different Actors in the Spam Landscape
Gianluca Stringhini, Oliver Hohlfeld*, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
*RWTH Aachen
The Harvester, the Botmaster, and the Spammer 2
Spammer
Setting Up a Spam Operation
Harvester
Botmaster
What are the relations between the different actors in a spam operation?
Fingerprinting the Actors
Harvesters: Disseminate email addresses on the web
Spammers: Fingerprint spam campaigns
Botnets: Each botnet implements SMTP differently [USENIX2012]
Fingerprinting the Entire Operation
Fingerprinting Email Harvesters
Server-side dynamic script to generate unique addresses
Websites of various types [IMC2012]
Various ways of embedding email addresses
Plaintext, mailto links, obfuscated JavaScript
We recorded IP address and user agent of visitors
Fingerprinting Botnets
SMTP Dialects [USENIX2012]
We can uniquely identify an email-sending program by looking at the sequence of SMTP messages
Client: HELO domain
Server: 250 server
Client: RSET
Server: 250 OK
Client: MAIL FROM:<email-addr>
Server: 250 OK
Client: RCPT TO:<email-addr>
Server: 250 OK
Client: DATA
Learning dialects spoken by botnets
Malware samples submitted to Anubis
• 18,849 malware samples sent an email
• 72 unique dialects
• Virustotal labels to name samples
Learning dialects spoken by legitimate clients
Virtual machines running 5 popular MTAs
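An added illustration of dialect-based fingerprinting (example code, not from the paper or its authors): the client verb sequence and one formatting quirk are extracted from a captured SMTP dialogue and matched against known profiles. The profile names, their verb sequences and the sample session are constructed assumptions, not the real botnet dialects.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical dialect profiles, constructed for this example (not the real
# fingerprints from the SMTP-dialects work): ordered client verbs up to DATA,
# plus whether MAIL FROM wraps the address in angle brackets.
DIALECT_PROFILES: Dict[str, Tuple[Tuple[str, ...], bool]] = {
    "hypothetical_botnet_A": (("HELO", "RSET", "MAIL", "RCPT", "DATA"), True),
    "hypothetical_botnet_B": (("HELO", "MAIL", "RCPT", "DATA"), False),
    "hypothetical_mta_C": (("EHLO", "MAIL", "RCPT", "DATA"), True),
}
SERVER_REPLY = re.compile(r"^\d{3}[ -]")  # server replies start with a 3-digit code

def client_lines(transcript: str) -> List[str]:
    """Keep only the client side of a captured dialogue, up to and including DATA."""
    kept = []
    for line in transcript.splitlines():
        line = line.strip()
        if not line or SERVER_REPLY.match(line):
            continue
        kept.append(line)
        if line.upper() == "DATA":  # the message body follows; it is not dialect
            break
    return kept

def fingerprint(lines: List[str]) -> Tuple[Tuple[str, ...], bool]:
    """Reduce client lines to (verb sequence, angle brackets used in MAIL FROM)."""
    verbs = tuple(line.split(None, 1)[0].upper() for line in lines)
    mail = next((ln for ln in lines if ln.upper().startswith("MAIL")), "")
    return verbs, ("<" in mail and ">" in mail)

def classify(transcript: str) -> Optional[str]:
    """Name the profile matching the observed dialogue exactly, else None."""
    observed = fingerprint(client_lines(transcript))
    for name, profile in DIALECT_PROFILES.items():
        if profile == observed:
            return name
    return None

# Constructed session mirroring the exchange on the slide (client and server lines).
SAMPLE_SESSION = """HELO sender.example.test
250 mx.example.test
RSET
250 OK
MAIL FROM:<spammer@example.test>
250 OK
RCPT TO:<victim@example.test>
250 OK
DATA
"""
```

A real classifier would add more quirks (EHLO extensions requested, line endings, timing between commands) and tolerate partial matches rather than requiring the exact sequence.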
Fingerprinting Spammers
We assume that a single spammer is responsible for each spam campaign
We cluster emails into campaigns by:
• Subject line
• URL domain
• Mailer
• Sender email address
Analysis of the Collected Data
Analysis of the Harvesters
9 different harvesters
613 email addresses were harvested
A single harvester harvested 415 addresses
Distributed harvester composed of 56 IP addresses
Turnaround time between 5 days and almost two years
Analysis of the SMTP Dialects
2,024 emails received, sent by 7 different dialects
3 large botnets (Cutwail, Lethic, Kelihos)
2 MTAs (Postfix and Sendmail)
Country Distribution - Lethic
Country Distribution - Cutwail
Country Distribution - MTAs
Analysis of the Spam Campaigns
Campaign   Number of Emails   Topic
1          64                 Counterfeit goods
2          180                Online dating
3          8                  Financial scam
4          533                SEO
5          7                  Email marketing
6          6                  Phishing scam
7          30                 Phishing scam
8          5                  Phishing scam
Tracking Spammers Over Time
Each campaign is carried out by a different spammer
Spammers could run two campaigns simultaneously
We identify spammers by botnet + email list
Studying the Relationships Between the Actors
Each botnet was rented by a single spammer
Multiple spammers used the same type of MTA
4 email lists were used by multiple spammers → purchased
Spammers keep using the same email list
Spammers using MTAs are more likely to harvest their email addresses
Conclusions & Lessons Learned
We presented the first end-to-end analysis of the spam delivery ecosystem
Our results show that spammers use the same botnet and the same email list for a long time
This can be leveraged for spam mitigation
Our methodology could be used by other researchers to perform larger-scale studies