Wednesday, June 9, 2010

Behind the SPAM: A look at Botnets, Malware, and the Spammers who run them.


Speaker:     Terry Zink, Program Manager, Microsoft

Goals:

  1. Understand the current threat landscape
  2. Understand what Microsoft is doing in this space
  3. Understand how Microsoft combats these threats

Variety

  1. (Terry performed a card trick at this time)
  2. Trick cards?
  3. Sleight of hand?
  4. Secret partner?
  5. Something else?

Spammers?

  1. Russian Business Network (RBN)
    1. worst of the worst.
    2. Responsible for the Storm botnet
    3. ISP – phishing, spam, malware
    4. Bullet-proof hosting “ISP allows you to do anything”
    5. Based in St. Petersburg, Russia
    6. Offers Web Hosting
      1. Now allegedly also involved in black-hat SEO, DoS attacks, and rogue antivirus
  2. The Partnerka
    1. Use a lot of Web 2.0
    2. Affiliate marketing – will drive traffic to your site
    3. Black-hat SEO, spam, malware
      1. Spam is less lucrative but is still done by the more elite spammers
      2. Upload spammy content through throwaway accounts on sites like Facebook and Twitter
  3. Glavmed

How much money do they actually make?

  1. Meds4U - $16,000/month
  2. CoolCodecs
    1. $6,500/month
  3. MegaSales.ru
    1. $25/sale
    2. $4,916 in 11 days
  4. "I am a spammer" thread (reddit.com)
    1. $1,000/day

Forefront Online – Total inbound mail 400-600 billion per quarter.


Spam Trends – Gambling and 419 are up

Phishing – sites are looking very legitimate

Avalanche – group responsible for two-thirds of all phishing sites.

Phishing needs 3 things:

  1. The phish email gets sent.
  2. It bypasses the phishing filters.
  3. The user clicks on the link.

Sender Policy Framework (SPF) – a domain publishes the IP addresses authorized to send mail on its behalf in a DNS TXT record; the receiving mail server looks the record up and compares the connecting IP against it.

Botnet distribution (July 2009)

  1. Rustock – 39.7%
    1. Older botnet (c.2005)
    2. #1 Spammer
    3. No discernible pattern in its mail headers
    4. "Sleepy" behavior – sends in a slow drizzle rather than bursts
    5. Sophisticated polymorphic rootkit botnet
      1. Implemented as a kernel driver, so it runs at the lowest level of the system
      2. Infects system drivers and defends itself against anti-rootkit tools
      3. Some samples are tied to the infected machine's hardware and won't run on other systems
      4. More prevalent on older versions of Windows
      5. US, Korea, Japan, UK, Romania
    6. Prefers to deliver over TLS; the decryption load slows down mail gateways
    7. Forefront Online responded by no longer accepting TLS connections from known botnet IPs
  2. Bagle-cb – 28.6%
    1. Been around since 2004
    2. Spread by email or p2p
  3. Cutwail – 10.4%
  4. Lethic – 8.6%
  5. Grum – 6.7%
  6. Donbot – …
  7. Waledac
    1. Newbie – 2008.
    2. Main purpose is to spam
    3. Propagates by spamming links to itself
    4. Binary is packed with several packers (obfuscated)
    5. Makes use of multiple fast-flux nodes
    6. Uses encryption between nodes – hard to track
    7. Characteristics of its spam:
      1. Recognizable HELO string
    8. US, Brazil, South Korea, Spain, France

Operation b49

  1. Microsoft took down the Waledac botnet
  2. Microsoft got a court order to shut down the domains that were the "home of the botnet"

Pushdo/Cutwail

  1. Pushdo is the malware (the dropper); Cutwail is the spamming software it installs
  2. Cutwail encryption key string: "reva gurd iuh an it ak-lehsoP" (reversed Russian, meaning "screw you, my friend AV'er")
  3. Multi-threaded
  4. Recognizable HELO string
  5. US, Russia, Japan, Brazil, …

Fast Flux & Double Fast Flux

  1. Very clever technique for keeping spam and phishing sites reachable
  2. Check out http://www.rxcoenbitee.cn
    1. I looked up the following for a better description: http://en.wikipedia.org/wiki/Fast_flux
  3. Changes the DNS A records every 10 minutes – victims are constantly redirected to a different compromised host
  4. Double Fast Flux – also rotates the NS records, so the authoritative name servers themselves keep changing
  5. Makes it very difficult for anti-spam systems to keep up
  6. How do you stop double fast flux?
    1. You make really big lists.
    2. Run listener programs throughout the world that collect DNS resolutions in real time and send them to the main list.
  7. Regex
    1. FOBE uses regexes to predict where spam is going to come from …hmm.
    2. Trafficconverter.biz
      1. -> Conficker worm
      2. Started using MD6 in January
      3. Switched
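The detection side of the fast-flux discussion above, as an added example that is not part of the original notes or of any Microsoft tooling. It takes DNS resolutions collected by listeners in several locations (the observations below are constructed lines in an assumed "timestamp listener name rrtype value ttl" format, with made-up `.example` names) and classifies each name as stable, single-flux (A records rotating across unrelated networks with a short TTL) or double-flux (the name servers themselves also flux). The network-diversity check is there for the obvious false positive: a CDN also uses short TTLs and several IPs, but they sit in its own address space.

```python
import ipaddress

# Constructed listener output (assumed format): ts listener name rrtype value ttl
OBSERVATIONS = """\
1276000000 us-east  flux.example A  203.0.113.17 300
1276000000 eu-west  flux.example A  198.51.100.44 300
1276000600 us-east  flux.example A  192.0.2.201 300
1276000600 ap-south flux.example A  203.0.113.99 300
1276001200 eu-west  flux.example A  198.51.100.7 300
1276000000 us-east  flux.example NS ns1.flux.example 300
1276000000 us-east  ns1.flux.example A 192.0.2.9 300
1276000600 eu-west  ns1.flux.example A 203.0.113.120 300
1276001200 ap-south ns1.flux.example A 198.51.100.200 300
1276000000 us-east  static.example A 192.0.2.50 86400
1276000600 eu-west  static.example A 192.0.2.50 86400
1276001200 ap-south static.example A 192.0.2.50 86400
1276000000 us-east  cdn.example A 203.0.113.5 60
1276000600 eu-west  cdn.example A 203.0.113.6 60
1276001200 ap-south cdn.example A 203.0.113.7 60
"""


def parse_observations(text):
    """Turn the listener lines into a list of dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, listener, name, rrtype, value, ttl = line.split()
        rows.append({"ts": int(ts), "listener": listener, "name": name,
                     "rrtype": rrtype, "value": value, "ttl": int(ttl)})
    return rows


def a_record_profile(rows, name):
    """Distinct A-record IPs, how many /24s they span, and the lowest TTL seen."""
    a_rows = [r for r in rows if r["name"] == name and r["rrtype"] == "A"]
    ips = {r["value"] for r in a_rows}
    # /24 is a crude stand-in for "different network"; ASN data would be better.
    networks = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
    return {"ips": ips, "networks": len(networks),
            "min_ttl": min((r["ttl"] for r in a_rows), default=None)}


def is_fluxing(profile, min_ips=3, min_networks=2, max_ttl=600):
    """Short TTL plus many IPs spread over unrelated networks -> fluxing."""
    return (profile["min_ttl"] is not None and profile["min_ttl"] <= max_ttl
            and len(profile["ips"]) >= min_ips
            and profile["networks"] >= min_networks)


def classify(rows):
    """Map every resolved name to 'stable', 'single-flux' or 'double-flux'."""
    verdicts = {}
    for name in {r["name"] for r in rows if r["rrtype"] == "A"}:
        if not is_fluxing(a_record_profile(rows, name)):
            verdicts[name] = "stable"
            continue
        # Double flux: the name servers for this name are themselves fluxing.
        ns_hosts = {r["value"] for r in rows
                    if r["name"] == name and r["rrtype"] == "NS"}
        if any(is_fluxing(a_record_profile(rows, ns)) for ns in ns_hosts):
            verdicts[name] = "double-flux"
        else:
            verdicts[name] = "single-flux"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(classify(parse_observations(OBSERVATIONS)).items()):
        print(f"{name:20} {verdict}")
```

The thresholds are assumptions to tune against your own resolver data; the structure of the check is the point: collect resolutions from many vantage points (a single resolver caches for the TTL and sees only one IP), then look at TTL, IP churn and network diversity together rather than at any one of them.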

Summary

  1. Spam up
  2. Phishing up
  3. Malware up
  4. Botnets up
  5. Piracy down
  6. Detection green up
