Bots Used to Facilitate

Matt Ziemniak

• Discuss Snort lab improvements
• Spam as a vehicle behind cyber threats
• Bots and botnets
• What can be done

Lab Improvements

• Build more complex rules
• Provide more interaction with snort.conf file and
• Explain how Snort works in a real-world setting
• Make both labs Snort-related

Cyber-related Crimes

• Phishing
• Spyware
• Nigerian scams
• Child pornography

Why Spam is an Issue

• Loss of employee
• Money spent on
• Dissemination of viruses, spyware, and phishing

Spam - Distribution in the Past

• Open relay mail servers
• Open HTTP proxies
• Worms/mass mailers

Spam - A Better Method

• Find a way to automate the spamming process while remaining anonymous

What is a Bot

• Short for robot. A computer program that performs a function such as forwarding e-mail, responding to newsgroup messages, or searching for information.

Common uses for a Bot

• Web crawlers/search agents
• Interacting with online games
• Monitoring IRC channels

Only limited by imagination

Malicious Bots

• Keylogging
• Denial-of-Service Attacks
• Identity Theft (hosting spoofed websites)
• Spread malware

GENERATE SPAM!

Types of Bots

• Internet Relay Chat (IRC)
• Hypertext Transfer Protocol (HTTP)
• P2P (peer-to-peer file sharing)

What is IRC

• An online system that allows real-time
• Consists of an IRC server and an IRC client; the connection between the two is called a
• Members join chat rooms to discuss various topics (may be password protected)
• Can be used for file sharing

IRC Bots

• Program that interacts with an IRC server in an automated fashion
• Typically used to monitor a channel when an individual is away from the computer
• Can be modified by anyone with programming skills (C++, Perl, Delphi)
• IRC has its own scripting language

From Bots to Botnets

• An individual gains control of many bots that reside on different users’ computers
• Controlled by a “bot master” who uses a
• The bots connect to the IRC server and wait for commands from the bot master

[Diagram: a bot master at the top controlling several bots below]

HTTP Bots

• Commonly used to generate spam
• User typically visits a website and downloads a trojan or other piece of malware
• Connection is made to a web server operated by a bot master
• More software is downloaded onto user’s

HTTP Botnet Infection

[Diagram: infection chain, Exploit -> Trojan -> Bot Client]

Methods to spam

• Use compromised computer as spam proxy
• Use compromised computer as mail relay
• Obtain email addresses from compromised computer (harvesting)

Difficult to Trace Origin

• HTTP redirects
• Path to actual site leads to IPs across different countries (bouncing)
• Compromised proxies don’t log connections
• Tank farms act like middlemen by pushing the spam through proxies

Growing Concern

• "At the end of last year we knew of about 2,000 botnets. Towards the end of this year, we're looking at about 300,000."

Source: Jesse Villa, Frontbridge Technologies

Importance of Research

• Gathering intelligence regarding botnet
• Use tools such as honeypots, intrusion detection systems, packet sniffers
• Perform trend analysis on data, source information, log files (firewall and IDS)
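The following is an added example, not part of the original slides, showing the kind of trend analysis over firewall log lines that the "Importance of Research" slide calls for, applied to the two spam methods described earlier (compromised hosts used as spam proxies or mail relays). It looks for the IRC rendezvous pattern (many internal hosts connecting to the same external IRC server) and for workstations that attempt outbound SMTP even though they are not mail servers, then correlates the two. The log layout, the addresses, the port numbers, the "known mail server" list and the thresholds are all assumptions chosen for the illustration; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log. Assumed layout:
#   date time ACTION PROTO src:port -> dst:port
SAMPLE_LOG = """\
2005-03-01 09:00:01 ACCEPT TCP 10.0.0.12:3412 -> 203.0.113.5:6667
2005-03-01 09:00:03 ACCEPT TCP 10.0.0.17:3877 -> 203.0.113.5:6667
2005-03-01 09:00:04 ACCEPT TCP 10.0.0.21:1045 -> 203.0.113.5:6667
2005-03-01 09:00:09 ACCEPT TCP 10.0.0.33:2077 -> 203.0.113.5:6667
2005-03-01 09:00:15 ACCEPT TCP 10.0.0.12:3450 -> 198.51.100.9:25
2005-03-01 09:00:16 ACCEPT TCP 10.0.0.12:3451 -> 198.51.100.10:25
2005-03-01 09:00:18 ACCEPT TCP 10.0.0.17:3899 -> 198.51.100.11:25
2005-03-01 09:00:20 ACCEPT TCP 10.0.0.5:4101 -> 198.51.100.12:25
2005-03-01 09:00:25 ACCEPT TCP 10.0.0.40:1120 -> 192.0.2.80:80
2005-03-01 09:00:30 DROP TCP 10.0.0.21:1050 -> 198.51.100.13:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

MAIL_SERVERS = {"10.0.0.5"}  # assumed: the only host allowed to send SMTP directly
IRC_PORTS = {6667}           # assumed: the IRC port in use on this network
SMTP_PORT = 25


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_irc_rendezvous(records, min_clients=3):
    """External hosts on an IRC port that several distinct internal hosts connect to.

    Many internal machines all reporting to the same IRC server is the
    rendezvous pattern of an IRC botnet: the bots join and wait for commands.
    """
    clients = defaultdict(set)
    for r in records:
        if r["dport"] in IRC_PORTS and r["action"] == "ACCEPT":
            clients[r["dst"]].add(r["src"])
    return {
        dst: sorted(srcs, key=ipaddress.ip_address)
        for dst, srcs in clients.items()
        if len(srcs) >= min_clients
    }


def find_unexpected_smtp(records, mail_servers=MAIL_SERVERS):
    """Internal hosts other than the designated mail servers attempting outbound SMTP.

    Dropped attempts count too: a workstation trying to relay mail is the
    signal, whether or not the firewall let the connection through.
    """
    counts = defaultdict(int)
    for r in records:
        if r["dport"] == SMTP_PORT and r["src"] not in mail_servers:
            counts[r["src"]] += 1
    return dict(counts)


def correlate(irc_hits, smtp_hits):
    """Hosts that both checked in with a suspected IRC controller and sent SMTP."""
    controlled = {src for srcs in irc_hits.values() for src in srcs}
    return sorted(controlled & set(smtp_hits), key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    irc = find_irc_rendezvous(recs)
    smtp = find_unexpected_smtp(recs)
    print("Suspected IRC controllers:", irc)
    print("Unexpected SMTP senders:", smtp)
    print("Likely spam bots:", correlate(irc, smtp))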

How Industry can Help

• Educate employees
• Increase security measures
• Develop security products
• Share information and resources

