Understanding large-scale spamming botnets from Internet edge sites

Tatsuya Mori, Holly Esquivel, Aditya Akella, Akihiro Shimoda, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

    5 Citations (Scopus)

    Abstract

    This paper aims to understand empirically the impact of a large-scale spamming botnet, and the effectiveness of targeting its core infrastructure (its C&C servers), from the viewpoint of several Internet edge sites. We also attempt to study the characteristics of the spamming botnet in the long term, to see how quickly bot masters react and what type of action they take. Our primary target in this paper is Srizbi, formerly one of the world's worst known spamming botnets, whose C&C servers were shut down by its upstream ISPs on November 11, 2008. We conduct an extensive measurement study spanning a large volume of e-mail delivery logs and packet traces collected at five vantage points. The measurement period spans three years and includes the rise and fall of the botnet. We leverage passive TCP fingerprinting on the collected packet traces to identify bot-infected hosts and the spam messages sent from them. We first extract variants of the known TCP signatures that are associated with the spamming botnet by correlating the data sets in the time and space domains. Next, by using the signatures, we quantify the volume of spam sent from the botnet and the effectiveness of the C&C server shutdown from an Internet edge site perspective. We attempt to study the characteristics of the spamming botnet in both the time and space domains. We reveal several findings that are useful in understanding the spread of spamming botnets; specifically, we note the steady growth of the botnet's size and the rapid version transition after the shutdown of the C&C servers. We also estimate the entire size of the Srizbi botnet. We then study how the botnet membership is distributed around the globe and how its size changed over time.

    Original language: English
    Title of host publication: 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2010
    Publisher: Conference on Email and Anti-Spam, CEAS
    Publication status: Published - 2010
    Event: 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2010 - Redmond, WA
    Duration: 2010 Jul 13 to 2010 Jul 14

    Other

    Other: 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2010
    City: Redmond, WA
    Period: 10/7/13 to 10/7/14

    Fingerprint

    Spamming
    Internet
    Servers
    Botnet

    ASJC Scopus subject areas

    • Software

    Cite this

    Mori, T., Esquivel, H., Akella, A., Shimoda, A., & Goto, S. (2010). Understanding large-scale spamming botnets from Internet edge sites. In 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2010. Conference on Email and Anti-Spam, CEAS.
