Friday, March 23, 2007

Unusual E-mail Activity

I've been noticing unusual e-mail activity at my NYU account. 3-4 times in the past month I've got 'MAILER-DAEMON' failure notice e-mails when I've not sent mail to those addresses.

An example is:

Subject: failure notice
Hi. This is the qmail-send program at mail.yifansoft.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

So, have other people also been getting such emails too?
And what could these signify?
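One check a mail administrator would run on a notice like the one quoted above, added here as an example (it is not part of the post): parse the qmail-send failure notice, pull out the reporting MTA, the failed recipients and the enhanced status code, and compare the recipients against the local MTA's own sent-mail log. A permanent bounce for a message the local MTA never sent is backscatter, i.e. a bounce of someone else's message that carried a forged sender address. The sample notice is constructed after the quoted one; the recipient address is a placeholder because the post elides it, and the sent-mail log is a stand-in set of addresses.

```python
"""Parse qmail-send failure notices and flag bounces for mail that was never sent."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the notice quoted in the post. The recipient
# (someone@example.com) is a placeholder; the post does not show the real one.
SAMPLE_BOUNCE = """\
Subject: failure notice
Hi. This is the qmail-send program at mail.yifansoft.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<someone@example.com>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)
"""

MTA_RE = re.compile(r"This is the qmail-send program at (\S+)\.")
RCPT_RE = re.compile(r"^<([^>]+)>:$")          # qmail lists each failed address as <addr>:
STATUS_RE = re.compile(r"#(\d\.\d+\.\d+)")      # enhanced status code, e.g. (#5.1.1)


@dataclass
class Bounce:
    reporting_mta: str
    failed: list = field(default_factory=list)  # (address, status, reason)


def parse_qmail_bounce(text):
    """Extract the reporting MTA and the per-recipient failure lines."""
    m = MTA_RE.search(text)
    mta = m.group(1) if m else "unknown"
    bounce = Bounce(mta)
    lines = text.splitlines()
    for i, line in enumerate(lines):
        rm = RCPT_RE.match(line.strip())
        if rm and i + 1 < len(lines):
            reason = lines[i + 1].strip()
            sm = STATUS_RE.search(reason)
            bounce.failed.append((rm.group(1).lower(), sm.group(1) if sm else None, reason))
    return bounce


def is_permanent(status):
    """RFC 3463 status codes starting with 5 are permanent failures."""
    return bool(status) and status.startswith("5.")


def classify(bounce, sent_log):
    """sent_log: addresses the local MTA actually delivered mail to.

    Returns ("genuine", []) when every failed recipient is in the sent log,
    otherwise ("backscatter", <addresses we never mailed>).
    """
    sent = {a.lower() for a in sent_log}
    unexpected = [addr for addr, _, _ in bounce.failed if addr not in sent]
    return ("backscatter", unexpected) if unexpected else ("genuine", [])


if __name__ == "__main__":
    b = parse_qmail_bounce(SAMPLE_BOUNCE)
    print("reporting MTA:", b.reporting_mta)
    for addr, status, reason in b.failed:
        print(f"  {addr}: {status} permanent={is_permanent(status)} ({reason})")
    # Stand-in sent log: the local MTA never mailed this address.
    print(classify(b, sent_log=set()))
```

In practice the sent log would be the MTA's queue or delivery log keyed by recipient; the point of the comparison is that backscatter needs no local response other than filtering, since nothing on the local side was compromised.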

Monday, March 19, 2007

Can DNS Blacklists keep up with Bots

This is a short paper by Anirudh Ramachandran, David Dagon and Nick Feamster of the College of Computing at the Georgia Institute of Technology. It evaluates the effectiveness and responsiveness of DNS blacklists in blocking spam.

According to the authors, DNSBLs were an effective method when spammers were less agile. These days, however, with automated botnets sending spam, spam comes from a much larger number of IP addresses and each sending host is relatively transient. This transience requires the blacklists to be highly responsive.

The paper goes on to describe an experiment and then reports preliminary results. The authors conclude that over 60% of the lookups came from just one domain, that around 10% of bots generate lookups from a large number of distinct domains, and that only 5% of those bots are blacklisted.

Monday, March 12, 2007

A Short Visit to the Bot Zoo

A short paper by Elias Levy and Ivan Arce.

This paper starts by explaining the origin of bots and their evolution into their current state. It then describes the characteristics of bots and explains that a bot works essentially by means of a remote control mechanism.

It then explains botnet topologies such as centralized, P2P and random. It notes that the typical functions carried out over the remote control network are either DoS attacks or updates. The remote control facility, and the commands that can be executed through it, differentiate a bot from a worm, a program that propagates itself by attacking other systems and copying itself to them.

Finally, it describes the various types of bots, with a short description of each.

A Multifaceted Approach to Understanding the Botnet Phenomenon

This paper is written by Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis from the Computer Science Department of Johns Hopkins University. The authors attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Over a period of more than three months, they used this infrastructure to track 192 unique IRC botnets ranging in size from a few hundred to several thousand infected end-hosts.

The paper makes two key contributions, namely:

1. the development of an infrastructure to capture and concurrently track multiple botnets, and

2. a comprehensive analysis of measurements reflecting several important structural and behavioral aspects of botnets.

The second section of the paper provides background information on botnets and highlights the challenges associated with botnet detection and tracking.

Section 3 describes the approach the authors developed to infiltrate large numbers of botnets, together with an approach for extracting the binaries collected using their distributed infrastructure.

Section 4 provides an analysis of the collected data.

To conclude, the paper's results draw on the following data:

1. Traffic traces captured at the local darknet over a period of more than three months.

2. IRC logs gathered over the span of three months, covering data from more than 100 botnet channels either visited by the IRC tracker or observed on the honeypot.

3. Results of DNS cache hits from tracking 65 IRC servers for more than 45 days.

Sunday, March 11, 2007

The Zombie Roundup: Understanding, Detecting and Disrupting Botnets

In this paper the authors outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. They then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and argue that a more comprehensive approach is required. They conclude by describing a system that detects botnets using advanced command and control mechanisms by correlating secondary detection data from multiple sources.

The paper starts by quantifying the botnet problem, simply by giving an account of the numbers involved. According to the statistics provided, the number of new bots observed each day rose from less than 2,000 to more than 30,000 over the first six months of 2004. The total number of bot-infected systems has been measured at between 800,000 and 900,000, and CERT has described botnets with more than 100,000 members.

The authors emphasize the rapidly evolving nature and gravity of the botnet problem. They investigate methods of stopping botnets and identify the following three approaches:

1. Prevent systems from being infected: a range of existing techniques apply here, including anti-virus software, firewalls, and automatic patching.

2. Directly detect command and control communication among bots and between bots and controllers.

3. Detect the secondary features of a bot infection such as propagation or attacks.

The focus of this paper is on the second and third methods. It goes on to explain IRC-based communication and the detection of command and control mechanisms. Detection is difficult because several command and control models are in use, including the following:

1. Centralized: a central controller controls all other bots, i.e. the snowflake model.

2. P2P: a peer-to-peer topology.

3. Random: no single bot knows about more than one other bot. Such systems have a very simple design; however, message latency is high and there is no guarantee of delivery.

The paper concludes by noting that the botnet problem requires collaboration among researchers to devise hybrid data analysis techniques, and collaboration between network operators to act on threats more quickly and automatically. Botnets are a global problem that affects the entire Internet community and requires a community effort to stop them.

GLOSSARY:

1. IRC: Internet Relay Chat
2. CERT: Carnegie Mellon University's Computer Emergency Response Team

Revealing Botnet Membership Using DNSBL Counter-Intelligence

This is a paper by Anirudh Ramachandran, Nick Feamster and David Dagon from the College of Computing at the Georgia Institute of Technology. They start by explaining one of the primary contributors to malicious activity on the Internet, i.e. botnets. They then describe mechanisms for bot and botnet detection, focusing mainly on the effectiveness of monitoring lookups to a DNS-based blackhole list (DNSBL) to expose botnet membership.

The authors perform 'counter-intelligence' based on the fact that botmasters (the people who own botnets) themselves perform DNSBL lookups to determine whether their spamming bots are on the blacklist. The major contributions of this paper are as follows:

1. Passive heuristics for counter-intelligence: this includes a definition of the lookup techniques that botmasters are likely to use to verify whether their bots are blacklisted. The key difference is that the detection schemes described here are covert and do not disrupt botnet activity.

2. Study of DNSBL reconnaissance techniques: the authors study the prevalence of existing techniques for finding out which hosts are on a blacklist by analyzing the logs of a mirror of a well-known blackhole list over a 45-day period from November 17, 2005 to December 31, 2005.

3. Identification of new bots: the DNSBL queries that botmasters use to identify "clean" bots are analyzed to determine patterns.

4. DNSBL-based countermeasures: the heuristics developed by the authors could be used to detect reconnaissance in real time, which opens the door to active and immediate countermeasures.

The paper then presents a model of reconnaissance techniques, followed by short descriptions of three types of reconnaissance:

1. Self-Reconnaissance

2. Distributed Reconnaissance

3. Third-party Reconnaissance
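The two Ramachandran, Feamster and Dagon papers summarized on this page both work from the query log of a DNSBL mirror: the first measures how well the blacklist keeps up with bots (how many queried hosts are seen by only one querying domain, and how many widely queried hosts are actually listed), the second looks for reconnaissance in the same log. The following is an added example, my own code rather than either paper's method, that shows the shape of such an analysis on a constructed log. It builds the reversed-octet DNSBL query name, computes the coverage statistics, and applies two simplified heuristics inspired by the self-reconnaissance and third-party reconnaissance categories above: a querier that looks up its own address, and a querier that looks up many addresses yet is never looked up itself (a legitimate mail server both sends and receives mail, so it normally appears on both sides of the lookup graph). The zone name dnsbl.example is a placeholder, the log lines are constructed, and the thresholds are assumptions.

```python
"""Analyse a DNSBL mirror's query log for blacklist coverage and reconnaissance.

Constructed example. The heuristics are simplified illustrations of the
reconnaissance categories described on the page, not the papers' own method.
"""
from collections import defaultdict

DNSBL_ZONE = "dnsbl.example"  # placeholder zone, not a real blacklist

# Constructed log: "<ts> <querier ip> <queried ip> <listed|not_listed>".
# 10.0.0.1-3 act as legitimate mail servers that both query and get queried,
# 198.51.100.7 queries many hosts but is never queried itself, and
# 192.0.2.13 looks up its own address.
SAMPLE_LOG = """\
1 10.0.0.1 192.0.2.10 listed
2 10.0.0.2 192.0.2.10 listed
3 10.0.0.3 192.0.2.10 listed
4 10.0.0.1 192.0.2.11 not_listed
5 10.0.0.2 192.0.2.11 not_listed
6 10.0.0.3 192.0.2.11 not_listed
7 10.0.0.1 192.0.2.12 not_listed
8 10.0.0.1 192.0.2.13 not_listed
9 192.0.2.13 192.0.2.13 not_listed
10 198.51.100.7 192.0.2.20 not_listed
11 198.51.100.7 192.0.2.21 not_listed
12 198.51.100.7 192.0.2.22 not_listed
13 198.51.100.7 192.0.2.23 listed
14 10.0.0.2 10.0.0.1 not_listed
15 10.0.0.3 10.0.0.2 not_listed
16 10.0.0.1 10.0.0.3 not_listed
"""


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """A DNSBL lookup reverses the IPv4 octets and appends the list's zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def parse_log(text):
    """Return (timestamp, querier, target, listed) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, querier, target, result = line.split()
            records.append((int(ts), querier, target, result == "listed"))
    return records


def queriers_per_target(records):
    seen = defaultdict(set)
    for _, querier, target, _ in records:
        seen[target].add(querier)
    return seen


def listed_targets(records):
    return {target for _, _, target, listed in records if listed}


def coverage_stats(records, many=3):
    """Share of queried hosts seen by a single querier, and the share of
    widely queried hosts (>= `many` distinct queriers) the list has caught."""
    per_target = queriers_per_target(records)
    listed = listed_targets(records)
    single = sum(1 for q in per_target.values() if len(q) == 1)
    widely = [t for t, q in per_target.items() if len(q) >= many]
    caught = sum(1 for t in widely if t in listed)
    return {
        "targets": len(per_target),
        "single_querier_fraction": single / len(per_target),
        "widely_queried": len(widely),
        "widely_queried_listed_fraction": caught / len(widely) if widely else 0.0,
    }


def widely_queried_unlisted(records, many=3):
    """Hosts many domains are asking about that the list has not yet caught."""
    per_target = queriers_per_target(records)
    listed = listed_targets(records)
    return {t for t, q in per_target.items() if len(q) >= many and t not in listed}


def self_lookups(records):
    """Self-reconnaissance: a host querying its own address."""
    return {querier for _, querier, target, _ in records if querier == target}


def queries_but_never_queried(records, min_targets=3):
    """Queriers that look up many addresses but never appear as a target."""
    targets_of = defaultdict(set)
    for _, querier, target, _ in records:
        targets_of[querier].add(target)
    all_targets = {target for _, _, target, _ in records}
    return {q for q, ts in targets_of.items()
            if len(ts) >= min_targets and q not in all_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dnsbl_query_name("192.0.2.10"))
    print(coverage_stats(recs))
    print("widely queried, not listed:", widely_queried_unlisted(recs))
    print("self-lookups:", self_lookups(recs))
    print("query-only hosts:", queries_but_never_queried(recs))
```

On a real mirror log the queriers would be aggregated by domain rather than by address, and the degree thresholds would be tuned against known-good mail servers; the shape of the analysis, however, is what the two papers describe: the same log answers both "is the list keeping up" and "who is probing it".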

The paper goes into considerable detail in explaining the tests and methods for analysis used by the authors, and ends by suggesting techniques that DNSBL operators might use to more effectively stem the spam originating from botnets.