Friday, March 23, 2007

Unusual E-mail Activity

I've been noticing unusual e-mail activity at my NYU account. Three or four times in the past month I've received 'MAILER-DAEMON' failure-notice e-mails when I never sent mail to those addresses.

An example is:

Subject: failure notice
Hi. This is the qmail-send program at mail.yifansoft.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)



So, have other people been getting such e-mails too?
And what could they signify?

Monday, March 19, 2007

Can DNS Blacklists Keep Up with Bots?

This is a short paper by Anirudh Ramachandran, David Dagon and Nick Feamster of the College of Computing at the Georgia Institute of Technology. It evaluates the effectiveness and responsiveness of DNS blacklists in blocking spam.

According to the authors, DNSBLs were an effective method when spammers were less agile. These days, however, with automated botnets being used to send spam, spam arrives from a much larger number of IP addresses and each host is relatively transient. This transience requires that the blacklists be highly responsive.
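As background, a DNSBL lookup works by reversing the octets of an IP address and querying the result as a hostname under the blacklist's zone; getting an answer back means the address is listed. A minimal sketch in Python (the blacklist zone is just an illustrative choice; 127.0.0.2 is the conventional test entry most DNSBLs list):

import socket

def is_blacklisted(ip, zone="zen.spamhaus.org"):
    # Reverse the octets: 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org
    reversed_ip = ".".join(ip.split(".")[::-1])
    query = "%s.%s" % (reversed_ip, zone)
    try:
        socket.gethostbyname(query)   # any A record means "listed"
        return True
    except socket.gaierror:           # NXDOMAIN means "not listed"
        return False

print(is_blacklisted("127.0.0.2"))    # the standard DNSBL test address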

The paper goes on to describe an experiment and reports preliminary results. The authors find that over 60% of the bots were looked up by just one domain, that around 10% of bots generated lookups from a large number of distinct domains, and that only 5% of those were blacklisted.

Monday, March 12, 2007

A Short Visit to the Bot Zoo

A short paper by Elias Levy and Ivan Arce.

The paper starts by tracing the origin and evolution of bots into their current state. It then describes bot characteristics and explains that bots work, essentially, by means of a remote control mechanism.
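To make the 'remote control' idea concrete, here is a harmless toy sketch of the kind of command-dispatch loop a bot might run after connecting to its controller. The hostname, command names and handlers are all invented for illustration; this is not taken from the paper:

import socket

def handle_ping(args):
    print("controller is checking liveness")

def handle_update(args):
    print("would fetch a new binary from: %s" % args)

HANDLERS = {"PING": handle_ping, "UPDATE": handle_update}

# Connect to the controller and loop over commands, one per line.
sock = socket.create_connection(("controller.example.com", 6667))
for line in sock.makefile():
    parts = line.strip().split(" ", 1)
    cmd = parts[0].upper()
    args = parts[1] if len(parts) > 1 else ""
    handler = HANDLERS.get(cmd)
    if handler:
        handler(args)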

It further goes on to explain botnet topologies, such as centralized, P2P and random. It mentions that the typical functions that happen over remote control networks are either DoS attacks or updates. The remote control facility and the commands that can be executed from it differentiate a bot from a worm, a program that propagates itself by attacking other systems and copying itself to them.

Finally, it surveys the various types of bots, with a short description of each.

A Multifaceted Approach to Understanding the Botnet Phenomenon

This paper is written by Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis from the Computer Science Department of Johns Hopkins University. The authors attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Over a period of more than three months, they used the infrastructure to track 192 unique IRC botnets ranging in size from a few hundred to several thousand infected end-hosts.

The paper makes two key contributions, namely:

1. the development of an infrastructure to capture and concurrently track multiple botnets, and

2. a comprehensive analysis of measurements reflecting several important structural and behavioral aspects of botnets.

The second section of the paper provides background information on botnets and highlights the challenges associated with botnet detection and tracking.

Section 3 describes the approach the authors developed to infiltrate large numbers of botnets, along with their method for analyzing the binaries collected using the distributed infrastructure.

Section 4 provides an analysis of the collected data.

To conclude, the paper provides the following results:

1. Traffic traces captured at the local darknet over a period of more than three months.

2. IRC logs gathered over the span of three months, covering data from more than 100 botnet channels either visited by the IRC tracker or observed on the honeypot.

3. Results of DNS cache hits from tracking 65 IRC servers for more than 45 days (the cache-probing trick behind this is sketched below).
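The DNS cache probing used for item 3 is worth a quick illustration: by sending a query with recursion disabled, you learn whether a resolver already has a botnet's IRC server name cached, without inserting it into the cache yourself. A minimal sketch using the dnspython library (the domain and resolver address are placeholders):

import dns.flags
import dns.message
import dns.query
import dns.rdatatype

def is_cached(domain, resolver_ip):
    query = dns.message.make_query(domain, dns.rdatatype.A)
    query.flags &= ~dns.flags.RD          # clear Recursion Desired
    response = dns.query.udp(query, resolver_ip, timeout=2)
    return len(response.answer) > 0       # an answer => already cached

print(is_cached("irc.example.com", "192.0.2.53"))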

Sunday, March 11, 2007

The Zombie Roundup: Understanding, Detecting and Disrupting Botnets

In this paper the authors outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. They then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and explain that a more comprehensive approach is required. They conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.

The paper starts by quantifying the botnet problem, simply by giving an account of the numbers involved. According to the statistics provided, the number of new bots observed each day rose from fewer than 2,000 to more than 30,000 over the first six months of 2004. The total number of bot-infected systems has been measured at between 800,000 and 900,000, and CERT has described botnets with more than 100,000 members.

In this paper the authors emphasize the quickly evolving nature and gravity of the botnet problem. They investigate ways of stopping botnets and identify the following three:

1. Prevent systems from being infected: a range of existing techniques applies here, including anti-virus software, firewalls, and automatic patching.

2. Directly detect command and control communication among bots and between bots and controllers.

3. Detect the secondary features of a bot infection such as propagation or attacks.

The focus in this paper is on the second and third methods. It goes on to explain IRC-based communication and detection of command and control mechanisms. Detection is difficult due to the presence of multiple command and control models, which include the following (a toy IRC-detection sketch appears after the list):

1. Centralized: a central controller commands all other bots, i.e. the snowflake model.

2. P2P: a peer-to-peer topology.

3. Random: no single bot knows about more than one other bot. Such systems have a very simple design, but message latency is high and there is no guarantee of delivery.
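As a concrete, deliberately naive illustration of the second detection method, one could scan TCP payloads for IRC protocol verbs on unexpected ports. Real detectors are far more sophisticated; the verb list and threshold here are just my own illustrative choices:

IRC_VERBS = ("NICK ", "JOIN ", "PRIVMSG ", "TOPIC ")

def looks_like_irc(payload):
    # Flag a payload where most lines begin with an IRC command verb.
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    lines = [l for l in text.split("\r\n") if l]
    hits = sum(1 for l in lines if l.upper().startswith(IRC_VERBS))
    return len(lines) > 0 and hits > len(lines) // 2

print(looks_like_irc(b"NICK bot123\r\nJOIN #channel\r\n"))  # True
print(looks_like_irc(b"GET / HTTP/1.0\r\n\r\n"))            # False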

The paper concludes by noting that the botnet problem requires collaboration among researchers to devise hybrid data analysis techniques, and collaboration between network operators to act on threats more quickly and automatically. Botnets are a global problem that affects the entire Internet community, and stopping them requires a community effort.

GLOSSARY:

1. IRC: Internet Relay Chat
2. CERT: Carnegie Mellon University's Computer Emergency Response Team

Revealing Botnet Membership Using DNSBL Counter-Intelligence

This is a paper by Anirudh Ramachandran, Nick Feamster and David Dagon from the College of Computing at the Georgia Institute of Technology. They start by describing one of the primary contributors to malicious activity on the Internet: botnets. They then describe bot and botnet detection mechanisms, focusing mainly on the effectiveness of monitoring lookups to a DNS-based blackhole list (DNSBL) to expose botnet membership.

The authors perform 'counter-intelligence' based on the observation that botmasters (the people who control botnets) themselves perform DNSBL lookups to determine whether their spamming bots appear on a blacklist. The major contributions of this paper are as follows:

1. Passive heuristics for counter-intelligence: a definition of the lookup techniques that botmasters are likely to use to verify whether their bots are blacklisted. The key difference here is that the detection schemes described are covert and do not disrupt botnet activity.

2. Study of DNSBL reconnaissance techniques: The authors study the prevalence of existing techniques of finding out members of a blacklist by analyzing the logs from a mirror of a well-known blackhole list for a 45-day period from November 17, 2005 to December 31, 2005.

3. Identification of new bots: DNSBL queries that are used by botmasters to identify "clean" bots are analyzed to determine patterns.

4. DNSBL-based countermeasures: The heuristics developed by the authors could be used to detect reconnaissance in real-time, which provides potential for active and immediate countermeasures.

The paper then goes on to explain a model for reconnaissance, followed by short descriptions of three types of reconnaissance techniques (a toy detector for the first type follows the list):

1. Self-Reconnaissance

2. Distributed Reconnaissance

3. Third-party Reconnaissance
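Self-reconnaissance, the simplest case, is when a bot looks up its own address in the blacklist. A sketch of how a DNSBL operator might flag this from query logs, assuming (my simplification) that each log record is a (querying IP, queried IP) pair:

def find_self_recon(log_records):
    # Return queriers that looked up their own address in the DNSBL.
    return sorted({querier for querier, target in log_records
                   if querier == target})

records = [("10.0.0.5", "10.0.0.5"),     # bot checking itself
           ("10.0.0.9", "203.0.113.4")]  # ordinary third-party lookup
print(find_self_recon(records))          # ['10.0.0.5']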

The paper goes into considerable detail in explaining the tests and methods for analysis used by the authors, and ends by suggesting techniques that DNSBL operators might use to more effectively stem the spam originating from botnets.

Wednesday, February 28, 2007

A Crawler-based study of Spyware on the Web

This paper examines the threat of malicious spyware from an Internet perspective. The researchers studied the Web with a crawler, examining executables and conventional Web pages for malicious objects.

To find spyware-infected executables on the Web, they first determined whether a Web object contains executable software, then downloaded, installed and executed that software on a virtual machine, and finally analyzed whether the installation or execution caused a spyware infection.

They also discuss the types of spyware found, such as adware, keyloggers, Trojan downloaders, browser hijackers and dialers.

Certain defense mechanisms against spyware, such as signature-based tools and blacklisting, are discussed in detail.
Signature-based anti-spyware tools are one of the most common defenses. Such a tool compares a database of spyware signatures against the files and processes on a client computer, so it can detect when the computer is infected with known spyware programs (a toy signature scanner is sketched below).
Blacklisting: to keep spyware in check, blacklists are maintained of URLs or domains suspected of hosting spyware, making it easy for a firewall or proxy to block clients from accessing the listed sites.
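A minimal sketch of the signature-matching idea, here reduced to hashing files and comparing them against a set of known-bad digests. The digest value and scan path are made up for illustration:

import hashlib
import os

KNOWN_BAD = {"3f786850e387550fdab836ed7e6dc881de23001b"}  # made-up digest

def scan(root):
    # Walk a directory tree and report files whose SHA-1 is known bad.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha1(f.read()).hexdigest()
            if digest in KNOWN_BAD:
                print("possible spyware:", path)

scan("/tmp/downloads")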


The paper then explains the drive-by download attack: its infrastructure, where it originates, the infections it causes, and its effect on the Firefox browser.
· A drive-by download is a program that is automatically downloaded to the user's computer, often without the user's consent or knowledge. It may, for example, replace the user's home page and change browser settings.
· It occurs when a victim visits a Web page with malicious content.
· They examined URLs from eight different Web categories and calculated the fraction of URLs and domains in each that were infectious. They found no drive-by download attacks in either the "kids" or "news" sites, whereas there were more attacks on the "pirate" sites.


Glossary
· A web crawler is a program or automated script that browses the WWW in a methodical, automated manner; it is a type of bot or software agent. As the crawler visits URLs, it identifies all the hyperlinks in each page and adds them to the list of URLs to visit (a minimal sketch follows).
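That visit-and-extract loop is simple enough to sketch with the Python standard library. The seed URL is a placeholder, and a real crawler would add politeness delays, robots.txt checks and much better error handling:

import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

class LinkParser(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(urljoin(self.base, value))

frontier, seen = ["http://www.example.com/"], set()
while frontier and len(seen) < 10:        # small cap for the demo
    url = frontier.pop(0)                 # pop from the front: breadth-first
    if url in seen:
        continue
    seen.add(url)
    try:
        page = urllib.request.urlopen(url, timeout=5).read()
    except Exception:
        continue
    parser = LinkParser(url)
    parser.feed(page.decode("utf-8", "replace"))
    frontier.extend(parser.links)
print(sorted(seen))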

Honeypot Systems

A Virtual Honeypot Framework - Niels Provos

Let us understand the concept of a honeypot in real life. Imagine a pot of honey lying uncovered. What do you expect will happen? Naturally, bees will be attracted to it.

Here, the honey-filled pot is a dummy computer used to lure the 'bees', which can be anything malicious, from worms to spam mails. We want to study how these bees are attracted to the honey, to learn more about them and their behaviour. The more we know about something, the better our defences against it.

So the honeypot is not exactly a new invention; it has been widely used in computer security for a while now. Then you may ask: what is the point of this paper?

Well, the problem with honeypots is that they are expensive and time-consuming. Hence the need for virtual honeypots - Honeyd.

Honeyd creates virtual honeypot networks. A virtual honeypot is simulated by another machine that responds to network traffic sent to it. The system simulates TCP and UDP services, and simulates only the network-stack portion of the OS.

Design and Implementation:

i) Receiving Network Data: The architecture is set up so that traffic destined for all the virtual honeypots reaches Honeyd. Honeyd replies only to those network packets whose destination IP address belongs to one of the simulated honeypots.

ii) Architecture: It consists of several components - a configuration database, a central packet dispatcher, protocol handlers, a personality engine and an optional routing component (a sample configuration is sketched after this list).

iii) Personality Engine: Adversaries keep adapting and getting cleverer as detection techniques improve. A common fingerprinting tool like Xprobe or Nmap can probe a honeypot and establish that it is a dummy. Therefore we need to simulate the network behaviour of a given operating system: the personality engine changes TCP header options and other parameters to match the behaviour of that system's network stack.

iv) Routing Topology: We need to simulate routing topologies to deceive adversaries. Honeyd creates a virtual routing topology and can split it across machines using GRE tunnels, which also allows load balancing.
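For flavour, here is the sort of configuration the Honeyd documentation shows; this is a hedged sketch from memory, so the exact directives, script paths and personality strings may differ by version. It defines a template that fingerprints as Windows, attaches a fake web service, and binds the template to an IP address:

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 80 "sh scripts/fake-web.sh"
add windows tcp port 139 open
bind 192.168.1.201 windows

The personality line is what drives the personality engine described in iii): replies from 192.168.1.201 are shaped to look like that operating system's network stack.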

Potential applications for Honeyd include network decoys, detecting and countering worms and spam prevention.

In conclusion, a regular PC can simulate thousands of honeypots using Honeyd, thereby reducing the expense and time component greatly.

Understanding the Network Level Behaviour of Spammers

A paper by Anirudh Ramachandran and Nick Feamster.

This paper studies the network level behaviour of spammers, including: IP address ranges that send the most spam, common spamming modes, persistence of each spamming host across time and characteristics of botnets sending spam. It is very descriptive in nature and gives a good background of previous related work in this area.

The researchers studied and analyzed a 17 month trace of over 10 million spam messages collected from the internet by creating what they call a "spam sinkhole". They then correlated this data with the results of IP-based blacklist lookups, routing information and botnet "command and control" traces.

Towards the goal of developing techniques for designing more robust network-level spam filters, the researchers characterize the network-level behaviour of spammers as observed at the "spam sinkhole" they created for testing purposes, with complete logs of all spam received from August 2004 through December 2005.

It goes on to summarize previous work in this field and explains spamming methods and the corresponding mitigation techniques. Reading these parts proves extremely useful, as one gets a good insight into the topic at hand.

The paper further explains how the "sinkhole" collects its data. The researchers configured the sinkhole to accept all mail, regardless of the username it was destined for, and to gather network-level properties of the mail relay from which spam was received. The following information is collected about the mail relay once spam arrives (a toy sinkhole is sketched after the list):

1. The IP address of the relay that established a connection to the sinkhole when the spam was received.

2. A traceroute to that IP address, to estimate the network location of the mail relay.

3. A passive "p0f" TCP fingerprint, based on properties of the TCP stack, to determine the operating system of the mail relay.

4. The results of DNS blacklist lookups for that mail relay at eight different blacklists.
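A minimal sketch of the "accept everything and log the relay" idea, using Python's standard-library smtpd module (present in the Python versions of this era, removed in very recent ones). The port is arbitrary, and a real sinkhole would also run the traceroute, p0f and DNSBL steps on each connection:

import asyncore
import smtpd

class Sinkhole(smtpd.SMTPServer):
    # Accept mail for any recipient and record where it came from.
    def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
        relay_ip = peer[0]
        print("spam from relay %s, MAIL FROM=%s, %d recipient(s)"
              % (relay_ip, mailfrom, len(rcpttos)))
        # A real sinkhole would now traceroute the relay, take a p0f
        # fingerprint, and query several DNS blacklists.

server = Sinkhole(("0.0.0.0", 2525), None)
asyncore.loop()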

The paper then goes on to present the collected data in various formats and to derive a set of conclusions, which are listed as follows:

1. The vast majority of received spam arrives from a few concentrated portions of IP address space.

2. Most received spam is sent by Windows hosts. Most bots sending spam are active for a single period of less than two minutes.

3. A small set of spammers continually uses short-lived route announcements to remain untraceable.

Tuesday, February 13, 2007

What if a computer lies?

Merin George, Nishank Modi and Ankur Bhamri
(under guidance of Prof. L. Subramanian)

Welcome to our blog! Please register with blogspot so I can add you to the list of people who can contribute here.

Cheers.