DOI: 10.1145/2030376.2030395

A strategic analysis of spam botnets operations

Published: 01 September 2011

Abstract

We present in this paper a strategic analysis of spam botnet operations: we study the inter-relationships among botnets through their spam campaigns, focusing on similarities and differences in their modus operandi. The contributions of this paper are threefold. First, we provide an in-depth analysis which, in contrast with previous studies on spamming bots, focuses on the long-term, strategic behavior of spam botnets as observed through their aggregate spam campaigns. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly MessageLabs) through worldwide distributed spamtraps. Second, we demonstrate the usefulness of emerging attack attribution methodologies for extracting intelligence from large spam data sets and for correlating spam campaigns according to various combinations of features. By leveraging these techniques, which rely on data fusion and multi-criteria decision analysis, we show that tight relationships exist among certain botnet families (such as Rustock/Grum or Lethic/Maazben), but we also underline profound differences in the spam campaigns performed by other bots, such as Rustock versus Lethic, Bagle or Xarvester. Finally, we use the very same attribution methodology to analyze the recent Rustock take-down, which took place on March 17, 2011. Contrary to previous claims, our experimental results show that Bagle has probably not taken over Rustock's role; instead, we found substantial evidence that part of Rustock's activity may have been offloaded to Grum shortly after the take-down operation.
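The correlation step the abstract describes, as an added example rather than code from the paper: every pair of campaigns is compared on several features, each with a metric suited to its type (Jaccard overlap for sets, one minus the Jensen-Shannon divergence for distributions), and the per-feature scores are fused with an Ordered Weighted Averaging (OWA) operator, the standard multi-criteria aggregation used in this style of attack attribution. The three features chosen here (origin ASNs of the sending bots, source-country mix, subject-line templates), the OWA weights, the linking threshold and the four campaign summaries are all assumptions constructed for illustration; the abstract does not give the paper's actual feature set or weights, and the AS numbers come from the documentation range.

```python
"""Multi-criteria correlation of spam campaigns (added example, not the
paper's code). Each campaign is described by several features; a similarity
is computed per feature with a metric that fits the feature type, and the
per-feature scores are fused with an Ordered Weighted Averaging (OWA)
operator so that two campaigns are linked only when several criteria agree.
All campaign data below is constructed; the AS numbers are from the
documentation range (AS64496-AS64511) and do not denote real networks.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Campaign:
    name: str
    src_asns: set[int]      # origin ASNs of the sending bots (assumed feature)
    countries: Counter      # messages per source country (assumed feature)
    subjects: set[str]      # normalised subject-line templates (assumed feature)


def jaccard(a: set, b: set) -> float:
    """Overlap of two sets in [0, 1]; 1.0 means identical sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def js_similarity(p: Counter, q: Counter) -> float:
    """1 - Jensen-Shannon divergence (log base 2), so the result lies in
    [0, 1] and 1.0 means identical distributions."""
    tp, tq = sum(p.values()), sum(q.values())
    P = {k: v / tp for k, v in p.items()}
    Q = {k: v / tq for k, v in q.items()}
    M = {k: 0.5 * (P.get(k, 0.0) + Q.get(k, 0.0)) for k in set(P) | set(Q)}

    def kl(a: dict[str, float]) -> float:
        return sum(a[k] * math.log2(a[k] / M[k]) for k in a if a[k] > 0)

    return 1.0 - 0.5 * (kl(P) + kl(Q))


def owa(scores: list[float], weights: tuple[float, ...]) -> float:
    """Ordered Weighted Averaging: the i-th weight applies to the i-th largest
    score, not to a fixed feature. weights=(1, 0, 0) is the max (any single
    feature suffices); (0.1, 0.5, 0.4) lets the two weaker criteria dominate,
    which encodes "at least two features must agree"."""
    if len(scores) != len(weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must match the criteria count and sum to 1")
    return sum(w * s for w, s in zip(weights, sorted(scores, reverse=True)))


def feature_scores(a: Campaign, b: Campaign) -> list[float]:
    """One similarity per criterion: ASN overlap, country mix, subject overlap."""
    return [
        jaccard(a.src_asns, b.src_asns),
        js_similarity(a.countries, b.countries),
        jaccard(a.subjects, b.subjects),
    ]


def correlate(campaigns: list[Campaign],
              weights: tuple[float, ...] = (0.1, 0.5, 0.4),
              threshold: float = 0.5) -> dict[tuple[str, str], float]:
    """Fused score for every pair of campaigns that reaches the threshold."""
    links: dict[tuple[str, str], float] = {}
    for a, b in combinations(campaigns, 2):
        score = owa(feature_scores(a, b), weights)
        if score >= threshold:
            links[(a.name, b.name)] = round(score, 3)
    return links


# Constructed spamtrap summaries: A and B share most origin ASNs and nearly
# the same country mix but only one subject template; C differs on every
# feature; D has exactly A's country mix but nothing else in common with A.
CAMPAIGNS = [
    Campaign("A", {64496, 64497, 64498, 64499},
             Counter({"US": 50, "BR": 30, "IN": 20}),
             {"pharmacy", "replica watches"}),
    Campaign("B", {64496, 64497, 64498, 64500},
             Counter({"US": 45, "BR": 35, "IN": 20}),
             {"pharmacy", "online casino"}),
    Campaign("C", {64505, 64506, 64507},
             Counter({"RU": 60, "UA": 30, "US": 10}),
             {"lottery winner"}),
    Campaign("D", {64508, 64509},
             Counter({"US": 50, "BR": 30, "IN": 20}),
             {"job offer"}),
]


def demo() -> dict[tuple[str, str], float]:
    links = correlate(CAMPAIGNS)
    for (x, y), score in links.items():
        print(f"{x} <-> {y}: fused similarity {score}")
    return links


if __name__ == "__main__":
    demo()
```

With these constructed inputs only A and B are linked (fused score 0.533): two of their three criteria agree. D matches A's country distribution exactly but shares no ASN and no subject template, and the OWA weights reduce that single coincidence to a fused score of 0.1; a max-type fusion (weights (1, 0, 0)) would have linked A and D on it. Suppressing exactly that kind of spurious one-feature relationship is the reason for fusing criteria with OWA rather than with a maximum or a plain average.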


Published In

CEAS '11: Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
September 2011
230 pages
ISBN: 9781450307888
DOI: 10.1145/2030376

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Rustock take-down
  2. botnet intelligence
  3. spam botnets

Cited By

  • (2020) Detecting botnet by using particle swarm optimization algorithm based on voting system. Future Generation Computer Systems. doi:10.1016/j.future.2020.01.055, Feb 2020
  • (2019) On Security Threats of Botnets to Cyber Systems. 2019 6th International Conference on Signal Processing and Integrated Networks (SPIN), pp. 176-183. doi:10.1109/SPIN.2019.8711780, Mar 2019
  • (2019) Detecting Automatically Generated Tweets Using Lexical Analysis and Profile Credibility. 2019 4th International Conference on Information Technology Research (ICITR), pp. 1-6. doi:10.1109/ICITR49409.2019.9407800, 10 Dec 2019
  • (2018) Emotional Bots: Content-based Spammer Detection on Social Media. 2018 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1-8. doi:10.1109/WIFS.2018.8630760, Dec 2018
  • (2016) A new approach to bot detection. Proceedings of the 2016 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, pp. 533-540. doi:10.5555/3192424.3192525, 18 Aug 2016
  • (2016) Understanding the Detection of View Fraud in Video Content Portals. Proceedings of the 25th International Conference on World Wide Web, pp. 357-368. doi:10.1145/2872427.2882980, 11 Apr 2016
  • (2016) A new approach to bot detection: Striking the balance between precision and recall. 2016 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), pp. 533-540. doi:10.1109/ASONAM.2016.7752287, Aug 2016
  • (2016) Heterogeneous Architectures: Malware and Countermeasures. Secure System Design and Trustable Computing, pp. 421-438. doi:10.1007/978-3-319-14971-4_13, 2016
  • (2015) OnionBots. Proceedings of the 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 69-80. doi:10.1109/DSN.2015.40, 22 Jun 2015
  • (2015) A Comprehensive Study of Email Spam Botnet Detection. IEEE Communications Surveys & Tutorials 17(4), pp. 2271-2295. doi:10.1109/COMST.2015.2459015, Dec 2016
