Bots Used to Facilitate Spam

1
Bots Used to Facilitate Spam

• Matt Ziemniak

2
Outline

• Discuss Snort lab improvements
• Spam as a vehicle behind cyber threats
• Bots and botnets
• What can be done

3
Lab Improvements

• Build more complex rules
• Provide more interaction with snort.conf file and
  installation
• Explain how snort works in real-world setting
• Make both labs snort-related

4
Cyber-related Crimes

• Phishing
• Spyware
• Nigerian scams
• Child pornography

5
Why Spam is an Issue

• Loss of employee production
• Money spent on hardware/software
• Dissemination of viruses, spyware, and phishing
  schemes

6
Spam- Distribution in the Past

• Open relay mail servers
• Open HTTP proxies
• Worms/mass mailers

7
Spam- A Better Method

• Find a way to automate the spamming process while
  remaining anonymous

BOTS
8
What is a Bot

• Short for robot. A computer program that
  performs a function such as forwarding e-mail,
  responding to newsgroup messages, or searching
  for information.
• Source http//www.computeruser.com/resources/dict
  ionary

9
Common uses for a Bot

• Web crawlers/search agents
• Interacting with online games
• Monitoring IRC channels
• Only limited by imagination

10
Malicious Bots

• Keylogging
• Denial-of-Service Attacks
• Identity Theft (hosting spoofed websites)
• Spread malware
• GENERATE SPAM!

11
Types of Bots

• Internet Relay Chat (IRC)
• Hyper-Text Transfer Protocol (HTTP)
• P2P (Peer-to-Peer file sharing)

12
What is IRC

• An online system that allows real-time
  communications
• Consists of an IRC server and an IRC client the
  connection between the two is called a channel
• Members join chat rooms to discuss various topics
  (may be password protected)
• Can be used for file sharing

13
IRC Bots

• Program that interacts with an IRC server in an
  automated fashion
• Typically used to monitor a channel when an
  individual is away from the computer
• Can be modified by anyone with programming skills
  (C, PERL, DELPHI )
• IRC has its own scripting language

14
From Bots to Botnets

• An individual gains control of many bots that
  reside on different users computers
• Controlled by a bot master who uses a
  command/control
• The bots connect to the IRC server and wait for
  commands from the bot master

Bot Master
Bot
Bot
Bot
15
HTTP Bots

• Commonly used to generate spam
• User typically visits website and downloads a
  trojan or other piece of malware
• Connection is made to a web server operated by a
  bot master
• More software is downloaded onto users computer

16
HTTP Botnet Infection
Browser Exploit
Trojan Download
Bot ClientDownloaded
17
Methods to spam

• Use compromised computer as spam proxy
• Use compromised computer as mail relay
• Obtain email addresses from compromised computer
  (harvesting)

18
Difficult to Trace Origin

• HTTP redirects
• Path to actual site leads to IPs across
  different countries (bouncing)
• Compromised proxies dont log connections
• Tank farms act like middlemen by pushing the spam
  through proxies

19
Growing Concern

• "At the end of last year we knew of about 2,000
  botnets. Towards the end of this year, we're
  looking at about 300,000,".
• Source Jesse Villa, Frontbridge Technologies
• http//www.pcworldmalta.com/specials/yearend04/goo
  dandbad.htm.

20
Importance of Research

• Gathering intelligence regarding botnet activity
• Use tools such as honeypots, intrusion detection
  systems, packet sniffers
• Perform trends analysis on data, source
  information, log files (firewall and IDS)

21
How Industry can Help

• Educate employees
• Increase security measures
• Develop security products
• Share information and resources

22
Questions