cleaning up after the nr 3 spam botnet and the worst
play

Cleaning up after the Nr 3 SPAM botnet and the worst prefix By Erik - PowerPoint PPT Presentation

Feb 27, 2024 •44 likes •314 views

Cleaning up after the Nr 3 SPAM botnet and the worst prefix By Erik Bais RIPE75 October, 2017 1 A bit of background Taking down of the largest GRUM bot network A nice read about this whole story :

  1. Cleaning up after the Nr 3 SPAM botnet and the worst prefix By Erik Bais – RIPE75 October, 2017 1

  2. A bit of background Taking down of the largest GRUM bot network • A nice read about this whole story : https://krebsonsecurity.com/2012/07/top-spam-botnet-grum- unplugged/ • Once a botnet is down, you can see the effects of that botnet (when it has the size of GRUM) in the global spam effects.. 2

  3. Stats of Grum during July – 2012 till shutdown Source: Symantec Message Labs 3

  4. Taking over the IP’s of a C&C … • When all the C&C’s where down, we got access to the ‘GRUM’ IP’s. • And even better .. The actual server was shutdown, but not wiped. ;-) • We wipe the server (after a backup) and setup a secure sinkhole for the zombie’s … 4

  5. Target : Cleaning the zombie’s • Taking down the C&C’s and the botnet will leave a lot of infected PC’s (zombies) … dormant .. • How do you clean those zombies ? • We opted for reporting to the ISP’s per unique connection to the C&C IP’s with a signature.. Once per day .. And later per hour .. • Not all malware has a reliable ‘kill / un-install switch’ and you don’t want to be held responsible for that .. 5

  6. Initial stats by Country and Unique IP’s (Grum) 6

  7. Weather maps of the stats - GRUM 7

  8. So how did we do this ? • Once we had access to the C&C IP’s, we worked together with ISC SANS and Shadowserver for building the right infra for a new feed. • No need to build your own Abuse reporting infra .. Shadowserver already has this infrastructure in place !! • And a lot of ISP’s already parse their messages … 8

  9. Running the feeds • Running the feeds means you would expect some clean-up in the numbers … • Not exactly … ok.. Some improvements .. But not a lot .. 9

  10. The down-side of opt-in reporting • Shadowserver only reports to ISP’s that wanted to receive their messages.. • Yes, those reports are : opt-in .. • So we discussed the approach with Abusix and they suggested the following : – Report each hour on each unique IP connection.. Instead of each day.. – Use abuse mailbox info in the IRR DB’s and send each hour in x-arf. 10

  11. More stats – September 2012 • +---------------------+--------+------+-------------+------------+-------------+-------------+ • | timestamp | source | tag | connections | unique_ips | unique_asns | unique_geos | • +---------------------+--------+------+-------------+------------+-------------+-------------+ • | 2012-09-16 00:00:00 | drones | grum | 1518703 | 87654 | 2161 | 175 | • | 2012-09-15 00:00:00 | drones | grum | 1685809 | 93043 | 2231 | 178 | • | 2012-09-14 00:00:00 | drones | grum | 1819142 | 102839 | 2539 | 185 | • | 2012-09-13 00:00:00 | drones | grum | 1785254 | 105531 | 2603 | 186 | • | 2012-09-12 00:00:00 | drones | grum | 1809333 | 106376 | 2626 | 183 | • | 2012-09-11 00:00:00 | drones | grum | 1874680 | 107011 | 2646 | 185 | • | 2012-09-10 00:00:00 | drones | grum | 1804284 | 106289 | 2635 | 184 | • | 2012-09-09 00:00:00 | drones | grum | 1708316 | 94092 | 2249 | 182 | • | 2012-09-08 00:00:00 | drones | grum | 1720786 | 98288 | 2277 | 177 | • | 2012-09-07 00:00:00 | drones | grum | 1710694 | 106210 | 2534 | 186 | • +---------------------+--------+------+-------------+------------+-------------+-------------+ 11

  12. Results in November 2012 !! • +---------------------+--------+------+-------------+------------+-------------+-------------+ • | timestamp | source | tag | connections | unique_ips | unique_asns | unique_geos | • +---------------------+--------+------+-------------+------------+-------------+-------------+ • | 2012-11-13 00:00:00 | drones | grum | 1200093 | 69840 | 1929 | 173 | • | 2012-11-12 00:00:00 | drones | grum | 1245087 | 69446 | 1916 | 171 | • | 2012-11-11 00:00:00 | drones | grum | 1191635 | 64081 | 1680 | 167 | • | 2012-11-10 00:00:00 | drones | grum | 1159224 | 66043 | 1724 | 173 | • | 2012-11-09 00:00:00 | drones | grum | 1160222 | 71957 | 1946 | 173 | • | 2012-11-08 00:00:00 | drones | grum | 1242629 | 72832 | 1985 | 168 | • | 2012-11-07 00:00:00 | drones | grum | 1261095 | 74043 | 1995 | 172 | 12

  13. The Level3 abuse desk ‘issue’ • The sinkhole hoster almost got shutdown by their upstream because they didn’t matched the reports correctly to their ‘offending’ customers • They thought the sinkhole was the source of the issue .. • This took a couple days to understand the issue and to fix the reporting. – Lesson learned : don’t include the sinkhole IP in the abuse reports. 13

  14. A huge shout out to : 14

  15. Next challenge : the ‘dirtiest’ prefix … • After the experience with the GRUM botnet … we had the opportunity to buy the LIR with IP space from a Dutch bulletproof hoster … • The person running the hoster, was just released by the Dutch Police … and was planning to sell his IP space. • It looked like a proper challenge to get that IP space usable again … 15

  16. How bad was it ? • The IP space was blacklisted listed for several years .. Due to known abuse .. • On SBL .. ( over 75 times .. For the actual /19 and many /32 and /24’s ) • On DROP .. ( Is anyone actually using this ?? ) • and that was just on Spamhaus .. But also on many other RBL’s and lists. 16

  17. Approach • Get full ownership of the LIR. • Change all references from the previous holder to the new holder. • Build a new sinkhole. • Start routing the IP’s to the sinkhole … • See what we find … we might get lucky … 17

  18. Hoping for the jackpot 18

  19. The logs revealed … 12 C&C’s • GRUM bot zombies .. ( I wonder how we found these.. J ) • Citadel zombies • Alina zombies • Black Energy • Fake AV 19

  20. Happy happy joy joy 20

  21. Now what ? • See if anyone is actually null-routing traffic to the specific prefix ..? • RIPE Atlas was a great help in finding any routing issues like SH DROP filtering for instance. • Contacting the RBL owners to de-list the prefix .. 21

  22. Initial replies from the RBL’s 22

  23. Explain it again with more logic … • Show them what we are doing .. • Show initial results of the sinkhole .. • Kindly explain that we can´t (and won’t) be held hostage or accountable from someone elses actions or lack of that.. • Receive kind replies : 23

  24. Selling the IP Space • The new owner knew which IP space he was buying and the reputation of the original owner … Transparency is key .. • They knew upfront about our efforts to clean up the space and the sinkhole. • The sinkhole was provided along with the feeds to Shadowserver and Abusix after the IP transfer. • The buyer wanted to purchase the IP space ‘over time’ … 24

  25. Lessons learned : “ Almost all IP ranges can be cleaned .. But some historic issues, take a HUGE amount of time/effort to clean. And some people would be more than happy to help you.. You might be able to get a good deal as long as you don’t mind null-routing some of the old C&C IP’s in a /19 or so. 25

  26. Any questions ? ??

  27. THANK YOU ADDRESS EMAIL PHONE De Hoefsmid 13 sales@prefixbroker.net +31 85 902 0417 1851PZ Heiloo The Netherlands Feel free to contact us if you have any questions 27

Recommend

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a highly evolved form of information warfare. Fascinating socioeconomic study with many players - users, ISPs, spammers, technologists, legal

322 views • 17 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Workflow basics, RMarkdown, git/Github Cleaning up Cleaning up Cleaning up Cleaning up

Workflow basics, RMarkdown, git/Github Cleaning up Cleaning up Cleaning up Cleaning up

Workflow basics, RMarkdown, git/Github Cleaning up Cleaning up Cleaning up Cleaning up Cleaning up Cleaning up Don't worry, your history is preserved Settings Cleaning up Cleaning up Lots more options! RMarkdown Structure of an Rmd

656 views • 50 slides
Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam is the friendly name given to unsolicited mail everyone receives in the mailbox. Comes from a Monty Python sketch, where in a caf everything

505 views • 13 slides
Opinion Spam and Analysis NITIN JINDAL & BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL & BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL & BING LIU, WSDM 08 UIUC Opinion/Review Spam All spam is spam but some spam is more spam than others Opinion spam similar to web spam or email spam in intent, but different in form / content Web

912 views • 38 slides
BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation When Congress returns from recess on December 8, 2003, it will finish its work on the CAN-SPAM Act of 2003 (Controlling the Assault of

323 views • 4 slides
Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to web spam Spam 221 Spamming PageRank Spam farm model Optimal farm structure Alliances of two farms Larger alliances Spam

876 views • 30 slides
Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Dynamics Web Spam Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0710-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy

669 views • 49 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Dynamics Web Spam Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0709-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy Overview

806 views • 49 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why should you care? How to detect Spam? 2 What is Spam? What is Spam? All forms of malicious manipulation of user generated data so as to

943 views • 56 slides
Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Seminar: Future Of Web Search University of Saarland Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood Tutor : Klaus Berberich Date : 17-Jan-2008 The Agenda Focus of the First Paper

1.22k views • 53 slides
spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian Developer since 2003 Listmaster Alioth Admin Maintainer of packages like iproute, icinga, nagios and a lot of other useless stu ff

219 views • 20 slides
Cleaning Search Results using Term Distance Features Josh Attenberg, Torsten Suel Polytechnic

Cleaning Search Results using Term Distance Features Josh Attenberg, Torsten Suel Polytechnic

Cleaning Search Results using Term Distance Features Josh Attenberg, Torsten Suel Polytechnic University Brooklyn, NY 11201 Sophisticated Spam Weaving: inserting spammed terms through out an existing text Phrase Stitching: diverse

375 views • 12 slides
Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee Institute of Computer Science, University of Tartu Overview Spam is Evil ML for Spam Filtering: General Idea, Problems. Some Algorithms Nave Bayesian

391 views • 35 slides
Equipment Cleaning for Drug Products www.gmpsop.com 1 Scope and General Types of Cleaning

Equipment Cleaning for Drug Products www.gmpsop.com 1 Scope and General Types of Cleaning

Equipment Cleaning for Drug Products www.gmpsop.com 1 Scope and General Types of Cleaning Product Contact Equipment , both Major and Minor , shall be cleaned and shall include : Changeover Cleaning ; Interval Cleaning* ;

1.04k views • 88 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Dry-ice (CO 2 -snow) Cleaning - Motivation - Cleaning mechanism, technique & apparatus - Nb

Dry-ice (CO 2 -snow) Cleaning - Motivation - Cleaning mechanism, technique & apparatus - Nb

Dry-ice (CO 2 -snow) Cleaning - Motivation - Cleaning mechanism, technique & apparatus - Nb cavity results - Copper rf gun cleaning - Summary, open topics + next steps Detlef Reschke, Arne Brinkmann IWLC-2010, Oct. 21st, 2010 Motivation

647 views • 16 slides
x 2 > b w T x > 0 SPAM!! x ( x , 1) w 3 x 3 w T x + b ( w , b ) T ( x , 1)

x 2 > b w T x > 0 SPAM!! x ( x , 1) w 3 x 3 w T x + b ( w , b ) T ( x , 1)

A neuron (or how our brains work) Linear models Subhransu Maji CMPSCI 670: Computer Vision November 3, 2016 Neuroscience 101 CMPSCI 670 Subhransu Maji (UMASS) 2 Perceptron Example: Spam Input are feature values Imagine 3 features (spam

682 views • 8 slides
Spam Filtering with Naive Bayes Classifier Yuriy Arabskyy June 6, 2017 Table of contents What

Spam Filtering with Naive Bayes Classifier Yuriy Arabskyy June 6, 2017 Table of contents What

Spam Filtering with Naive Bayes Classifier Yuriy Arabskyy June 6, 2017 Table of contents What is spam? Different spam types Anti-Spam Techniques Probability theory basics Conditional probability Bayes Theorem Naive Bayes Theorem Spam

1.04k views • 27 slides
The 10 Worst Presentation Habits Speakers can be their own worst enemies. Here are our expert's

The 10 Worst Presentation Habits Speakers can be their own worst enemies. Here are our expert's

The 10 Worst Presentation Habits Speakers can be their own worst enemies. Here are our expert's tips on how to make a presentation sing By Carmine Gallo - BusinessWeek As a communications coach for some of America's most admired companies, I work

603 views • 3 slides

More recommend