EPL682 – Advanced Security Topics
Paper Reviews
Name: Ioannis Yiangou
Instructor: Dr. Elias Athanasopoulos
Date: 27 February 2020
SPAM
Term: Irrelevant online content sent to numerous users
Forms: Emails, social media posts
Goal: Lure unsuspecting users to “read” it
Purpose: Advertising, spreading malware, phishing
Motivation: Great research interest in studying SPAM
◦ mechanisms, defenses, behavior, trends etc.
2 papers studying SPAM, as propagated by two major mediums:
◦ “Spamalytics: An Empirical Analysis of Spam Marketing Conversion” (Email SPAM)
◦ “@spam: The Underground on 140 Characters or Less” (Social Media SPAM: posts/tweets on Twitter)
Focus: E-mail SPAM
Spam structure is “unclear”: Not much is known about cost to send, conversion rate or profit
◦ REASON: “Underground” nature
  No transaction evidence
  Spammers do not file formal financial reports anywhere
  Campaigns act entirely online, etc.
SOLUTION: Become a spammer yourself!
◦ Build an e-commerce site & market it via spam
  Record sales
  Conversion rate (how many “ads” turned into “purchases”)
◦ Become a convincing spammer: use the technologies used by spammers
  utilize botnets for email distribution
  affect proxy responses, etc.
Botnet Infiltration:
◦ Authors used an existing botnet, taking over a part of its spam
  Redirected users to their own (harmless) servers instead
  Took measurements
“Storm” Botnet
◦ Peer-to-peer botnet with available spam agents
◦ Propagates spam: directs users to download executables from a specified web site
◦ Hierarchy:
  Worker bots: Request work from higher levels; receive orders & send spam
  Proxy bots: Link workers with master servers; give status reports
  Master servers: Directed by the bot master; give commands & workloads; interpret status reports
Spam workload models:
◦ “Orders” given to worker bots by master servers
◦ Forwarded by proxies
◦ Characteristics:
  Spam templates: polymorphic messages that can bypass spam filtering. Written in a macro language, loaded with info such as “target mail addresses”, “IP addresses”, date & time, etc.
  Delivery list of target email addresses
  Dictionaries with the info needed by the “spam templates”
IDEA: Botnet Infiltration
◦ Gain access into the “Command & Control” (C&C) network
◦ C&C channels: Located between workers & proxies
  All spam requests & delivery reports pass through those channels first
  Opportunity to monitor & process spam activity
APPROACH: Rewrite the C&C Protocol
◦ Elements:
  Click-based network element: Adds a destination header to messages flowing in the C&C channel; the message destination is changed to an IP address given by the authors
  User-space proxy server: Impersonates a valid proxy bot; receives connections for the specified address; forwards those connections to the click-based element
◦ From here, C&C traffic can be parsed & processed as wished
◦ Created many email accounts at different commercial providers (e.g. Yahoo)
◦ Tested spam delivery:
  Filtered them using spam filtering products: ensure spam can be passed successfully
  Set Storm worker bots to send spam to them:
    Append those accounts to the delivery list of every workload
    Remove references to those accounts from every report, so the bot master does not notice the authors’ changes
  Check the accounts for spam messages received from the authors’ campaigns
“Do users visit sites advertised in spam? If yes, how often?”
Authors launched two different spam campaigns, created one site for each, and monitored activity (i.e. “visits”) to find out
CAMPAIGN #1: “Pharmaceutical Campaign”
◦ Design: Identical to the original one
  Same naming convention + identifier at the end of the URL
  Similar UI
◦ No functionality: protect clients
◦ Log all accesses: 1 purchase attempt = 1 conversion
CAMPAIGN #2: “Malware Self-Propagation Campaign”
◦ Decoys users into downloading “postcard reader” software with hidden malware
◦ Design: Looks & feels like a legitimate site
◦ No functionality: protect clients; links direct to harmless executables
◦ Services: 3 (harmless) executables to download; if run, they send an HTTP POST request to the authors’ server
◦ Log accesses: the HTTP POST lets the authors know if a downloaded file was executed
  1 execution = 1 conversion
  Users might download but not execute the file
  Anti-viruses might block execution, etc.
Not all visits to the web sites are conversions
Automated & semi-automated processes visit:
◦ Pure web crawlers: visiting without interacting
◦ “Honey-client” systems: collect info
◦ Security researchers: working on identifying new malware
SOLUTION: Filter out such visits
◦ Heuristics: Identify visits with “crawler” behavior (e.g. trying to: perform well, enhance spam defense, ensure quality measurements, retrieve info)
◦ Blacklist them!
Heuristical Blacklisting:
◦ Hosts blacklisted for doing the following:
  Accessing the pharmacy site with a URL missing the identifier
  Accessing web crawling instruction files (e.g. txt containing URLs)
  Attempting to exploit the sites for information retrieval
  Disabling costly features (e.g. JavaScript, embedded images)
  Paying targeted visits, e.g. visiting the pharmacy site from the same IP multiple times using different unique identifiers (could be taking measurements/studying spam mechanisms)
  Tracking updates, e.g. downloading the postcard files more than 10 times
  Accessing workload delivery lists & visiting all featured IP addresses
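The crawler-filtering idea above can be made concrete as a small log classifier. The following is an added example, not code from the paper or the authors: it assumes a hypothetical access log of "<ip> <path>" lines, a pharmacy site whose genuine URLs carry an 8-hex-digit identifier under /pharma/, a postcard download path /postcard/download, and a limit of 10 downloads, and it applies four of the heuristics listed on the slide (missing identifier, crawl instruction files, many identifiers from one host, repeated downloads) to drop non-human visits before counting conversions.

```python
import re
from collections import defaultdict

# Assumed log layout (hypothetical, constructed for this example): one visit per
# line as "<client ip> <request path>". Genuine pharmacy URLs end in an
# 8-hex-digit identifier; the postcard site serves one download path.
ID_RE = re.compile(r"^/pharma/([0-9a-f]{8})(/.*)?$")
CRAWL_FILES = {"/robots.txt", "/sitemap.txt"}   # "crawling instruction files"
DOWNLOAD_LIMIT = 10                              # slide: more than 10 downloads


def parse_line(line):
    """Split one constructed log line into (ip, path)."""
    ip, path = line.split()
    return ip, path


def classify_visits(log_lines):
    """Return {ip: sorted reasons} for every host that matches a crawler heuristic."""
    reasons = defaultdict(set)
    ids_per_ip = defaultdict(set)
    downloads = defaultdict(int)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ip, path = parse_line(line)
        if path.startswith("/pharma"):
            m = ID_RE.match(path)
            if m:
                ids_per_ip[ip].add(m.group(1))
            else:
                # pharmacy URL without the per-recipient identifier
                reasons[ip].add("pharmacy url without identifier")
        if path in CRAWL_FILES:
            reasons[ip].add("crawl instruction file")
        if path == "/postcard/download":
            downloads[ip] += 1
    # same host, several distinct identifiers: measuring, not shopping
    for ip, ids in ids_per_ip.items():
        if len(ids) > 1:
            reasons[ip].add("multiple identifiers from one host")
    # tracking updates: far more downloads than a person would make
    for ip, n in downloads.items():
        if n > DOWNLOAD_LIMIT:
            reasons[ip].add("repeated postcard downloads")
    return {ip: sorted(r) for ip, r in reasons.items()}


def count_real_visits(log_lines):
    """Visits remaining once blacklisted hosts are removed from the log."""
    bad = classify_visits(log_lines)
    return sum(1 for l in log_lines if l.strip() and parse_line(l.strip())[0] not in bad)


# Constructed sample log using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    "203.0.113.5 /pharma/0a1b2c3d",            # genuine visitor
    "203.0.113.5 /pharma/0a1b2c3d/checkout",   # same visitor, purchase attempt
    "198.51.100.7 /pharma/",                   # no identifier in URL
    "198.51.100.7 /robots.txt",                # reads crawl instructions
    "192.0.2.9 /pharma/11111111",              # one host, three identifiers
    "192.0.2.9 /pharma/22222222",
    "192.0.2.9 /pharma/33333333",
    "203.0.113.6 /postcard/download",          # genuine single download
] + ["192.0.2.44 /postcard/download"] * 12      # 12 downloads from one host

if __name__ == "__main__":
    for ip, why in classify_visits(SAMPLE_LOG).items():
        print(ip, "blacklisted:", ", ".join(why))
    print("visits kept:", count_real_visits(SAMPLE_LOG))
```

Only the log lines from the two genuine visitors survive, which is the point of the slide: without this filtering step, crawler and researcher traffic would inflate the measured visit and conversion counts.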
[Figure: E-mail messages sent & workers used (per hour, on each day of the campaign)]
[Figure: E-mails sent (per hour, for each campaign)]
* The “April Fool” campaign is similar to the postcard one (self-propagation of malware using a spam postcard site, but only near the 1st of April).
8 proxies used
[Figure: 3 most targeted domains]
Most workers only connected once to proxies
◦ To a single proxy
◦ Few cases (90 workers) connected to all proxies
Most connections to proxies from a single worker: 269
◦ An academic network in North Carolina, USA, “infected” 19 times
Average connection duration: 40 minutes
◦ Many connections (40%) did not even exceed 1 minute
Longest connection duration: 81 hours
Shows the whole process of spam distribution, from workers receiving target e-mail addresses to user conversion
Shows how many of the initially intended targets remain un-filtered through all stages, up until their conversion
STAGE A:
◦ Action: Worker bots receive target e-mail addresses
◦ Filter: Some addresses might be invalid or blacklisted
◦ Problem: Such addresses will not receive spam messages
STAGE B:
◦ Action: Target e-mail addresses receive spam messages from worker bots
◦ Filter: Anti-spam mechanisms of the e-mail provider
◦ Problem: Many of those spam e-mails are blocked
STAGE C:
◦ Action: Mails which survived anti-spam filtering end up in the inbox
◦ Filter: User may ignore or delete spam mails
◦ Problem: Many emails fail to persuade users to visit/“convert”
STAGE D:
◦ Action: User opens spam e-mails and visits advertised URLs
◦ Filter: Many visiting users will not purchase anything
◦ Problem: No conversion, despite visiting
STAGE E:
◦ Action: User “converts”: buys from the pharmacy / executes the postcard malware
◦ Filter: Many “users” are crawlers with no real intention to “convert”
◦ Problem: Many of the final conversions are not real “conversions”
OBSERVATIONS:
◦ Many spam messages are filtered out at each stage of the pipeline
◦ A very small number of spam messages “survive” the full pipeline process
◦ Conversion rates: Extremely low (less than 0.0001%, in all campaigns)
Recommend
More recommend