DOI: 10.1145/1402958.1402979

Spamming botnets: signatures and characteristics

Published: 17 August 2008

ABSTRACT

In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership. AutoRE does not require pre-classified training data or white lists. Moreover, it outputs high quality regular expression signatures that can detect botnet spam with a low false positive rate. Using a three-month sample of emails from Hotmail, AutoRE successfully identified 7,721 botnet-based spam campaigns together with 340,050 unique botnet host IP addresses.

Our in-depth analysis of the identified botnets revealed several interesting findings regarding the degree of email obfuscation, properties of botnet IP addresses, sending patterns, and their correlation with network scanning traffic. We believe these observations are useful for the design of botnet detection schemes.
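The abstract summarizes what AutoRE produces (regular expression signatures over spam, plus the botnet hosts behind each campaign) without describing the algorithm. The following toy is an added illustration, not AutoRE's or the paper's code: it derives an anchored regex from a cluster of spam URLs that share one structure, measures the signature against known-good URLs for false positives, and uses it to pull the sender IPs of matching mail as a campaign's membership. All URLs, IP addresses and log records are constructed for the example, and the column-alignment method used to generalize the URLs is an assumption for illustration, not the paper's method.

```python
import re

# Constructed sample: URLs extracted from emails of one hypothetical campaign.
# These hosts and paths are made up for this illustration; they are not data
# from the paper.
CAMPAIGN_URLS = [
    "http://pharm-example.test/p/ab12x/index.php?id=7731",
    "http://pharm-example.test/p/q9kd0/index.php?id=1024",
    "http://pharm-example.test/p/zz7n2/index.php?id=88",
    "http://pharm-example.test/p/m3p1r/index.php?id=56021",
]

# Constructed benign URLs that a usable signature must not match, including one
# with the same path shape on a different host.
BENIGN_URLS = [
    "http://pharm-example.test/about.html",
    "http://pharm-example.test/p/index.php",
    "http://other-host.test/p/ab12x/index.php?id=7731",
]

# Split a URL into alternating alphanumeric runs and single delimiter characters.
_TOKEN_RE = re.compile(r"[A-Za-z0-9]+|[^A-Za-z0-9]")


def tokenize(url):
    return _TOKEN_RE.findall(url)


def char_class(tokens):
    """Generalise a column of differing alphanumeric tokens into a bounded
    character class, e.g. ('7731', '88') -> '[0-9]{2,4}'."""
    chars = set("".join(tokens))
    ranges = ""
    if any(c.isdigit() for c in chars):
        ranges += "0-9"
    if any(c.islower() for c in chars):
        ranges += "a-z"
    if any(c.isupper() for c in chars):
        ranges += "A-Z"
    lo, hi = min(map(len, tokens)), max(map(len, tokens))
    quant = "{%d}" % lo if lo == hi else "{%d,%d}" % (lo, hi)
    return "[%s]%s" % (ranges, quant)


def build_signature(urls):
    """Derive an anchored regex from URLs that share one token structure:
    constant columns become escaped literals, variable columns become
    character classes with the observed length range."""
    token_lists = [tokenize(u) for u in urls]
    width = len(token_lists[0])
    if any(len(t) != width for t in token_lists):
        raise ValueError("URLs do not share one token structure; cluster them first")
    pieces = []
    for column in zip(*token_lists):
        if len(set(column)) == 1:
            pieces.append(re.escape(column[0]))
        elif all(t.isalnum() for t in column):
            pieces.append(char_class(column))
        else:
            raise ValueError("delimiter mismatch in column %r" % (column,))
    return "^" + "".join(pieces) + "$"


def matches(signature, url):
    return re.match(signature, url) is not None


def false_positive_rate(signature, benign_urls):
    """Fraction of known-good URLs the signature wrongly matches."""
    hits = sum(matches(signature, u) for u in benign_urls)
    return hits / len(benign_urls)


def campaign_members(signature, mail_log):
    """Sender IPs whose mail carried a URL matching the signature: the
    campaign's (hypothetical) bot membership."""
    return sorted({ip for ip, url in mail_log if matches(signature, url)})


# Constructed (sender IP, URL) records standing in for a mail server log.
MAIL_LOG = [
    ("198.51.100.7", CAMPAIGN_URLS[0]),
    ("203.0.113.42", CAMPAIGN_URLS[1]),
    ("198.51.100.7", CAMPAIGN_URLS[2]),
    ("192.0.2.15", BENIGN_URLS[0]),
    ("203.0.113.9", BENIGN_URLS[2]),
]

if __name__ == "__main__":
    sig = build_signature(CAMPAIGN_URLS)
    print("signature:", sig)
    print("false positive rate:", false_positive_rate(sig, BENIGN_URLS))
    print("members:", campaign_members(sig, MAIL_LOG))
```

The signature keeps the host and fixed path segments as literals and only generalizes the columns that vary, which is what keeps it from matching the same path shape on another host; the false-positive check against a held-out benign set is the step that should gate any signature before it is deployed.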


Published in

SIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication
August 2008, 452 pages
ISBN: 9781605581750
DOI: 10.1145/1402958

ACM SIGCOMM Computer Communication Review, Volume 38, Issue 4
October 2008, 436 pages
ISSN: 0146-4833
DOI: 10.1145/1402946

      Copyright © 2008 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States



Qualifiers: research-article

Overall acceptance rate: 554 of 3,547 submissions, 16%
