A strategic analysis of spam botnets operations

Olivier Thonnard, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

23 Citations (Scopus)

Abstract

We present in this paper a strategic analysis of spam botnets operations, i.e., we study the inter-relationships among botnets through their spam campaigns, and we focus on identifying similarities or differences in their modus operandi. The contributions of this paper are threefold. First, we provide an in-depth analysis which, in contrast with previous studies on spamming bots, focuses on the long-term, strategic behavior of spam botnets as observed through their aggregate spam campaigns. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly Message Labs) through worldwide distributed spamtraps. Secondly, we demonstrate the usefulness of emerging attack attribution methodologies to extract intelligence from large spam data sets, and to correlate spam campaigns according to various combinations of different features. By leveraging these techniques relying on data fusion and multi-criteria decision analysis, we show that some tight relationships exist among different botnet families (like Rustock/Grum or Lethic/Maazben), but we also underline some profound differences in spam campaigns performed by other bots, such as Rustock versus Lethic, Bagle or Xarvester. Finally, we use the very same attribution methodology to analyze the recent Rustock take-down, which took place on March 17, 2011. As opposed to previous claims, our experimental results show that Bagle has probably not taken over Rustock's role, but instead, we found some substantial evidence indicating that part of Rustock activity may have been offloaded to Grum shortly after the take-down operation.

Original language: English
Title of host publication: ACM International Conference Proceeding Series
Pages: 162-171
Number of pages: 10
DOIs: 10.1145/2030376.2030395
Publication status: Published - 2011
Externally published: Yes
Event: 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2011 - Perth, WA
Duration: 1 Sep 2011 to 2 Sep 2011

Other

Other: 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2011
City: Perth, WA
Period: 1/9/11 to 2/9/11

Fingerprint

Spamming
Decision theory
Data fusion
Botnet

Keywords

  • Botnet intelligence
  • Rustock take-down
  • Spam botnets

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Human-Computer Interaction
  • Software

Cite this

Thonnard, O., & Dacier, M. (2011). A strategic analysis of spam botnets operations. In ACM International Conference Proceeding Series (pp. 162-171) https://doi.org/10.1145/2030376.2030395

@inproceedings{b51044a43aba4fef95b42de5a0febf4a,
title = "A strategic analysis of spam botnets operations",
abstract = "We present in this paper a strategic analysis of spam botnets operations, i.e., we study the inter-relationships among botnets through their spam campaigns, and we focus on identifying similarities or differences in their modus operandi. The contributions of this paper are threefold. First, we provide an in-depth analysis which, in contrast with previous studies on spamming bots, focuses on the long-term, strategic behavior of spam botnets as observed through their aggregate spam campaigns. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly Message Labs) through worldwide distributed spamtraps. Secondly, we demonstrate the usefulness of emerging attack attribution methodologies to extract intelligence from large spam data sets, and to correlate spam campaigns according to various combinations of different features. By leveraging these techniques relying on data fusion and multi-criteria decision analysis, we show that some tight relationships exist among different botnet families (like Rustock/Grum or Lethic/Maazben), but we also underline some profound differences in spam campaigns performed by other bots, such as Rustock versus Lethic, Bagle or Xarvester. Finally, we use the very same attribution methodology to analyze the recent Rustock take-down, which took place on March 17, 2011. As opposed to previous claims, our experimental results show that Bagle has probably not taken over Rustock's role, but instead, we found some substantial evidence indicating that part of Rustock activity may have been offloaded to Grum shortly after the take-down operation.",
keywords = "Botnet intelligence, Rustock take-down, Spam botnets",
author = "Olivier Thonnard and Marc Dacier",
year = "2011",
doi = "10.1145/2030376.2030395",
language = "English",
isbn = "9781450307888",
pages = "162--171",
booktitle = "ACM International Conference Proceeding Series",
}
