Abstract
There is a consensus in the anti-spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the strategic behavior of spammers on a long-term basis. This paper explores several facets of spammers operations by providing three essential perspectives: (i) we study the inter-relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their modus operandi; (ii) we look at the impact of the Rustock takedown on the botnet ecosystem; and (iii) we study the conjecture about spammers hijacking unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi-criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. We also take advantage of node-link visualizations developed in the context of VIS-SENSE, a research project aiming at developing Visual Analytics technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as Rustock/Grum or Lethic/Maazben). Regarding the disruption of Rustock on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to Grum shortly after the takedown operation. Finally, we analyzed over 1year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets.
Original language | English |
---|---|
Pages (from-to) | 336-356 |
Number of pages | 21 |
Journal | Security and Communication Networks |
Volume | 9 |
Issue number | 4 |
DOIs | |
Publication status | Published - 10 Mar 2016 |
Externally published | Yes |
Fingerprint
Keywords
- Botnet intelligence
- Prefix hijacking
- Rustock takedown
- Spam botnets
ASJC Scopus subject areas
- Computer Networks and Communications
- Information Systems
Cite this
Spammers operations : A multifaceted strategic analysis. / Thonnard, O.; Vervier, Pierre Antoine; Dacier, Marc.
In: Security and Communication Networks, Vol. 9, No. 4, 10.03.2016, p. 336-356.Research output: Contribution to journal › Article
}
TY - JOUR
T1 - Spammers operations
T2 - A multifaceted strategic analysis
AU - Thonnard, O.
AU - Vervier, Pierre Antoine
AU - Dacier, Marc
PY - 2016/3/10
Y1 - 2016/3/10
N2 - There is a consensus in the anti-spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the strategic behavior of spammers on a long-term basis. This paper explores several facets of spammers operations by providing three essential perspectives: (i) we study the inter-relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their modus operandi; (ii) we look at the impact of the Rustock takedown on the botnet ecosystem; and (iii) we study the conjecture about spammers hijacking unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi-criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. We also take advantage of node-link visualizations developed in the context of VIS-SENSE, a research project aiming at developing Visual Analytics technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as Rustock/Grum or Lethic/Maazben). Regarding the disruption of Rustock on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to Grum shortly after the takedown operation. Finally, we analyzed over 1year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets.
AB - There is a consensus in the anti-spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the strategic behavior of spammers on a long-term basis. This paper explores several facets of spammers operations by providing three essential perspectives: (i) we study the inter-relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their modus operandi; (ii) we look at the impact of the Rustock takedown on the botnet ecosystem; and (iii) we study the conjecture about spammers hijacking unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi-criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. We also take advantage of node-link visualizations developed in the context of VIS-SENSE, a research project aiming at developing Visual Analytics technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as Rustock/Grum or Lethic/Maazben). Regarding the disruption of Rustock on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to Grum shortly after the takedown operation. Finally, we analyzed over 1year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets.
KW - Botnet intelligence
KW - Prefix hijacking
KW - Rustock takedown
KW - Spam botnets
UR - http://www.scopus.com/inward/record.url?scp=84956695334&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84956695334&partnerID=8YFLogxK
U2 - 10.1002/sec.640
DO - 10.1002/sec.640
M3 - Article
AN - SCOPUS:84956695334
VL - 9
SP - 336
EP - 356
JO - Security and Communication Networks
JF - Security and Communication Networks
SN - 1939-0122
IS - 4
ER -