Coordinated distributions method for tracking botnets sending out spam
Andrey Bakhmutov Kaspersky Lab
download slides (PDF)
It is well known that large quantities of spam are now being sent by networks of compromised computers - botnets. The
activity of these networks is of serious concern to security professionals all over the world, and the problem of
tracking botnets is receiving considerable attention. Large distributed networks of computers, most of them having
dynamic IP addresses, are hard to track and separate from each other.
This paper presents a method for isolating
and tracking, in real time, botnets which are sending out spam. This statistical method uses the fact that a
computer in a botnet has to distribute content which to some degree resembles content distributed by the other
computers in the same botnet. The size of messages sent by a particular computer over a period of time can be
tracked, and the resulting distribution of message numbers by size is then associated with that computer.
The distributions obtained for different sources are then compared. It transpires that computers from the same
botnet have similar (although not identical) distributions. The accuracy of this technique is heavily dependent
on the amount of statistical data gathered and the comparison method used. The system designed to implement
the method processes data every two hours, detecting and refining botnets, and determining the false positive
probabilities for each botnet. It has been demonstrated that this technique can be used to determine the
boundaries of botnets in real time provided that there is sufficient statistical information.
VB2010 will take place 29 September-1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada.
Early bird discount available until 15th June 2010.