Fighting malware and spam

Coordinated distributions method for tracking botnets sending out spam

Andrey Bakhmutov Kaspersky Lab

It is well known that large quantities of spam are now being sent by networks of compromised computers - botnets. The activity of these networks is of serious concern to security professionals all over the world, and the problem of tracking botnets is receiving considerable attention. Large distributed networks of computers, most of them having dynamic IP addresses, are hard to track and separate from each other.

This paper presents a method for isolating and tracking, in real time, botnets which are sending out spam. This statistical method uses the fact that a computer in a botnet has to distribute content which to some degree resembles content distributed by the other computers in the same botnet. The size of messages sent by a particular computer over a period of time can be tracked, and the resulting distribution of message numbers by size is then associated with that computer. The distributions obtained for different sources are then compared. It transpires that computers from the same botnet have similar (although not identical) distributions. The accuracy of this technique is heavily dependent on the amount of statistical data gathered and the comparison method used. The system designed to implement the method processes data every two hours, detecting and refining botnets, and determining the false positive probabilities for each botnet. It has been demonstrated that this technique can be used to determine the boundaries of botnets in real time provided that there is sufficient statistical information.