Coordinated distributions method for tracking botnets sending out spam
Andrey Bakhmutov Kaspersky Lab
It is well known that large quantities of spam are now being sent by networks of compromised computers - botnets. The
activity of these networks is of serious concern to security professionals all over the world, and the problem of
tracking botnets is receiving considerable attention. Large distributed networks of computers, most of them having
dynamic IP addresses, are hard to track and separate from each other.
This paper presents a method for isolating
and tracking, in real time, botnets which are sending out spam. This statistical method uses the fact that a
computer in a botnet has to distribute content which to some degree resembles content distributed by the other
computers in the same botnet. The sizes of messages sent by a particular computer over a period of time are
tracked, and the resulting distribution of message counts by size is then associated with that computer.
The distributions obtained for different sources are then compared. It transpires that computers from the same
botnet have similar (although not identical) distributions. The accuracy of this technique is heavily dependent
on the amount of statistical data gathered and the comparison method used. The system designed to implement
the method processes data every two hours, detecting and refining botnets, and determining the false positive
probabilities for each botnet. It has been demonstrated that this technique can be used to determine the
boundaries of botnets in real time provided that there is sufficient statistical information.
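The following is an added illustration of the method described above, not code from the paper or from Kaspersky Lab: per-source message-size histograms are built, compared pairwise, and sources with similar distributions are grouped. The bin width, the use of histogram intersection as the comparison measure, the grouping threshold, the single-linkage grouping and the sample observations are all assumptions; the paper's per-botnet false-positive estimation is not modelled.

```python
from collections import Counter, defaultdict

BIN_WIDTH = 512             # bytes per size bin (assumption, not from the paper)
SIMILARITY_THRESHOLD = 0.6  # minimum similarity to link two sources (assumption)

# Constructed sample: (source address, message size in bytes) seen in one window.
# The first two sources send similar but not identical size mixes; the third differs.
SAMPLE = (
    [("198.51.100.1", s) for s in (1200, 1300, 1250, 2600, 1280, 2700)]
    + [("198.51.100.2", s) for s in (1210, 1190, 1320, 2650, 1240, 1600)]
    + [("203.0.113.7", s) for s in (4000, 4100, 3900, 8200, 4050, 8100)]
)

def size_histogram(sizes, bin_width=BIN_WIDTH):
    """Normalised histogram: fraction of a source's messages falling in each size bin."""
    counts = Counter(size // bin_width for size in sizes)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()}

def similarity(h1, h2):
    """Histogram intersection in [0, 1]; 1.0 means identical distributions (assumed measure)."""
    return sum(min(h1.get(b, 0.0), h2.get(b, 0.0)) for b in set(h1) | set(h2))

def group_sources(observations, threshold=SIMILARITY_THRESHOLD):
    """Group sources whose size distributions are linked by similarity >= threshold."""
    per_source = defaultdict(list)
    for src, size in observations:
        per_source[src].append(size)
    hists = {src: size_histogram(sizes) for src, sizes in per_source.items()}

    # Single-linkage grouping via union-find over all source pairs.
    parent = {src: src for src in hists}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    srcs = sorted(hists)
    for i, a in enumerate(srcs):
        for b in srcs[i + 1:]:
            if similarity(hists[a], hists[b]) >= threshold:
                parent[find(a)] = find(b)

    groups = defaultdict(set)
    for src in srcs:
        groups[find(src)].add(src)
    # Largest candidate botnets first; singletons are unlinked sources.
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
```

In a deployment the observation window, bin width and threshold would be tuned against the volume of data available, since, as the abstract notes, accuracy depends on how much statistics have been gathered.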