rent botnets. Instead of sending spam from one source, today's spammers send spam from multiple zombies in a botnet. Losing one zombie doesn't affect the flow of spam to any great effect. For a botnet-supported phishing Web site, shutting down a phishing Web site only triggers a Dynamic DNS change to the IP address associated with the DNS name. Some bot codebases, such as Agobot, include specific commands to facilitate use in support of spamming operations. There are commands to harvest e-mails, download a list of e-mails prior to spamming, start spamming, and stop spamming. Analyzing the headers of similar spam payloads and phishing attacks may permit investigators to begin to discover members of common botnets. Monitoring activity between these members and the bot server may yield enough information to take the botnet down. Cross-correlation of different kinds of attacks from the same zombie may permit investigators to begin to "follow the money."
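The header-correlation step described above, worked through as an added example (this is illustrative code written for this page, not from the book or from any investigation it cites). It parses a handful of constructed spam messages, takes the originating IP from the Received header stamped by our own mail exchanger, reduces each message to a template fingerprint by stripping the per-message variable parts (numbers, URL parameters, whitespace), and then groups zombies by campaign. A zombie that shows up in more than one campaign (here, one spam template and one phishing template) is the cross-correlation hook the text refers to. The hostnames, IP addresses and message bodies are all constructed sample data.

```python
import email
import hashlib
import re
from collections import defaultdict
from email import policy


def _sample(zombie_ip, subject, body):
    """Build one constructed raw message. The bottom Received line is the one
    stamped by our own MX (mx.example.net), so it names the injecting host."""
    return (
        "Received: from mx.example.net by inbound.example.org with ESMTP\n"
        f"Received: from unknown [{zombie_ip}] by mx.example.net with SMTP\n"
        "From: promo@example.com\n"
        f"Subject: {subject}\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        f"{body}\n"
    )


# Constructed sample corpus: one "order" spam campaign sent by three zombies
# and one "account verify" phishing campaign sent by two, with one zombie
# (203.0.113.17) taking part in both.
SAMPLE_MESSAGES = [
    _sample("203.0.113.17", "Your order #48213",
            "Dear customer, your order 48213 is ready.\n"
            "Visit http://track.example.com/?id=8812 now."),
    _sample("203.0.113.42", "Your order #77120",
            "Dear customer, your order 77120 is ready.\n"
            "Visit http://track.example.com/?id=1193 now."),
    _sample("198.51.100.9", "Your order #10077",
            "Dear customer, your order 10077 is ready.\n"
            "Visit http://track.example.com/?id=4402 now."),
    _sample("203.0.113.17", "Account notice 5531",
            "Your account will be locked in 24 hours.\n"
            "Confirm at http://verify.example.com/login?s=9918 today."),
    _sample("198.51.100.77", "Account notice 2207",
            "Your account will be locked in 48 hours.\n"
            "Confirm at http://verify.example.com/login?s=3320 today."),
]


def originating_ip(msg):
    """Return the IPv4 literal from the earliest Received hop.

    Received headers are prepended by each hop, so the last one in the list
    is the earliest. Only the hop stamped by a server we control is trusted;
    anything below it could have been forged by the sender.
    """
    for hop in reversed(msg.get_all("Received") or []):
        if "by mx.example.net" not in hop:
            continue
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m:
            return m.group(1)
    return None


def template_fingerprint(msg):
    """Hash the message after removing the parts a template engine varies
    per recipient, so every instance of one campaign collapses to one key."""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    text = re.sub(r"https?://\S+", "<url>", text)   # drop per-message tracking URLs
    text = re.sub(r"\d+", "#", text)                # drop order numbers, hours, ids
    text = re.sub(r"\s+", " ", text).strip()        # normalise whitespace
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def correlate(raw_messages):
    """Group zombie IPs by campaign fingerprint and report IPs seen in more
    than one campaign. Returns (campaigns, shared)."""
    campaigns = defaultdict(set)     # fingerprint -> zombie IPs
    ip_campaigns = defaultdict(set)  # zombie IP -> fingerprints
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        ip = originating_ip(msg)
        if ip is None:
            continue
        fp = template_fingerprint(msg)
        campaigns[fp].add(ip)
        ip_campaigns[ip].add(fp)
    shared = {ip: fps for ip, fps in ip_campaigns.items() if len(fps) > 1}
    return dict(campaigns), shared


if __name__ == "__main__":
    campaigns, shared = correlate(SAMPLE_MESSAGES)
    for fp, ips in campaigns.items():
        print(f"campaign {fp}: {len(ips)} zombies -> {sorted(ips)}")
    for ip, fps in shared.items():
        print(f"{ip} appears in {len(fps)} campaigns (cross-correlation candidate)")
```

On real mail the fingerprinting would need to be more robust than a digit/URL strip (the book goes on to describe image-based templates that vary size and padding per message), but the grouping logic is the same: one key per template, one set of injecting hosts per key, and the hosts that appear under several keys are where an investigator starts.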
Using a botnet, the botherder can set up an automated spam network. Joe Stewart, a senior security researcher from SecureWorks in Atlanta, Georgia, recently gained access to files from a botnet that was using the SpamThru Trojan. The botherders were a well-organized hacker gang in Russia, controlling a 73,000 node botnet. An article in the 20 November 2006 issue of eWeek, titled "Spam Surge Linked to Hackers," describes Mr. Stewart's analysis for the masses. The details of this analysis can be found at www.secureworks.com/analysis/spamthru/.
Figure 2.7 illustrates the SpamThru Trojan. The botnet clients are organized into groups of similar processing and network speeds. For example, all the Windows 95 and Windows 98 systems that are connected to dial-up connections might be assigned to port 2234, and the higher speed XP Pro systems connected to High Speed Internet connections might be assigned to port 2236. The Russian botherder sends commands through the IRC C&C server to each of the botclients instructing them to obtain the appropriate templates for the next spam campaign. The botnet client then downloads the templates and modifies the data from the template every time it transmits an e-mail. The template includes text and graphics. To foil the graphics spam detectors, the spam clients modify the size and padding in the graphic images for each message.