Cleaning up after the Nr 3 SPAM botnet and the worst prefix, by Erik Bais (RIPE75, October 2017)


  1. Cleaning up after the Nr 3 SPAM botnet and the worst prefix. By Erik Bais, RIPE75, October 2017

  2. A bit of background: taking down the largest GRUM bot network • A nice read about this whole story: https://krebsonsecurity.com/2012/07/top-spam-botnet-grum-unplugged/ • Once a botnet the size of GRUM is down, you can see its disappearance in the global spam volume.

  3. Stats of GRUM during July 2012 until the shutdown (chart; source: Symantec MessageLabs)

  4. Taking over the IPs of a C&C • When all the C&Cs were down, we got access to the GRUM C&C IPs. • Even better: the actual server had been shut down, but not wiped. ;-) • We wiped the server (after taking a backup) and set up a secure sinkhole for the zombies.

  5. Target: cleaning the zombies • Taking down the C&Cs and the botnet leaves a lot of infected PCs (zombies) behind, dormant. • How do you clean those zombies? • We opted for reporting to the ISPs, one report per unique connection to the C&C IPs, matched on a signature: once per day at first, later once per hour. • Not all malware has a reliable kill/uninstall switch, and you don't want to be held responsible for triggering one.

  6. Initial stats by country and unique IPs (GRUM) (chart)

  7. Weather maps of the stats (GRUM) (chart)

  8. So how did we do this? • Once we had access to the C&C IPs, we worked together with ISC SANS and Shadowserver to build the right infrastructure for a new feed. • There is no need to build your own abuse-reporting infrastructure: Shadowserver already has it in place! • And a lot of ISPs already parse Shadowserver's messages.

  9. Running the feeds • With the feeds running, you would expect the numbers to show some clean-up. • Not exactly: some improvement, but not a lot.

  10. The downside of opt-in reporting • Shadowserver only reports to ISPs that asked to receive its messages. • Yes, those reports are opt-in. • So we discussed the approach with Abusix and they suggested the following: – Report each hour on each unique IP connection, instead of each day. – Use the abuse mailbox information from the IRR databases and send the reports every hour in X-ARF.

  11. More stats, September 2012

  +---------------------+--------+------+-------------+------------+-------------+-------------+
  | timestamp           | source | tag  | connections | unique_ips | unique_asns | unique_geos |
  +---------------------+--------+------+-------------+------------+-------------+-------------+
  | 2012-09-16 00:00:00 | drones | grum |     1518703 |      87654 |        2161 |         175 |
  | 2012-09-15 00:00:00 | drones | grum |     1685809 |      93043 |        2231 |         178 |
  | 2012-09-14 00:00:00 | drones | grum |     1819142 |     102839 |        2539 |         185 |
  | 2012-09-13 00:00:00 | drones | grum |     1785254 |     105531 |        2603 |         186 |
  | 2012-09-12 00:00:00 | drones | grum |     1809333 |     106376 |        2626 |         183 |
  | 2012-09-11 00:00:00 | drones | grum |     1874680 |     107011 |        2646 |         185 |
  | 2012-09-10 00:00:00 | drones | grum |     1804284 |     106289 |        2635 |         184 |
  | 2012-09-09 00:00:00 | drones | grum |     1708316 |      94092 |        2249 |         182 |
  | 2012-09-08 00:00:00 | drones | grum |     1720786 |      98288 |        2277 |         177 |
  | 2012-09-07 00:00:00 | drones | grum |     1710694 |     106210 |        2534 |         186 |
  +---------------------+--------+------+-------------+------------+-------------+-------------+

  12. Results in November 2012!

  +---------------------+--------+------+-------------+------------+-------------+-------------+
  | timestamp           | source | tag  | connections | unique_ips | unique_asns | unique_geos |
  +---------------------+--------+------+-------------+------------+-------------+-------------+
  | 2012-11-13 00:00:00 | drones | grum |     1200093 |      69840 |        1929 |         173 |
  | 2012-11-12 00:00:00 | drones | grum |     1245087 |      69446 |        1916 |         171 |
  | 2012-11-11 00:00:00 | drones | grum |     1191635 |      64081 |        1680 |         167 |
  | 2012-11-10 00:00:00 | drones | grum |     1159224 |      66043 |        1724 |         173 |
  | 2012-11-09 00:00:00 | drones | grum |     1160222 |      71957 |        1946 |         173 |
  | 2012-11-08 00:00:00 | drones | grum |     1242629 |      72832 |        1985 |         168 |
  | 2012-11-07 00:00:00 | drones | grum |     1261095 |      74043 |        1995 |         172 |
  +---------------------+--------+------+-------------+------------+-------------+-------------+

  13. The Level3 abuse desk 'issue' • The sinkhole hoster almost got shut down by their upstream, because the upstream did not match the reports correctly to the 'offending' customers. • They thought the sinkhole was the source of the abuse. • It took a couple of days to understand the issue and to fix the reporting. – Lesson learned: don't include the sinkhole IP in the abuse reports.
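Slides 5, 10 and 13 together describe the reporting pipeline: one report per unique infected IP per hour, sent as X-ARF, and never naming the sinkhole address. The block below is an added example written for this page, not the talk's code nor anything from Shadowserver or Abusix, of that pipeline in Python. The log line format, the sinkhole address, the schema URL and the "bot-infection" report type are assumptions of the example; the sample log is constructed from RFC 5737 documentation addresses.

```python
"""Hourly per-IP bot-infection reports from a sinkhole log, in X-ARF form.

Added example; not code from the talk, Shadowserver or Abusix. The log
format, SINKHOLE_IP, XARF_SCHEMA and the report type are assumptions.
"""
import uuid
from collections import defaultdict
from datetime import datetime, timezone
from email.message import EmailMessage

SINKHOLE_IP = "203.0.113.10"  # assumed address of the sinkhole that replaced the C&C

# Constructed log: "<UTC time> <src ip> <src port> -> <dst ip> <dst port> <tag>".
# The last line is the sinkhole's own outbound traffic and must never be reported.
SAMPLE_LOG = """\
2012-09-16T00:03:11Z 192.0.2.25 51012 -> 203.0.113.10 80 grum
2012-09-16T00:17:40Z 192.0.2.25 51220 -> 203.0.113.10 80 grum
2012-09-16T00:41:02Z 198.51.100.7 44001 -> 203.0.113.10 80 grum
2012-09-16T01:02:55Z 192.0.2.25 51390 -> 203.0.113.10 80 grum
2012-09-16T01:30:00Z 203.0.113.10 34000 -> 192.0.2.99 443 probe
"""

XARF_SCHEMA = "http://www.x-arf.org/schema/abuse_bot-infection_0.1.0.json"  # assumed


def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip, tag) for each constructed log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, _arrow, dst, _dport, tag = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, src, dst, tag


def aggregate_hourly(text, sinkhole_ip):
    """Count connections per (hour, src_ip, tag): one report per unique IP per hour.

    Lines whose source is the sinkhole itself are dropped, so the sinkhole can
    never appear as the 'offender' (the Level3 lesson on slide 13).
    """
    buckets = defaultdict(int)
    for when, src, _dst, tag in parse_log(text):
        if src == sinkhole_ip:
            continue
        hour = when.replace(minute=0, second=0, microsecond=0)
        buckets[(hour, src, tag)] += 1
    return dict(buckets)


def build_xarf(hour, src_ip, tag, count, reporter="abuse-reports@example.net"):
    """Build one X-ARF report: a human-readable part plus a machine-readable part."""
    msg = EmailMessage()
    msg["From"] = reporter
    msg["Subject"] = f"[X-ARF] {tag} infected host {src_ip} ({hour:%Y-%m-%d %H:00} UTC)"
    msg["X-XARF"] = "PLAIN"  # marker header X-ARF uses for unsigned reports
    msg.set_content(
        f"Between {hour:%Y-%m-%d %H:00} and {hour:%H:59} UTC, {src_ip} connected {count} "
        f"time(s) to a sinkhole that replaced a {tag} command-and-control server.\n"
        "The host is most likely infected; please notify the customer.\n"
    )
    fields = [
        f"Schema-URL: {XARF_SCHEMA}",
        "Version: 0.2",
        "User-Agent: sinkhole-reporter/0.1",
        f"Date: {hour:%Y-%m-%dT%H:%M:%S%z}",
        f"Source: {src_ip}",
        "Source-Type: ip-address",
        "Attachment: text/plain",
        "Category: abuse",
        "Report-Type: bot-infection",
        f"Report-ID: {uuid.uuid4()}@example.net",
        f"Occurrences: {count}",
        f"Malware: {tag}",
    ]
    msg.add_attachment("\n".join(fields) + "\n", subtype="plain", filename="report.txt")
    return msg


def mentions(msg, needle):
    """True if any text part of the message contains `needle`."""
    return any(needle in part.get_content() for part in msg.walk()
               if part.get_content_maintype() == "text")


def build_reports(text, sinkhole_ip):
    """Aggregate the log and emit one report per (hour, IP, tag), verified sinkhole-free."""
    reports = []
    for (hour, src, tag), count in sorted(aggregate_hourly(text, sinkhole_ip).items()):
        msg = build_xarf(hour, src, tag, count)
        if mentions(msg, sinkhole_ip):  # belt and braces: refuse to send a leaking report
            raise ValueError("sinkhole address leaked into abuse report")
        reports.append(msg)
    return reports


if __name__ == "__main__":
    for report in build_reports(SAMPLE_LOG, SINKHOLE_IP):
        print(report.as_string())
        print("-" * 72)
```

The To: address is deliberately left out: in the pipeline the talk describes it comes from the abuse mailbox registered in the IRR for the source prefix, which needs a live whois or RIPE DB lookup. The sinkhole address only ever appears in the raw log; the aggregation drops it as a source and the final `mentions` check refuses any report that still contains it.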

  14. A huge shout out to: (logo slide)

  15. Next challenge: the 'dirtiest' prefix • After the experience with the GRUM botnet, we had the opportunity to buy the LIR, with its IP space, from a Dutch bulletproof hoster. • The person running the hoster had just been released by the Dutch police and was planning to sell his IP space. • It looked like a proper challenge to get that IP space usable again.

  16. How bad was it? • The IP space had been blacklisted for several years due to known abuse. • On the SBL: over 75 listings, for the actual /19 and for many /32s and /24s. • On DROP (is anyone actually using this??). • And that was just Spamhaus; it was also on many other RBLs and lists.

  17. Approach • Get full ownership of the LIR. • Change all references from the previous holder to the new holder. • Build a new sinkhole. • Start routing the IPs to the sinkhole. • See what we find; we might get lucky.

  18. Hoping for the jackpot (image slide)

  19. The logs revealed 12 C&Cs • GRUM bot zombies (I wonder how we found these :-)) • Citadel zombies • Alina zombies • Black Energy • Fake AV

  20. Happy happy joy joy (image slide)

  21. Now what? • See whether anyone is actually null-routing traffic to the specific prefix. • RIPE Atlas was a great help in finding routing issues such as Spamhaus DROP filtering. • Contact the RBL owners to delist the prefix.
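Slide 16 notes that the space sat on the Spamhaus DROP list, and slide 21 that DROP filtering was one of the routing problems to look for before announcing the prefix. The block below is an added example for this page, not code from the talk, that checks a candidate prefix against a DROP-format list offline, so the check can be repeated after each delisting request. The text format of drop.txt (one "CIDR ; SBLnnn" entry per line, ';' starting a comment) is the public one; the sample entries are constructed from RFC 5737 documentation prefixes with made-up SBL identifiers.

```python
"""Check a prefix against a Spamhaus DROP-format list before routing it.

Added example; not code from the talk. SAMPLE_DROP is constructed from
RFC 5737 documentation prefixes with made-up SBL ids.
"""
import ipaddress

SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Fri, 20 Oct 2017 12:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.64/26 ; SBL000003
"""


def parse_drop(text):
    """Return [(network, sbl_id)] from drop.txt-style text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        cidr, _, comment = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:  # blank line or pure comment
            continue
        entries.append((ipaddress.ip_network(cidr, strict=True), comment.strip()))
    return entries


def drop_hits(prefix, entries):
    """Return DROP entries that intersect `prefix`, with how each relates to it.

    CIDR blocks either nest or are disjoint, so every hit is either an entry
    that covers the whole prefix ('covers': the announcement is dropped
    outright) or one inside it ('within': only that part of the space is
    dropped, the case of old C&C /24s inside a larger block).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    hits = []
    for entry, sbl in entries:
        if entry.version != net.version:
            continue
        if net.subnet_of(entry):
            hits.append((entry, sbl, "covers"))
        elif entry.subnet_of(net):
            hits.append((entry, sbl, "within"))
    return hits


def summarize(prefix, text):
    """One-line verdict per prefix, e.g. for tracking delisting progress."""
    hits = drop_hits(prefix, parse_drop(text))
    if not hits:
        return f"{prefix}: not on DROP"
    return f"{prefix}: " + ", ".join(f"{rel} {net} ({sbl})" for net, sbl, rel in hits)


if __name__ == "__main__":
    for p in ("192.0.2.128/25", "203.0.113.0/24", "233.252.0.0/24"):
        print(summarize(p, SAMPLE_DROP))
```

Run it against the real drop.txt (and the SBL listings from the RBL lookup pages) for each prefix you plan to announce; a 'covers' hit means the whole block is discarded by everyone who filters on DROP, a 'within' hit marks the specific old C&C ranges that you may have to keep null-routed, as the closing slide suggests.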

  22. Initial replies from the RBLs (screenshot slide)

  23. Explain it again, with more logic • Show them what we are doing. • Show the initial results of the sinkhole. • Kindly explain that we can't (and won't) be held hostage or accountable for someone else's actions, or lack of them. • Receive kind replies:

  24. Selling the IP space • The new owner knew which IP space he was buying and the reputation of the original owner. Transparency is key. • They knew up front about our efforts to clean up the space and about the sinkhole. • The sinkhole was handed over, along with the feeds to Shadowserver and Abusix, after the IP transfer. • The buyer wanted to purchase the IP space 'over time'.

  25. Lessons learned: almost all IP ranges can be cleaned, but some historic issues take a huge amount of time and effort to clean. Some people would be more than happy to help you. You might be able to get a good deal, as long as you don't mind null-routing some of the old C&C IPs in a /19 or so.

  26. Any questions?

  27. Thank you. Address: De Hoefsmid 13, 1851PZ Heiloo, The Netherlands. Email: sales@prefixbroker.net. Phone: +31 85 902 0417. Feel free to contact us if you have any questions.
