ISIS » Spam

Storm Worm IP List and Country Distribution Statistics

aleksey — Mon, 19 May 2008 21:19:26 +0000

Due to a recent need for creation of fresh blacklist, we have collected and analyzed 16,000+ unique Storm bot IPs over 2 days. Our results confirm some of the findings of this recent paper regarding size of the Storm botnet. It estimates that the Storm botnet’s size is 5,000 – 6,000 unique IPs (lower bound) and 45,000 – 80,000 upper bound.

The majority of infected machines are located in USA, Russia, Mexico, India, Turkey, Brazil and Poland (in that order). The complete list is here. A partial list of top results is below.

United States 1716
Russian Federation 1177
Mexico 869
India 699
Turkey 609

Brazil 453
Poland 427
Viet Nam 366
Korea, Republic of 362
Morocco 330
France 325
Romania 281
Ukraine 235

We have also analyzed the IP distribution per Autonomous System. Most IPs belong to TTnet Autonomous System, Uninet S.A. de C.V., Vietnam Posts and Telecommunications, SBC Internet Services and BHARTI BT INTERNET LTD. A complete list is here and partial top results are shown below.

TTnet Autonomous System 838
Uninet S.A. de C.V. 792
Vietnam Posts and Telecommunications (VNPT) 605
SBC Internet Services 420
BHARTI BT INTERNET LTD. 362
Itissalat Al-MAGHRIB 330
Comcast Cable Communications, Inc. 269
Polish Telecom’s commercial IP network 260
MTU-Intel Moscow region network 255
National Internet Backbone 235
Romania Data Systems S.A. 222

The IPs were collected by running a Storm bot client in a controlled environment. Also, keep in mind that resolving IPs to their AS numbers and countries using publicly available information in an automated way does not always give an answer (hence the “__UNKNOWN__”’s in the complete lists).

Malware MD5: 8d743df03e17526bddba57a3c7c366ca

Interesting Storm Links:
Sudosecure
Storm Spam wiki
Chasing Storm Into 2008 – Trend Labs

Attacks on BitTorrent

Brad Schonhorst — Fri, 18 Jan 2008 22:11:45 +0000

Many media companies are paying big money to try and stop file sharing of copyrighted material. While the material in question is being shared illegally, many of the techniques these companies employ effect everyone by generating much additional internet traffic. In this presentation I present research into some new techniques currently being used to attack BitTorrent swarms and the prevalence of these attacks.

BitTorrent Presentation

Detecting Botnet Membership

Brad Schonhorst — Sat, 21 Apr 2007 03:03:36 +0000

More and more often we hear about botnets being responsible for a larger piece of Internet crime today. Botnets are complex systems and there are many different approaches to combating the problem. I decided to take a look at some of the more recent techniques to discover bot malware infection from network traffic. I came across two particularly interesting methods of identifying infected machines. One is to look at the most often used command and control technique – IRC channels – and try to determine ‘evil’ channels which provide commands for zombie machines. Another idea is to look for DNS Black List lookups, which may be performed by bots to test that an IP address is not listed before using it to send spam. Attached is a short presentation I gave for the ISIS computer lab.

Botnet Membership Detection within the Network

Email Source Authentication through Network Services: An Open Question

Michael Daniluk — Fri, 09 Feb 2007 19:47:48 +0000

Suppose you have an email that claims to be from a particular web destination (”Chase Bank”, “eBay”, “Middle of Nowhere Bank”, etc.) and directs you to a url purportedly at that location. Suppose further that you possess the capability of extracting both these pieces of information from any email if the email falls into said category. So you have

A. Purported Web Destination of Email
B. URL Email is Instructing you to Follow

So here is an open-ended question: how can you use existing network services to determine that B is an authentic location in A? A subset of existing spam filtering heuristics work quite well towards this end (visible text of html link does not match actual url, href attribute is expressed as IP address, etc.), but using network services opens of a new dimension of validation, one in which the data gathered for heuristic application are outside the control of the email’s sender. So post any ideas you have. Kurt asked a similar question at an SFS meeting last semester pertaining to the parasitic storage project. Whereas his aim was using network services for caching, my aim is using them for source authentication. Thanks and please keep the discussion focused, at least primarily, on this particular method.