Rustock Botnet and ASNs
TPRC, 24 September 2011
John S. Quarterman, Quarterman Creations
Serpil Sayin, Koç University
Andrew B. Whinston, U. Texas at Austin
Supported by NSF grant no. 0831338; the usual disclaimers apply.

Spam, Botnets, Security, and Policy
Starting with some published ASN rankings
Drill down to Rustock and other botnets
Show some effects of a takedown
Specific enough to be actionable by affected orgs
They could use it to detect and fix vulnerabilities
How to get the orgs to pay attention?
Reputational rankings to produce peer pressure
A few simple policy suggestions

After the Rustock Takedown

Rustock Takedown and Slowdown
December 2011 Rustock Slowdown
16 March 2011 Rustock Takedown
Which ASNs were affected?
Effects on overall spam?
Using data from the CBL blocklist
Mapped to ASNs and orgs using Team Cymru data
Rankings and graphs by SpamRankings.net

Rustock Takedown Rank Effects
[graph slide; no text recovered]

16 March 2011 Takedown Daily Graph
[daily graph; annotations: Takedown, Hardware Outage]

December 2011 Rustock Slowdown
[graph; annotation: Slowdown]

Dec 2010 – July 2011 Top Botnets Recovery
[graph; annotations: Slowdown, Takedown]

Slowdown vs. Takedown
Slowdown: gradual and temporary
During slowdown: Maazben and Bobax took up the slack
As Rustock returned in January, Bobax went back down
After slowdown: Maazben also retreated to its old levels; Rustock #1, Lethic #2
Takedown: rapid and much longer-lasting
But other botnets took up the slack

Dec 2010 Top Spamming ASNs
[graph; annotation: Increases during slowdown]

March 2011 Top Spamming ASNs
[graph; annotations: 4766 #1, 4766 #9]

March 2011 AS 4766's Botnets
[graph; label: Lethic]

Dec 2010 AS 9829's Botnets
[graph; labels: Bobax, Lethic]

March 2011 Top Botnets
[graph; labels: Lethic, Maazben]

Opportunistic Botnets & Spamming
Knock one down, two more pop up
Spammers can just rent from a different botnet
Other botnets can use the same vulnerabilities

Dec 2010 Top Botnets
[graph; labels: Rustock, Lethic]

Congratulations Rustock Takedown!
Takedown had a more lasting effect than Slowdown
Congratulations!
But in both cases other botnets started to take up the slack
Whack-a-mole is fun, but not a solution
Need many more takedowns, or many more organizations playing
How do we get orgs to do that?

Cyberwar meets IT Security
Generations of warfare:
1st: massed troops
2nd: tanks and heavy artillery
3rd: maneuver
4th: IEDs and suicide bombs
5th: open source gangs in it for the money
Cyberwarfare responses:
1st: key escrow
2nd: Internet off switch at CONUS (Maginot Line)
3rd: CERT, FIRST, etc.
4th: botnet takedowns
5th: economic and reputational incentives for distributed, diverse commons governance

Spam as a Proxy for Infosec
Most orgs keep security problems secret, because they think disclosure will harm their reputation
Aha! Publish reputation and they'll care
Need an available proxy for security
Anti-spam blocklists have spam data
Spam comes from botnets, which use vulns
Just as a sneeze means disease, outbound spam means poor infosec
(Other diseases may not sneeze; for those, other data; come back to that later.)

Peer pressure and Medical orgs
Peer pressure is key: rank similar orgs (Festinger, Luttmer, Apesteguia; see paper for refs)
Spam data exists for every org on the Internet, not just ISPs; any ESP (Email Service Provider)
We ranked medical orgs (worldwide, U.S.)
Within 2 months they all dropped to zero spam
Confirmation from a [confidential] medical org: "The listing on your site added additional impetus to make sure we 'stay clean' so in that regard, you are successful."

How Rankings Work
Rankings must be frequent, comprehensive, and detailed
Must compare peers
To be usable:
Marketing: brag about good rankings; bad rankings are an incentive to get better so you can brag
Sales: good reputation for customer retention
Diagnostics: drilldowns for clues to what to fix
Producing a more comprehensive application of existing Internet security methods

Many rankings examples
FT business school rankings
Vehicle Blue Book
Credit ratings: Moody's, S&P, Fitch
And by far the most numerous: sports scores
In leagues, for teams, for players
Detailed (earned run average, etc.) and composite overall

Further rankings from spam data
Botnet rankings: botnets use known vulnerabilities; orgs infested by botnets probably have those vulns; not good for their reputation
Vulnerability rankings: an org infested by several botnets which exploit common vulns very likely has those vulns
Infosec experiments: an org can change its infosec and watch the rankings to see which infosec works
Single IP address drilldowns: which addresses are spamming, and which botnets infest them

Derivative rankings
Normalized (by addresses, customers, employees)
Susceptibility (speed of infection by botnets)
Recidivism (frequency of re-infestation)
Improvement (change over time)
Composite (weighted average of all the above)
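The ranking pipeline the deck sketches (slide 4: blocklist listings mapped to ASNs; slide 23: per-ASN botnet drilldowns; slide 24: normalized, recidivism, improvement and composite rankings), carried through end to end as an added example. This is not SpamRankings.net's code and not how that site computes anything. The prefix table, ASN sizes and listings are constructed stand-ins (documentation address ranges, private ASNs) for CBL and Team Cymru data; the composite weights are hypothetical; the recidivism definition (an address listed again after at least one clean day) is this example's own choice. Susceptibility is left out because it needs infection-timing data the listings here do not carry.

```python
"""Rankings from spam-blocklist listings (added example, not SpamRankings.net code)."""
import ipaddress
from collections import defaultdict

# Constructed prefix table standing in for an IP-to-ASN lookup: (CIDR, ASN).
# Documentation ranges and private ASNs; the /25 is more specific than the /24.
PREFIX_TABLE = [(ipaddress.ip_network(c), asn) for c, asn in [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("203.0.113.0/24", 64502),
    ("203.0.113.128/25", 64503),
]]
# Constructed address counts per ASN, used to normalize volume.
ASN_SIZE = {64500: 256, 64501: 256, 64502: 128, 64503: 128}
# Constructed blocklist listings: (day, listed address, botnet attributed by the list).
# Days 1-2 precede a hypothetical takedown of "rustock", days 3-4 follow it.
LISTINGS = [
    (1, "192.0.2.10", "rustock"), (1, "192.0.2.11", "rustock"),
    (1, "192.0.2.12", "lethic"), (1, "198.51.100.5", "rustock"),
    (1, "203.0.113.7", "bobax"),
    (2, "192.0.2.10", "rustock"), (2, "198.51.100.5", "lethic"),
    (2, "203.0.113.7", "bobax"), (2, "203.0.113.200", "maazben"),
    (3, "192.0.2.12", "lethic"), (3, "203.0.113.7", "bobax"),
    (3, "203.0.113.200", "maazben"),
    (4, "192.0.2.10", "lethic"), (4, "203.0.113.7", "bobax"),
]
BEFORE, AFTER = {1, 2}, {3, 4}
WEIGHTS = {"volume": 2, "normalized": 1, "recidivism": 1, "improvement": 1}  # hypothetical


def ip_to_asn(ip):
    """Longest-prefix match against PREFIX_TABLE; None if the address is unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def volume_by_asn(listings, days=None):
    """Listings per ASN, optionally restricted to a set of days."""
    counts = defaultdict(int)
    for day, ip, _ in listings:
        asn = ip_to_asn(ip)
        if asn is not None and (days is None or day in days):
            counts[asn] += 1
    return dict(counts)


def rank(scores):
    """Worst first (highest score); ties broken by ASN number so output is deterministic."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def botnets_by_asn(listings):
    """Drilldown: which botnets the listings attribute to each ASN."""
    out = defaultdict(lambda: defaultdict(int))
    for _, ip, botnet in listings:
        asn = ip_to_asn(ip)
        if asn is not None:
            out[asn][botnet] += 1
    return {asn: dict(b) for asn, b in out.items()}


def normalized(counts, sizes, per=1000):
    """Listings per `per` addresses, so a small ASN is comparable with a large one."""
    return {asn: n * per / sizes[asn] for asn, n in counts.items()}


def recidivism(listings):
    """Re-infestations per ASN: an address listed again after at least one clean day."""
    days_by_ip = defaultdict(set)
    for day, ip, _ in listings:
        days_by_ip[ip].add(day)
    out = {asn: 0 for asn in volume_by_asn(listings)}
    for ip, days in days_by_ip.items():
        asn = ip_to_asn(ip)
        if asn is None:
            continue
        d = sorted(days)
        out[asn] += sum(1 for a, b in zip(d, d[1:]) if b > a + 1)
    return out


def improvement(listings, before, after):
    """Change in listings (after minus before); negative means the ASN got better."""
    b, a = volume_by_asn(listings, before), volume_by_asn(listings, after)
    return {asn: a.get(asn, 0) - b.get(asn, 0) for asn in set(a) | set(b)}


def composite(metrics, weights):
    """Weighted average over metrics of (n + 1 - rank position), so higher is worse."""
    asns = set().union(*(m.keys() for m in metrics.values()))
    n = len(asns)
    pos = {name: {asn: i for i, (asn, _) in enumerate(rank(s), 1)} for name, s in metrics.items()}
    total = sum(weights[name] for name in metrics)
    return {asn: sum(weights[name] * (n + 1 - pos[name].get(asn, n)) for name in metrics) / total
            for asn in asns}


def all_rankings(listings=LISTINGS):
    """Volume plus the derivative rankings, each as {asn: score} with higher = worse."""
    vol = volume_by_asn(listings)
    metrics = {"volume": vol, "normalized": normalized(vol, ASN_SIZE),
               "recidivism": recidivism(listings),
               "improvement": improvement(listings, BEFORE, AFTER)}
    metrics["composite"] = composite(metrics, WEIGHTS)
    return metrics


if __name__ == "__main__":
    for name, scores in all_rankings().items():
        print(name, rank(scores))
    print("botnets", botnets_by_asn(LISTINGS))
```

Two things the constructed data makes visible: AS 64500 tops the raw volume ranking but the smaller AS 64502 tops the normalized one, which is why the deck lists normalization as a separate derivative ranking; and AS 64500 is the only one with recidivism, because its addresses drop off the list and come back, whereas AS 64502's single address is continuously listed, which a volume count alone does not distinguish.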

Internet field experiments
We are releasing rankings for one country, then later for a similar country
Does the second country change similarly?
Can experiment with many rankings: per country, per org category, per data source
Does peer pressure on disclosure change behavior?
The rankings themselves provide ways to determine how well they work

Policy: other data, other rankings
SpamRankings.net pioneers reputational peer rankings related to Internet security
Available now because spam data is available
Similar rankings could be made with other data: phishing sources and servers; breaches, vulns, etc.; you can think of more
A simple policy suggestion: require making other specific data available
Enable multiple rankings by multiple agencies
Transparency for diverse cooperation (Elinor Ostrom)

Needed and Not Needed
Needed:
More data sources: publicly available; frequent, comprehensive
More research (data correlation, ranking effects, law, policy, etc.)
Independent ranking and certification agency(ies)
Many diverse, cooperating entities (rankers, ranked, academia, industry, govt)
Not needed:
New Internet protocols
Punitive laws
Reports only to govt
Sporadic reports
Selected by reporting orgs
Dept. of Homeland Internet Security

Acknowledgments
This material is based upon work supported by the National Science Foundation under Grant No. 0831338. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
We also gratefully acknowledge custom data from CBL, PSBL, Fletcher Mattox and the U. Texas Computer Science Department, Quarterman Creations, Gretchen Phillips and GP Enterprise, and especially Team Cymru. None of them are responsible for anything we do, either.