HOW TO FIND A HIDDEN SPAMMER
By Andrew Brandt
Solera Networks
HOW IT STARTS
The typical spam campaign starts with a social engineering hook, which attempts to convince the reader to click a link in the message body.
SAY HELLO TO MALWARE
These links can lead to pages hosting malware .EXE files inside of .ZIP folders. They can also use browser exploits to force an install on the victim's computer.
THESE ARE STEPPING STONES
These specialized Trojans retrieve instructions from a command-and-control server that include the body of the spam message, and a list of mail servers and victim email addresses to which the Trojan sends the messages.
HOW THEY WORK
These Trojans retrieve instructions from a server that include the body of the spam message, and a list of mail servers and victim email addresses to which the Trojan sends the messages.
THE GOOD NEWS / THE BAD NEWS
GOOD NEWS: Easy to identify and segregate the offending machines.
BAD NEWS: Thousands more people could end up receiving malicious messages, which might result in your own network ending up on a spam blacklist.
USING THE RIGHT TOOLS
Using Solera's DeepSee, we detected that in just 20 seconds the Trojan dispatched 181 identical messages.
USING DEEPSEE
Using DeepSee, you can take note of the IP address(es) of your usual mail servers, then create a Favorite with these queries:

    ipv4_address!=your_mail_server
    application_id=SMTP

That will bring to the fore all non-mail-servers that are sending email using the SMTP protocol.
SETTING UP ALERTS
Once you've created that Favorite, you can set up alerts to watch for traffic matching the rule. Typical malicious behavior might involve a large volume of mail being sent by machines meeting these criteria in a short period of time. The most obvious standouts will be sending messages at odd hours, such as when nobody should be at work (holidays/weekends).
CATCHING THE SLOWER ONES
Look at the traffic generated by a much more low-key spam relay Trojan. The Trojan responsible sent these Canadian pharmacy, knockoff watch, and "dating site" spams, transmitted at a much slower rate of about two messages per minute. While the volume may keep the messages under the radar, you might consider setting up alerts looking for the subject matter of the messages.
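The three detections described in the USING DEEPSEE, SETTING UP ALERTS and CATCHING THE SLOWER ONES slides (non-mail-server SMTP senders, a burst of messages in a short window, off-hours sending, and subject-matter matching for slow senders) worked through in Python over constructed flow records. This is an added example, not DeepSee output or Solera code; the record format, the mail server address 10.0.0.25, the host addresses, the thresholds and the subject keywords are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed address of the legitimate mail relay (the "your_mail_server" in the Favorite).
MAIL_SERVERS = {"10.0.0.25"}

# Constructed sample records in a hypothetical (timestamp, src_ip, app, subject) layout.
SAMPLE_RECORDS = (
    # legitimate relay traffic on a Tuesday morning; the Favorite should exclude it
    [(datetime(2013, 3, 5, 10, 0, s), "10.0.0.25", "SMTP", "Q1 report") for s in range(0, 40, 2)]
    # noisy bot: 181 identical messages within 20 seconds, on a Sunday at 03:12
    + [(datetime(2013, 3, 3, 3, 12, 0) + timedelta(milliseconds=100 * i), "10.0.5.17", "SMTP",
        "Your parcel") for i in range(181)]
    # low-key bot: about two messages per minute, pharmacy / watch / dating subjects
    + [(datetime(2013, 3, 5, 11, 0, 0) + timedelta(seconds=30 * i), "10.0.7.42", "SMTP",
        ["Canadian pharmacy discount", "Replica watches", "Dating site invitation"][i % 3])
       for i in range(10)]
    # an HTTP flow from a workstation; not SMTP, so the Favorite ignores it
    + [(datetime(2013, 3, 5, 11, 0, 5), "10.0.7.42", "HTTP", "")]
)

BURST_WINDOW = timedelta(seconds=20)
BURST_THRESHOLD = 50  # messages from one host inside BURST_WINDOW (assumed threshold)
SUBJECT_PATTERN = re.compile(r"pharmacy|replica|watch|dating", re.IGNORECASE)


def non_mailserver_smtp(records, mail_servers=MAIL_SERVERS):
    """Equivalent of the Favorite: SMTP flows whose source is not a known mail server."""
    return [r for r in records if r[2] == "SMTP" and r[1] not in mail_servers]


def burst_senders(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Hosts that send at least `threshold` messages inside any sliding window.
    Returns host -> largest count seen in one window."""
    by_host = defaultdict(list)
    for ts, src, _, _ in records:
        by_host[src].append(ts)
    flagged = {}
    for src, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged


def off_hours_senders(records):
    """Hosts sending mail on a weekend or outside 07:00-19:00 (assumed business hours)."""
    return sorted({src for ts, src, _, _ in records
                   if ts.weekday() >= 5 or not 7 <= ts.hour < 19})


def subject_match_senders(records, pattern=SUBJECT_PATTERN):
    """Slow senders caught by subject matter rather than volume; host -> matching messages."""
    hits = defaultdict(int)
    for _, src, _, subject in records:
        if pattern.search(subject):
            hits[src] += 1
    return dict(hits)


def triage(records=SAMPLE_RECORDS):
    """Apply the Favorite first, then the three alert rules to what it surfaces."""
    suspects = non_mailserver_smtp(records)
    return {"burst": burst_senders(suspects),
            "off_hours": off_hours_senders(suspects),
            "subject": subject_match_senders(suspects)}


if __name__ == "__main__":
    for rule, result in triage().items():
        print(rule, result)
```

On the constructed data the noisy bot trips the burst and off-hours rules while the slow bot is caught only by its subjects, which is the point of the third slide.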
CATCHING THE SLOWER ONES
Detect and extract the command-and-control traffic between the infected host and its botnet HQ. Spam relay Trojans must receive instructions, or they can't do their job. Check out this extraction of traffic generated by just such a Trojan.
CATCHING THE SLOWER ONES
The CnC traffic is made even more obvious by its inclusion of a second, extraneous port number.

(Hint: Search for http_uri~:8080:80 in the Path Bar.)
MORE DISCOVERIES
Once you find the CnC traffic, extraction can lead to more discoveries, but in this case, the traffic seems to be unreadable.
IS IT REALLY UNREADABLE?
Well, unreadable but not indecipherable. A little bit-shifting of the binary data in this artifact reveals the true contents of the CnC message. The first set of CnC exchanges usually include all the instructions the bot needs, such as…
HOW TO DECODE
…the message body of the spam it will send…
HOW TO DECODE
…the link to the site hosting the malicious code, which will be embedded in the message…
HOW TO DECODE
…and, to my utterly astonished amusement, a list of CnC server IP addresses the botmaster will use to control the Trojan.
THE LAST EXERCISE
This last one really makes the whole exercise worthwhile: the bot itself downloads these IPs every time it checks in with the CnC server. In essence, it's keeping us updated with a list of who the bot can talk to.
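The decoding step from IS IT REALLY UNREADABLE? through THE LAST EXERCISE as an added Python example, not the author's tooling. The slides do not say which shift was used, so this assumes the obfuscation is a per-byte bit rotation: the code tries all eight rotations, keeps the most text-like result, and then pulls out the instruction fields the slides list (the embedded link and the CnC IP list). The captured blob, the plaintext layout and the addresses are constructed for the example; the IPs are documentation ranges and the URL is a placeholder.

```python
import re
import string

PRINTABLE = set(string.printable.encode())


def rotl8(b, n):
    """Rotate one byte left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def rotate_blob(blob, n):
    """Apply the same bit rotation to every byte of the artifact."""
    return bytes(rotl8(b, n) for b in blob)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; 1.0 means the candidate reads as text."""
    return sum(1 for b in data if b in PRINTABLE) / max(len(data), 1)


def decode_by_rotation(blob):
    """Try every rotation and return (shift, plaintext) for the most text-like candidate."""
    best = max(range(8), key=lambda n: printable_ratio(rotate_blob(blob, n)))
    return best, rotate_blob(blob, best)


IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(rb"https?://[^\s\"'<>]+")


def extract_instructions(plaintext):
    """Pull the indicators the slides mention out of a decoded CnC message:
    the link embedded in the spam and the list of CnC server addresses."""
    return {"urls": sorted(set(URL.findall(plaintext))),
            "cnc_ips": sorted(set(IPV4.findall(plaintext)))}


# Constructed sample: the plaintext layout is invented, the URL is a placeholder and the
# addresses come from documentation ranges. The "captured" form is rotated left by 3 bits.
SAMPLE_PLAINTEXT = (
    b"BODY=Your order is ready, download the receipt at http://example.invalid/receipt.zip\n"
    b"CNC=192.0.2.10,192.0.2.11,198.51.100.7\n"
)
SAMPLE_BLOB = rotate_blob(SAMPLE_PLAINTEXT, 3)


def analyze(blob=SAMPLE_BLOB):
    """Decode an artifact and return (recovered shift, extracted indicators)."""
    shift, text = decode_by_rotation(blob)
    return shift, extract_instructions(text)


if __name__ == "__main__":
    shift, found = analyze()
    print("recovered with left rotation of", shift, "bits")
    print(found)
```

Because the bot refreshes the address list on every check-in, re-running the extraction over each new CnC exchange keeps the block list current, which is the observation the last slide makes.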
Read the full article here