SPAM/BOTNETS and Malware Neil Warner, CIO, GoDaddy.com Moderator: Dan Kaplan, deputy editor, SC Magazine

We Put Up Walls

Modern Day Fort

How do you Detect SPAM Mails?– Key words– Heuristics/Abnormal behavior

What can you do to defend against it?– SPAM Filters– Reputation services to block traffic from those

Spamming IP addresses– Take down the root cause

War Against SPAM

SPAM

US34%

CN16%

RU12%

UK7%

AR7%

BR6%

FR5%

ES5%

RO4%

DE4%

What are Botnets used for? How do we detect them? How can we defend Against it? Botnet lifecycle

– Bot-herder configures initial bot parameters such as infection vectors, payload, stealth, C&C details

– Register a DDNS– Register a static IP– Bot-herder launches or seeds new bot(s)– Bots spread– Causes an increase of DDoS being sent to the victim– Losing bots to rival botnets

Bot Army

Botnets

US53%

RU8%

DE8%

UK7%

FR6%

UA6%

NL5%

CA3%

SE2%

ES2%

Different types of Malware Broad Category

– Trojans, Rootkits, Backdoors Malware for Fun and Profit

– Spyware, Key loggers, Dialers, Bots, Proxies, SEO etc..

Grayware

Camouflaged Attacks

Malware

US45%

CN11%

RU9%

DE8%

NL6%

UA6%

UK4% KR

3% CA3%

CZ3%

Top 10 Malware Countries

Threat Landscape - Brute Force

Threat Landscape - FTP

Threat Landscape - SSH

Threat Landscape - Conficker

Threat Landscape - Slammer

Threat Landscape - Fake Search Agents

Threat Landscape - e107 bot

How Does Malware Happen

$$$$$$

<html>Holy Crap! Infected! Click Here to clean</html>

GET http://intermediary.com/ll.php

Make HTTP calls to infection script and site is infected

Compromised Attack Server(s)

Servers with Compromised Accounts(Zeus/Phishing/etc)

FTP/SSH Upload of Attack Shell/Script

Casual Web User Visits Infected Site

End Users

Fake AV

<script>http://intermediary.com/ll.php</script>

Disposable Domain Name

0 Day vulnerability in a web application or Web Server– Compromises the web sites– Redirects the end user to a malware site or competitors website.– Example: Fake AV Campaign

Fake AV

What Can We Do?

Network/Application Security toolsFirewallsIntrusion Prevention SystemsIntrusion Detection SystemsWeb Application FirewallsNetwork Access ControlsAntivirusReputation based AccessCode Audits

The Most Important Deterent

Security Professionals

Is The Internet Worth IT?

Thank You| Q&A

Neil Warner, CIO GoDaddy.comnwarner@godaddy.com

https://zeustracker.abuse.ch/ http://www.malwaredomainlist.com/ http://www.phishtank.com/ http://www.clean-mx.de/ http://en.wikipedia.org/wiki/Botnet http://en.wikipedia.org/wiki/Malware

References