DOI QR코드

DOI QR Code

Detection of Zombie PCs Based on Email Spam Analysis

  • Received : 2011.11.04
  • Accepted : 2012.04.24
  • Published : 2012.05.30

Abstract

While botnets are used for various malicious activities, it is well known that they are widely used for email spam. Though the spam filtering systems currently in use block IPs that send email spam, simply blocking the IPs of zombie PCs participating in a botnet is not enough to prevent the spamming activities of the botnet because these IPs can easily be changed or manipulated. This IP blocking is also insufficient to prevent crimes other than spamming, as the botnet can be simultaneously used for multiple purposes. For this reason, we propose a system that detects botnets and zombie PCs based on email spam analysis. This study introduces the concept of "group pollution level" - the degree to which a certain spam group is suspected of being a botnet - and "IP pollution level" - the degree to which a certain IP in the spam group is suspected of being a zombie PC. Such concepts are applied in our system that detects botnets and zombie PCs by grouping spam mails based on the URL links or attachments contained, and by assessing the pollution level of each group and each IP address. For empirical testing, we used email spam data collected in an "email spam trap system" - Korea's national spam collection system. Our proposed system detected 203 botnets and 18,283 zombie PCs in a day and these zombie PCs sent about 70% of all the spam messages in our analysis. This shows the effectiveness of detecting zombie PCs by email spam analysis, and the possibility of a dramatic reduction in email spam by taking countermeasure against these botnets and zombie PCs.

Keywords

References

  1. M. Feily, A. Shahrestani and S. Ramadass, "A Survey of Botnet and Botnet detection," in Proc. of in Third International Conference on Emerging Security Information, Systems and Technologies, 2009.
  2. Symantec, http://www.symantec.com/
  3. M. Bailey, E. Cooke, F. Jahnian, Y. Xu, and M. Karir, "A survey of botnet technology and defenses," Cyber-security Applications and Technology Conference for Homeland Security, pp.299-304, 2009.
  4. The Register, "DDoS attacks fall as crackers turn to spam,"
  5. MessageLabs, http://www.messagelabs.com/
  6. Zhu, Z. Lu, G., Chen, Y., Fu, Z.J., Roberts, P. and Han, K., "Botnet research survey," Computer Software and Applications, 2008.
  7. N.C. Paxton, G.J. Ahn, R. Kelly, K. Pearson and B.T. Chu, "Collecting and Analyzing Bots in a Systematic Honeynet-based Testbed Environment," in Proc. of the 11th Colloquium for Information Systems Security Education, 2007.
  8. Zhuge, J. and Holz, T. and Han, X. and Guo, J. and Zou, W., "Characterizing the irc-based botnet phenomenon," Peking University & University of Mannheim Technical Report, 2007.
  9. G. Gu, R. Perdisci, Z. Zhang and W. Lee, "BotMiner: clustering analysis of network traffic for protocol-and structure-independent botnet detection," in Proc. of the 17th conference on Security symposium, pp.139-154, 2008.
  10. Hyunsang Choi, Hanwoo Lee, Heejo Lee and Hyogon Kim, "Botnet detection by monitoring group activities in DNS traffic," IEEE International Conference Computer and Information Technology(CIT), 2007.
  11. Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten and I. Osipkov, "Spamming Botnets: Signatures and characteristics," SIGCOMM'08, Aug.2008.
  12. A. Ranachandran, N. Feamster and S. Vempala, "Filtering spam with behavioral blacklisting," CCS'07, 2007.
  13. J.P. John, A. Moshchuk, S.D. Gribble and A. Krishnamurthy, "Studying spamming botnets using botlab," USENIX, 2009.
  14. L. Zhuang, J. Dunagan, D.R. Simon, H.J. Wang and J.D. Tygar, "Characterizing botnets from email spam records," in Proc. of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, 2008.
  15. P. Graham, "Different methods of stopping spam," http://www.windowsecurity.com/, 2003
  16. MP Collins, TJ Shimeall, S Faber, J Janies, R Weaver and MD Shon, "Using uncleanliness to predict future botnet addresses," in Proc. of the 7th ACM SIGCOMM conference on Internet measurement, 2007.
  17. K.S. Han, Y.H. Shin and E.G. Im, "A study of spam-spread malware analysis and countermeasure framework," in Journal of Security Engineering, 2010.
  18. Hyun Cheol Jeong, Huy Kang Kim, Sangjin Lee, Joo Hyung Oh, "Study for tracing zombie pcs and botnet using an email spam trap," in Journal of the Korea Institute of Information Security and Cryptology, vol.21, no.3, pp.3-188, Jun.2011.
  19. Sophos, "Security threat report 2011," 2011.

Cited by

  1. Finding Rotten Eggs: A Review Spam Detection Model using Diverse Feature Sets vol.12, pp.10, 2012, https://doi.org/10.3837/tiis.2018.10.026