{"id":581,"date":"2009-05-05T23:41:07","date_gmt":"2009-05-06T04:41:07","guid":{"rendered":"http:\/\/www.jasonmorrison.net\/content\/?p=581"},"modified":"2009-05-05T23:41:07","modified_gmt":"2009-05-06T04:41:07","slug":"how-spam-and-malware-botnets-work-two-papers","status":"publish","type":"post","link":"http:\/\/www.jasonmorrison.net\/content\/2009\/how-spam-and-malware-botnets-work-two-papers\/","title":{"rendered":"How spam and malware botnets work &#8211; two papers"},"content":{"rendered":"<p>I read two reports today about large-scale botnets that really pointed out that security is still an open problem on the web.  Recently, <a href=\"http:\/\/www.darkreading.com\/security\/client\/showArticle.jhtml?articleID=217201422\">researchers got access to a nasty botnet, Torpig<\/a> (original paper: <a href=\"http:\/\/www.cs.ucsb.edu\/~seclab\/projects\/torpig\/torpig.pdf\">Your Botnet is My Botnet: Analysis of a Botnet Takeover<\/a>).  A few months earlier <a href=\"http:\/\/voices.washingtonpost.com\/securityfix\/2008\/11\/study_spam_still_profitable_at.html\">researchers hijacked the Storm Worm<\/a> and looked at its profitability (original paper: <a href=\"http:\/\/www.icsi.berkeley.edu\/pubs\/networking\/2008-ccs-spamalytics.pdf\">Spamalytics: An Empirical Analysis of Spam Marketing Conversion<\/a>).  Both papers are fascinating, but terrifying reads. <\/p>\n<p>Some findings:<\/p>\n<ul>\n<li>In 10 days, a botnet running on 160,000 machines stole credentials for over 8,000 bank accounts.<\/li>\n<li>About 1 in 10 people who open a spam email click through to get infected by the malware.<\/li>\n<li>350 million spam emails resulted in only 28 sales, but the average purchase was $100.<\/li>\n<\/ul>\n<p>How do these botnets get control of machines?  How do they make money?  
Whether it&#8217;s a spammer who needs to get someone to make a purchase on a website or a scammer stealing credit card numbers, passwords, and other information, ultimately you need to get someone to a bad website.  Think about all the paths you might take to different sites during the day:<\/p>\n<ul>\n<li>Via a web search<\/li>\n<li>Clicking on a link in an email<\/li>\n<li>Going directly to a favorite site<\/li>\n<li>Clicking through an ad<\/li>\n<\/ul>\n<p>Spammers and scammers try to take advantage of all of those methods, and given the huge numbers of machines at their disposal, it&#8217;s a wonder search engines, spam filters, and advertising systems protect users as well as they do now.  Between the first and third bullet points above, there&#8217;s a huge motivation to hack otherwise good sites to inject drive-by download malware &#8211; <a href=\"http:\/\/www.jasonmorrison.net\/content\/2008\/what-i-did-when-my-site-showed-up-as-a-bad-link\/\">it can happen to anyone<\/a>. <\/p>\n<p>So what can we do about it?  I think it ultimately comes down to a combination of smarter automated methods, better ways to establish trustworthiness, and removing the economic incentives for spamming, identity theft, and hacking.  I have a few posts in mind about some current tools that help with the trust issue and how we might be able to build a social web of trust.  <\/p>\n<p>This isn&#8217;t a new discussion; Tim Berners-Lee has been <a href=\"http:\/\/www.w3.org\/1998\/02\/Potential.html\">writing about the web of trust<\/a> since the 1990s.  But all the work done since then has yet to really solve these problems.  And really, so long as a few people are willing to click on a malware link or buy drugs via a spam email, it will never stop.  <\/p>\n","protected":false},"excerpt":{"rendered":"<p>I read two reports today about large-scale botnets that really pointed out that security is still an open problem on the web. 
Recently, researchers got access to a nasty botnet, Torpig (original paper: Your Botnet is My Botnet: Analysis of a Botnet Takeover). A few months earlier researchers hijacked the Storm Worm and looked at [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[635,634,223,636,220,95,310],"class_list":["post-581","post","type-post","status-publish","format-standard","hentry","category-blog","tag-botnets","tag-malware","tag-security","tag-social-web","tag-spam","tag-trust","tag-webspam"],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/posts\/581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/comments?post=581"}],"version-history":[{"count":1,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/posts\/581\/revisions"}],"predecessor-version":[{"id":582,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/posts\/581\/revisions\/582"}],"wp:attachment":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/media?parent=581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/categories?post=581"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/tags?post=581"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}