TY - GEN
T1 - A strategic analysis of spam botnets operations
AU - Thonnard, Olivier
AU - Dacier, Marc
N1 - Generated from Scopus record by KAUST IRTS on 2022-09-12
PY - 2011/10/13
Y1 - 2011/10/13
N2 - We present in this paper a strategic analysis of spam botnets operations, i.e., we study the inter-relationships among botnets through their spam campaigns, and we focus on identifying similarities or differences in their modus operandi. The contributions of this paper are threefold. First, we provide an in-depth analysis which, in contrast with previous studies on spamming bots, focuses on the long-term, strategic behavior of spam botnets as observed through their aggregate spam campaigns. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly Message Labs) through worldwide distributed spamtraps. Secondly, we demonstrate the usefulness of emerging attack attribution methodologies to extract intelligence from large spam data sets, and to correlate spam campaigns according to various combinations of different features. By leveraging these techniques relying on data fusion and multi-criteria decision analysis, we show that some tight relationships exist among different botnet families (like Rustock/Grum or Lethic/Maazben), but we also underline some profound differences in spam campaigns performed by other bots, such as Rustock versus Lethic, Bagle or Xarvester. Finally, we use the very same attribution methodology to analyze the recent Rustock take-down, which took place on March 17, 2011. As opposed to previous claims, our experimental results show that Bagle has probably not taken over Rustock's role, but instead, we found some substantial evidence indicating that part of Rustock activity may have been offoaded to Grum shortly after the take-down operation. Copyright © 2011 ACM.
AB - We present in this paper a strategic analysis of spam botnets operations, i.e., we study the inter-relationships among botnets through their spam campaigns, and we focus on identifying similarities or differences in their modus operandi. The contributions of this paper are threefold. First, we provide an in-depth analysis which, in contrast with previous studies on spamming bots, focuses on the long-term, strategic behavior of spam botnets as observed through their aggregate spam campaigns. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly Message Labs) through worldwide distributed spamtraps. Secondly, we demonstrate the usefulness of emerging attack attribution methodologies to extract intelligence from large spam data sets, and to correlate spam campaigns according to various combinations of different features. By leveraging these techniques relying on data fusion and multi-criteria decision analysis, we show that some tight relationships exist among different botnet families (like Rustock/Grum or Lethic/Maazben), but we also underline some profound differences in spam campaigns performed by other bots, such as Rustock versus Lethic, Bagle or Xarvester. Finally, we use the very same attribution methodology to analyze the recent Rustock take-down, which took place on March 17, 2011. As opposed to previous claims, our experimental results show that Bagle has probably not taken over Rustock's role, but instead, we found some substantial evidence indicating that part of Rustock activity may have been offoaded to Grum shortly after the take-down operation. Copyright © 2011 ACM.
UR - http://dl.acm.org/citation.cfm?doid=2030376.2030395
UR - http://www.scopus.com/inward/record.url?scp=80053642264&partnerID=8YFLogxK
U2 - 10.1145/2030376.2030395
DO - 10.1145/2030376.2030395
M3 - Conference contribution
SN - 9781450307888
SP - 162
EP - 171
BT - ACM International Conference Proceeding Series
ER -