Botnet judo fights spam with a flip

Written by John P Mello Jr on January 29, 2010
Compromised computers spew spam.

In judo, an attacker’s assets are turned into liabilities by a defender. The attacker’s attributes like weight and size are leveraged against the aggressor and used to neutralize him or her with a flip. A similar tactic to fight spam propagated by botnets has been developed by an octet of researchers.

The team from the International Computer Science Institute in Berkeley, Calif. and University of California in San Diego–Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver, and Stefan Savage–have developed a way to flip the software running a botnet so it assists spam fighters in blocking the cyber junk spewed by the malware.

The researchers, who will be presenting their findings next month at the 17th Annual Network and Distributed System Security Symposium in San Diego in a paper titled “Botnet Judo: Fighting Spam with Itself,” turn a technique deployed by botware to disguise its nefarious activity from spam assassins into a tool for blocking junk email.

Here’s how the technique works. To fool spam filters analyzing the text of a spam message, a botware program will periodically make changes in its output. To do that, it uses a template. The template not only specifies the content of a message, but it also determines how to vary that content in future iterations. If those templates could be cracked, the team reasoned, then they could be used to block the bot’s output.

After analyzing 1000 spam messages from one compromised machine–about 10 minutes’ output for a bot engine–the boffins were able to construct the template. With that knowledge, they could appropriately modify spam filters to block 100 percent of the spam generated from the infected machine. Better yet, they could do it without producing a single false positive.
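To make the template idea from the two paragraphs above concrete, here is an added toy implementation (not the researchers’ code, whose alignment is far more elaborate): given a batch of messages from one bot, it derives a regular expression whose anchors are the text that never changes and whose wildcards are the slots the bot fills in, then applies it as a filter. The spam and legitimate messages are constructed for illustration, not captured traffic.

```python
import re

# Constructed samples standing in for the bot output the researchers captured.
# The skeleton and the slots (name, drug, price, host) are assumptions made
# here for illustration, not a template taken from any real bot.
BOT_SAMPLES = [
    "Dear John, order cheap Viagra today for only $19 at http://k3j8.example/shop",
    "Dear Mary, order cheap Cialis today for only $27 at http://p9q2.example/shop",
    "Dear Steve, order cheap Levitra today for only $31 at http://x1z7.example/shop",
    "Dear Anna, order cheap Viagra today for only $22 at http://m4n5.example/shop",
]

# Constructed legitimate mail; the inferred filter must reject none of it.
HAM_SAMPLES = [
    "Dear John, your order 4471 shipped today and should arrive on Friday",
    "Team, the quarterly report is attached, please review it before Monday",
]

def slot_pattern(values):
    """Regex for one variable slot, narrowed by what the samples show."""
    if all(re.fullmatch(r"\$?\d+", v) for v in values):
        return r"\$?\d+"                       # numeric slot, e.g. a price
    if all(v.startswith("http://") for v in values):
        return r"http://\S+"                   # rotating landing-page URL
    return r"\S+"                              # free dictionary word

def infer_template(messages):
    """Align samples token by token. Columns on which every sample agrees are
    literal anchors; columns that vary become slots. Returns (regex, slots),
    where slots maps column index -> the set of values the bot drew from."""
    rows = [m.split() for m in messages]
    width = len(rows[0])
    if any(len(r) != width for r in rows):
        raise ValueError("token counts differ; this toy needs equal-length samples")
    parts, slots = [], {}
    for i in range(width):
        column = {r[i] for r in rows}
        if len(column) == 1:
            parts.append(re.escape(next(iter(column))))
        else:
            slots[i] = column
            parts.append(slot_pattern(column))
    return re.compile(r"\s+".join(parts)), slots

def matches_template(regex, message):
    """True if the whole message fits the inferred template (i.e. block it)."""
    return regex.fullmatch(message) is not None
```

The recovered slot dictionaries are as useful to a defender as the regex itself: they show what the bot is allowed to vary, so a filter can be tightened or retrained when the bot updates its template.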

“This is an interesting approach which really differs by using the bots themselves as the oracles for producing the filters,” Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group, told the New Scientist in an interview.

However, it does take some time to crack the template. In the spam world, even a short delay can be enough time to unleash a raft of junk. Botnets have grown so large, O’Reirdan added, that even a one-minute delay in cracking the template would be “long enough for a very substantial spam campaign.”

While the spam battlers’ research garnered kudos from many quarters, one security expert was less than impressed by their efforts. “All you have to do is download the malware, capture the spam traffic, and then use the traffic to build an anti-spam corpus of rules,” wrote Terry Zink, a program manager for Microsoft’s Forefront Online Security unit, in his Anti-malware blog. “In other words, it’s the next step in doing what anti-spam vendors have been doing since 2002.”

He questioned how effective the template technique would be in practice. In order for it to have a significant impact on spam, he reasoned, bad apps from many botnets would need to be captured, not just one. That could be a daunting task.

What’s more, botware isn’t a static target, he pointed out. Malware on the zombie nets often updates itself automatically. A template that works today might not work tomorrow. Any anti-spam software would have to keep pace with those changes to make sure it’s correctly identifying how the malware is sending out its nasty payloads.

In addition, he continued, not all botware sends out spam directly. Some of it is designed to compromise email services like Hotmail, Gmail and Yahoo mail. Once they’ve done that, the bots set up accounts there and use those accounts to distribute their junk. Intercepting the traffic from those kinds of bots would have a limited impact on their ability to generate spam.

He also noted that because of the competitiveness of the botware universe, malware writers often design their programs to zap any other black apps on a targeted computer. So a template could be created for a piece of botware that subsequently gets wiped by a competitor. In that case, the compromised computer will restart pumping out its noisome payloads unabated.

Nevertheless, Zink doesn’t totally write off the researchers’ efforts. “Still, this technique is a viable anti-spam measure if you can capture malware and install it; however, one would need to understand that it is but one tool in the antispam arsenal,” he writes. “It would have to be supplemented with other techniques like IP reputation and sender reputation.”

About John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.