Samir Patil (Symantec)
There has been a significant increase in the volume of Blackhole spam over the last few months. We see Blackhole spam purporting to come from major brands and institutions, and using sophisticated techniques to evade anti-spam filters.
Blackhole spam is the seeding point of the attack. Email filters are the first line of defence, before IDS, IPS and AV solutions come into the picture, so purging Blackhole spam at the source strengthens multi-level protection. Since the attack uses non-traditional methods to evade detection, the countermeasure needs to be equally innovative.
This paper describes a unique approach to detecting Blackhole spam. The paper discusses intrinsic differences between the structure and techniques used in Blackhole spam versus conventional spam, and also discusses key challenges in detecting and mitigating it.
Our approach to identifying malicious URLs in Blackhole spam involves multi-stage static and dynamic analysis of emails, with the help of backend systems that profile URL patterns and templates and apply heuristics to incoming messages. The paper concludes by showing the effectiveness of this approach against Blackhole spam attacks, many of them potentially zero-day.
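As an added illustration (this is not Symantec's system and not code from the paper), the following Python sketches the shape of a two-stage static/dynamic triage of URLs in incoming mail: a cheap static stage checks the claimed sender brand against the link hosts and applies URL-pattern heuristics, and only messages it flags are passed to a dynamic stage that walks the redirect chain behind each link and re-applies the URL heuristics to the final landing page. The brand table, the heuristics and their weights, the two sample messages and the redirect table are all constructed assumptions; the fetcher is injected so the example runs offline and a real deployment would plug in a sandboxed HTTP client.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed, illustrative table: brand name -> domains allowed to carry its links.
BRAND_DOMAINS = {
    "linkedin": ("linkedin.com",),
    "ups": ("ups.com",),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed heuristic: long random-looking page names on the link path.
RANDOM_PAGE_RE = re.compile(r"/[a-z0-9]{8,}\.(?:html?|php)$", re.I)
IP_HOST_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(raw):
    """Parse an RFC 822 message; return (message, sorted unique URLs from text parts)."""
    msg = message_from_string(raw)
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True) or b""
            urls.update(URL_RE.findall(body.decode("utf-8", "replace")))
    return msg, sorted(urls)


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def url_heuristics(url):
    """Per-URL pattern checks shared by both stages; returns [(weight, reason)]."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if IP_HOST_RE.fullmatch(host):
        findings.append((2, "IP-literal link host " + host))
    if RANDOM_PAGE_RE.search(parsed.path):
        findings.append((1, "random-looking landing page " + parsed.path))
    return findings


def static_findings(msg, urls):
    """Stage 1 (static): does the claimed brand match where the links go?"""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    brand = next((b for b in BRAND_DOMAINS if b in name.lower() or b in from_domain), None)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if brand and not any(in_domain(host, d) for d in BRAND_DOMAINS[brand]):
            findings.append((3, f"claims {brand} but links to {host}"))
        findings += url_heuristics(url)
    return findings


def follow_redirects(url, fetch, max_hops=5):
    """Stage 2 (dynamic): walk HTTP redirects via fetch(url) -> (status, location).
    Returns (chain, exhausted); exhausted is True when the hop limit was hit."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, False
        chain.append(location)
    return chain, True


def dynamic_findings(urls, fetch):
    findings = []
    for url in urls:
        chain, exhausted = follow_redirects(url, fetch)
        hosts = [(urlparse(u).hostname or "").lower() for u in chain]
        if len(set(hosts)) > 1:
            findings.append((3, "redirect crosses hosts: " + " -> ".join(hosts)))
        if exhausted:
            findings.append((2, "redirect chain exceeds hop limit"))
        if len(chain) > 1:  # the landing page may be far from the mailed link
            findings += url_heuristics(chain[-1])
    return findings


def classify(raw, fetch, threshold=4):
    msg, urls = extract_urls(raw)
    findings = static_findings(msg, urls)
    if findings:  # spend fetch budget only on messages the static stage flagged
        findings += dynamic_findings(urls, fetch)
    score = sum(w for w, _ in findings)
    return {"score": score,
            "verdict": "block" if score >= threshold else "deliver",
            "reasons": [r for _, r in findings]}


# Constructed redirect table standing in for live fetches (offline simulation).
FAKE_WEB = {
    "http://compromised-blog.example/wp/a8f3k2d9.html": (302, "http://198.51.100.7/main.php?page=abc"),
    "http://198.51.100.7/main.php?page=abc": (200, None),
    "https://www.linkedin.com/inbox": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None))


# Constructed sample messages: a brand-impersonating lure and a legitimate notification.
SUSPICIOUS = """From: "LinkedIn" <messages@notifications-center.example>
To: user@example.org
Subject: You have 2 new messages
Content-Type: text/plain

You have new messages waiting. View them here:
http://compromised-blog.example/wp/a8f3k2d9.html
"""

BENIGN = """From: "LinkedIn" <messages-noreply@linkedin.com>
To: user@example.org
Subject: Your weekly digest
Content-Type: text/plain

Read your inbox: https://www.linkedin.com/inbox
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, classify(raw, fake_fetch))
```

Gating the dynamic stage on static findings keeps fetch cost proportional to suspicion, at the price of missing a lure with no static tell; a production filter would also feed the observed redirect targets back into the URL-pattern profiles so that the next message pointing at the same landing host is caught statically.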
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.