Peering into spam botnets

Friday 6 October 14:00 - 14:30, Small talks

Maciej Kotowicz (CERT Poland)
Jarosław Jedynak (CERT Poland)



Someone recently said that the exploit kit landscape is dying, but this is certainly not the case for the spamming industry, which over the last year was probably the biggest source of infections worldwide.

Despite spam botnets being so important in the lifecycle of malware, the recent publications describing massive spam operations (which can be counted on the fingers of one hand) have either skipped over the technical details or concentrated too much on high-level aspects for our liking.

In this paper, we will describe a few of the most prominent spam botnets out there: Necurs, Send Safe, Kelihos, Tofsee and Cutwail.

Our main goal is to describe the technical details of the network protocols used by these botnets to communicate with peers and C&Cs. We will show how to dissect and reimplement basic communication (including, but not limited to, receiving new spam, downloading malicious attachments and detecting updates to the core spam bot or its sub modules).

We will also present the results of our monitoring, including how and what is being spammed, and by which botnet. We will conclude with some funny quirks that one can find while looking closely at spamming operations.

Since these botnets aren't new, there is some information about them in circulation. Unfortunately this knowledge is often fragmented, or hidden within companies. With our talk we hope to share our insights, and allow everyone to track and destroy spam on their own.

(Note: this is a reserve paper for VB2017. Unless needed to replace another paper on the main programme, it will be presented in the Small Talks room at 09:00 on Friday 6 October. Programme changes will be announced at the event and displayed on the VB2017 programme page.)

 

Maciej Kotowicz

Maciej Kotowicz is Principal Botnet Pwner at CERT.pl with a special interest in reverse engineering and exploit development as well as automation of both. In his free time he likes to drink beer and play CTFs, in no particular order.

 

 

Jarosław Jedynak

Jarosław Jedynak is a malware analyst and security engineer at CERT.pl. His research interests focus on malware, especially P2P botnets. Additionally, he is actively tracking new malicious campaigns in order to disrupt criminal activity. In his free time, he is a passionate CTF player, and co-founder of p4 team.

