[Discussion] The approach to detect proxybots

Nick Rogness nick at rogness.net
Sat May 30 17:45:21 UTC 2009


This is an interesting approach.  I don't know how probabilistic the delays will be however.  Most ISPs will deliberately slow mail connects in the network to act as a sort of tarpit for spam farming.  I know we do at least and have talked with others about it as well. This may be in transit or at the actual mail server.  

Additionally, spammers are clever little SOBs.  Once you have this detection working, they will change the botnet code to react differently to avoid detection.

Nonetheless, one could increase the probability of detection with a significantly higher sampling...whether using information from other sensors in one network or from other sensors in other networks.  A network of OISF sensors independently distributed across the internet would be useful for these types of detections and others like it via some sort of feedback system.  

I still think it would be worth investigating as one of many ways to detect these botnets.  If you have some code to test I'll put it on our ISP network to see how well it works.


-----Original Message-----
From: Gurvinder Singh <gurvinde at stud.ntnu.no>
Sent: Friday, May 29, 2009 11:19 PM
To: discussion at openinfosecfoundation.org
Subject: [Discussion] The approach to detect proxybots

Hi,

First of all, thanks to Matt for introducing me to the Open Information 
Security Foundation. I was in touch with Matt and he suggested that I put 
the concept on the discussion list to get feedback on it from the team. If 
possible we can implement this concept as a preprocessor of the new 
engine (read the message from Matt below).

The approach is based on Interarrival Packet Time (IPT). The IPT is the 
difference between the current packet arrival time and the last packet 
arrival time from the sender under the current session. The IPT is recorded 
from incoming packets at the receiving end. Consider the following scenario:

                (200ms)                   (50ms)
    Spammer ------------> Proxybot -------------> Mail server

The spammer starts a session by sending a command to a bot. The bot 
initiates a connection with the mail server and establishes a 
connection. The mail server responds with a greeting message and the bot 
relays this message to the spammer. After receiving the greeting 
message, the spammer sends the HELO message to the bot and the bot relays 
the message to the server. The server will receive the message after a delay 
of 250ms or higher, which is the total delay on the connection between the 
mail server and the spammer. If the bot system is the real originator of the 
message request, then the HELO message will be received in 50ms by the mail 
server. This delay is seen on each command (MAIL FROM, RCPT TO, DATA etc.) 
received from the bot at the server end.

There is a probability that the delay can be due to congestion on the 
network. But in the above case the server will receive an ACK message from 
the bot system after 50ms, which signifies the lack of congestion on the network.

I tested the approach for different protocols and found it working on 
FTP, HTTP GET requests (Tor), Telnet and simple data transfer using TCP. 
I will be happy to answer any questions regarding the above approach and 
look forward to hearing your feedback on the concept. The 
above concept is the result of my master's thesis work. If possible, I would 
like to join the team.

P.S. The code can be released under GPL.

Thanks for your time.

Best Regards,
Gurvinder Singh

>
> Matt Jonkman wrote:
>> Forgot to mention that this code will all be GPL. :)
>>
>> matt
>>
>> Matt Jonkman wrote:
>>  
>>> Hello Gurvinder! Your timing couldn't be better.
>>>
>>> I'm fascinated by the concept, that would help in a lot of things we are
>>> currently challenged in with IDS.
>>>
>>> The timing is perfect because we've received US Dept of homeland
>>> security funding to build a new next generation IDS. We're about to get
>>> the bulk of our funding and begin development work.
>>>
>>> I'd like to talk to you about applying this concept to a preprocessor of
>>> the new engine. If you're interested I'd like to introduce you to the
>>> rest of the team. We're having our final planning and hiring meeting
>>> late next week. So this couldn't be more perfect.
>>>
>>> More information about us at http://www.openinfosecfoundation.org
>>>
>>> If you hop on the discussion mailing list we could bring the idea up and
>>> see what the community thinks about it as well.
>>>
>>> Thanks for contacting me!
>>>
>>> Matt
>>>
>>> Gurvinder Singh wrote:
>>>    
>>>> Dear Matt Jonkman,
>>>>
>>>> I am Gurvinder Singh, a master's student at the Department of Telematics, NTNU,
>>>> Trondheim, Norway. Currently I am working on my master's thesis on a topic
>>>> titled "Detection of Intermediary Hosts through TCP latency
>>>> propagation". I performed experiments for different protocols and found a
>>>> method to detect the intermediary hosts. After reading your article I
>>>> realized that my approach can be used to detect spam coming from a
>>>> proxy system which is actually sent by some other system behind it. In
>>>> a scenario like this
>>>>
>>>> Spammer ---->          ProxyBot  ------>      Mail Server or Relay
>>>>
>>>> at the mail server or relay we can detect that the message is relayed via a proxy
>>>> bot, and thus the server can drop the message, and if the behavior is
>>>> persistent the IP address of the proxybot can be added to blacklists. I was
>>>> wondering if you have some live traces of communication during the arrival
>>>> of spam messages at a mail server from a proxybot, so that I can have real
>>>> world data, not just data from my lab. If yes, would it be possible to
>>>> share it with me? I would appreciate any comment from you in this regard.
>>>>
>>>> Thanks for your valuable time.
>>>>
>>>> Best Regards,
>>>> Gurvinder Singh
>>>>       
>>
>>   
>
>

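The IPT check that Gurvinder's message describes, as an added illustration that is not code from this thread or from OISF: for each server reply it pairs the client's first bare TCP ACK (the network round trip, which also rules out congestion) with the client's next SMTP command, and flags a session when the command lag consistently exceeds the ACK lag. The event timeline, the 50ms/200ms figures taken from the diagram, and the ratio and margin thresholds are constructed assumptions.

```python
"""Inter-arrival-time check for relayed SMTP sessions (constructed example)."""
from dataclasses import dataclass
from statistics import median


@dataclass
class Event:
    t: float       # seconds since session start, as observed at the mail server
    src: str       # "server" or "client"
    kind: str      # "reply" (SMTP status line), "ack" (bare TCP ACK) or "cmd"
    text: str = ""


def command_vs_ack_delays(events):
    """For each server reply, return (ack_delay, command_delay, command).
    The bare ACK measures the bot<->server RTT; the command adds any upstream hop."""
    pairs = []
    for i, ev in enumerate(events):
        if ev.src != "server" or ev.kind != "reply":
            continue
        later = events[i + 1:]
        ack = next((e for e in later if e.src == "client" and e.kind == "ack"), None)
        cmd = next((e for e in later if e.src == "client" and e.kind == "cmd"), None)
        if ack and cmd:
            pairs.append((ack.t - ev.t, cmd.t - ev.t, cmd.text))
    return pairs


def looks_relayed(events, ratio=3.0, min_extra=0.1):
    """Flag the session when the median command delay exceeds the median ACK
    delay by both a factor and an absolute margin (thresholds are assumptions)."""
    pairs = command_vs_ack_delays(events)
    if not pairs:
        return False
    ack_rtt = median(a for a, _, _ in pairs)
    cmd_rtt = median(c for _, c, _ in pairs)
    return cmd_rtt >= ratio * ack_rtt and cmd_rtt - ack_rtt >= min_extra


def smtp_session(extra_hop):
    """Constructed timeline: 50 ms bot<->server RTT, plus `extra_hop` seconds
    (the spammer<->bot round trip) before each command when the bot only relays."""
    events, t = [], 0.0
    for cmd in ["HELO", "MAIL FROM", "RCPT TO", "DATA"]:
        events.append(Event(t, "server", "reply"))
        events.append(Event(t + 0.05, "client", "ack"))       # ACK arrives after one RTT
        t += 0.05 + extra_hop
        events.append(Event(t, "client", "cmd", cmd))         # command arrives later if relayed
        t += 0.005                                            # server processing before next reply
    return events


DIRECT = smtp_session(0.0)    # bot is the real originator: command lag == ACK lag
PROXIED = smtp_session(0.4)   # 200 ms each way to the spammer, as in the diagram
```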

_______________________________________________
Discussion mailing list
Discussion at openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/discussion