The story of the botnets behind malicious spam campaigns

Dennis Tan , Director of Threat Research , Symantec

Email has become the most frequently used delivery mechanism for malware. According to research we conducted across different threat vectors, no other distribution channel even comes close: not exploit kits, not malvertising. A user is many times more likely to encounter malicious code through email than through any other channel.

Malicious spam is never an isolated threat. Our further research indicates that malicious email is distributed primarily by spambots, which often take the form of a module within a larger botnet. A botnet is typically designed and implemented as a set of modules or plug-ins, which allows its operators to carry out a variety of malicious activities; spamming is usually one of a botnet's most important capabilities.

In this paper we dissect several active botnets responsible for massive malicious spam campaigns, including Necurs, Fioesrat, Ssebot and Emotet. We review the whole threat life cycle, look into the details of their spamming mechanisms, infrastructure and strategy, and conclude with the most effective ways to defend against such attacks.

The paper focuses on the following aspects:

1. Demonstrating the end-to-end threat life cycle of malicious spam campaigns, correlating the spam messages, the payloads they deliver and the botnets underneath;

2. Analyzing the different types and architectures of the botnets used in spam campaigns;

3. A deep dive into the spambot module of these botnets: module persistence, the interaction between the module and the main bot, command-and-control communication and protocols, the algorithms used to generate email metadata, and so on;

4. Dissecting the operation patterns and strategies of the malicious spam campaigns conducted by the attackers;

5. Building honeypots to proactively harvest spam metadata from botnets, elaborating the methodologies that can be used to build a honeypot or harvester;

6. Best practices for defending against malicious spam campaigns, from a full threat life cycle point of view.
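As an added illustration of points 3 and 5 above (this is example code written for this page, not the authors' harvester and not code from any of the botnets named), the following shows the extraction stage of a spam-harvesting honeypot: a raw message that an SMTP sink has already accepted is parsed and reduced to the metadata a researcher would keep per message (connecting IP from the first Received header, sender address, subject, a normalized subject key that survives the per-message variation spambot templates introduce, URLs in the body, and attachment names, sizes, hashes and a file-type hint). The SMTP listener itself is out of scope; the sample message, its addresses, domains and content are constructed for the example and the attachment is only an OLE2 header followed by zero bytes.

```python
"""Extraction core for a spambot honeypot: raw message in, metadata record out.

Illustrative example written for this page; not the talk's tooling and not
tied to any specific botnet family.
"""
import email
import hashlib
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_IN_BRACKETS_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office container

# Constructed sample standing in for a message an SMTP sink received from a
# spambot. Addresses, domains and content are invented; the base64 payload is
# an OLE2 magic header padded with zeros, not a real document.
SAMPLE_RAW = (
    "Received: from mail.example.test ([192.0.2.10])\n"
    "\tby honeypot.example.test with ESMTP id abc123\n"
    'From: "Invoice Dept" <billing@example.test>\n'
    "To: victim@honeypot.example.test\n"
    "Subject: Invoice 4471 overdue\n"
    "Message-ID: <20180301120000.AB12CD@example.test>\n"
    "Date: Thu, 01 Mar 2018 12:00:00 +0000\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
    "\n"
    "--BOUNDARY\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Please review the attached invoice or visit http://example.test/inv/4471\n"
    "--BOUNDARY\n"
    'Content-Type: application/octet-stream; name="invoice_4471.doc"\n'
    'Content-Disposition: attachment; filename="invoice_4471.doc"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=\n"
    "--BOUNDARY--\n"
).encode()


def normalize_subject(subject: str) -> str:
    """Collapse the parts spambot templates vary per message (numbers, spacing)
    so that messages from one campaign share a single key."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "#", subject)).strip()


def file_type_hint(data: bytes) -> str:
    """Cheap magic-byte classification; filename extensions are attacker-controlled."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"   # .doc/.xls containers, the classic macro carrier
    if data.startswith(b"PK\x03\x04"):
        return "zip"    # also covers OOXML (.docx/.xlsx) and zipped droppers
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def harvest(raw: bytes) -> dict:
    """Parse one captured message and return the metadata record to store."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # The first Received header is the one our own sink wrote, so the
    # bracketed address in it is the bot's connecting IP.
    received = msg.get_all("Received") or []
    ip_match = IPV4_IN_BRACKETS_RE.search(received[0]) if received else None

    from_header = msg["From"]
    from_addr = from_header.addresses[0].addr_spec if from_header and from_header.addresses else ""

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):               # text attachments come back as str
            data = data.encode("utf-8", "replace")
        attachments.append({
            "filename": part.get_filename() or "",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "type_hint": file_type_hint(data),
        })

    subject = str(msg["Subject"]) if msg["Subject"] else ""
    return {
        "sender_ip": ip_match.group(1) if ip_match else None,
        "from_addr": from_addr,
        "subject": subject,
        "subject_key": normalize_subject(subject),
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else "",
        "urls": sorted(set(URL_RE.findall(text))),
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(harvest(SAMPLE_RAW), indent=2))
```

The subject key and the attachment hash are the two fields that let harvested messages be clustered into campaigns and correlated with payloads: bots in one campaign draw subjects from a shared template, so the key collapses their numeric variation, while the hash ties a message to the sample that was analyzed.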

Dennis Tan

Dennis Tan is Director of Research in the Symantec Security Technology and Response group, based in Singapore. He leads a team of researchers specializing in investigating and responding to sophisticated cyber threats. Prior to Symantec, he worked for Fortinet, Websense and Tencent.