how to catch a hidden spammer
DESCRIPTION
Find out how to easily detect and stop a hidden spammer. These methods will protect you and your company from spam and will keep you from getting flagged as a spammer.
TRANSCRIPT
HOW TO FIND A HIDDEN SPAMMER
By Andrew Brandt, Solera Networks
HOW IT STARTS
The typical spam campaign starts with a social engineering hook, which attempts to convince the reader to click a link in the message body.
SAY HELLO TO MALWARE
These links can lead to pages hosting malware: .EXE files inside of .ZIP folders. They can also use browser exploits to force an install on the victim's computer.
THESE ARE STEPPING STONES
These specialized Trojans retrieve instructions from a command-and-control server that include the body of the spam message, and a list of mail servers and victim email addresses to which the Trojan sends the messages.

HOW THEY WORK
These Trojans retrieve instructions from a server that include the body of the spam message, and a list of mail servers and victim email addresses to which the Trojan sends the messages.
THE GOOD NEWS / THE BAD NEWS
GOOD NEWS: Easy to identify and segregate the offending machines.
BAD NEWS: Thousands more people could end up receiving malicious messages, which might result in your own network ending up on a spam blacklist.
USING THE RIGHT TOOLS
Using Solera's DeepSee, we detected that in just 20 seconds the Trojan dispatched 181 identical messages.
USING DEEPSEE
Using DeepSee, you can take note of the IP address(es) of your usual mail servers, then create a Favorite with queries. That will bring to the fore all non-mail servers that are sending email using the SMTP protocol:

`ipv4_address!=your_mail_server application_id=SMTP`
SETTING UP ALERTS
Once you’ve created that Favorite, you can set up alerts to watch for traffic matching the rule. Typical malicious behavior might involve a large volume of mail being sent by machines meeting these criteria in a short period of time. The most obvious standouts will be sending messages at odd hours, such as when nobody should be at work (holidays/weekends).
CATCHING THE SLOWER ONESLook at the traffic generated by a much more low-key spam relay Trojan. The Trojan responsible sent these Canadian pharmacy, knockoff watch, and “dating site” spams, transmitted at a much slower rate of about two messages per minute. While the volume may keep the messages under the radar, you might consider setting up alerts looking for the subject matter of the messages.
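The alert logic from the DeepSee slides (SMTP from anything that is not a known mail server, flagged for bursts and odd hours) and the subject-matter check for the slow relay above, written out as an added example that is not part of the original deck. The mail-server address, thresholds, business hours, subject terms and the traffic records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: your organisation's legitimate mail servers (placeholder address).
MAIL_SERVERS = {"10.0.0.25"}
# Assumed thresholds. The deck's fast relay sent 181 messages in 20 s; the
# slow one sent ~2/min, which volume rules miss, hence the subject terms.
BURST_MESSAGES, BURST_WINDOW = 50, timedelta(seconds=20)
SPAM_SUBJECT_TERMS = ("pharmacy", "replica watch", "dating")
BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59 on weekdays

def flag_smtp_senders(records):
    """records: (src_ip, datetime, subject) per SMTP session. Returns
    {src_ip: set(reasons)} for every sender that is not a known mail server."""
    by_src = defaultdict(list)
    for src, ts, subject in records:
        if src not in MAIL_SERVERS:  # ipv4_address!=your_mail_server
            by_src[src].append((ts, subject))
    findings = {}
    for src, sessions in by_src.items():
        reasons = {"smtp-from-non-mail-server"}
        times = sorted(ts for ts, _ in sessions)
        # Sliding window: BURST_MESSAGES sessions inside BURST_WINDOW.
        for i in range(len(times) - BURST_MESSAGES + 1):
            if times[i + BURST_MESSAGES - 1] - times[i] <= BURST_WINDOW:
                reasons.add("burst")
                break
        if any(t.weekday() >= 5 or t.hour not in BUSINESS_HOURS for t in times):
            reasons.add("off-hours")
        if any(term in subj.lower() for _, subj in sessions
               for term in SPAM_SUBJECT_TERMS):
            reasons.add("spam-subject")
        findings[src] = reasons
    return findings

def sample_records():
    """Constructed traffic: a legitimate server, a fast relay on a Saturday,
    and a slow 'Canadian pharmacy' relay at 2 messages/minute on a Tuesday."""
    sat, tue = datetime(2012, 6, 9, 3, 0), datetime(2012, 6, 12, 10, 0)
    legit = [("10.0.0.25", tue + timedelta(minutes=i), "Q2 report") for i in range(5)]
    fast = [("10.0.0.77", sat + timedelta(milliseconds=110 * i),
             "You have a new voicemail") for i in range(181)]
    slow = [("10.0.0.91", tue + timedelta(seconds=30 * i),
             "Canadian Pharmacy: 80% off") for i in range(40)]
    return legit + fast + slow

if __name__ == "__main__":
    for src, reasons in sorted(flag_smtp_senders(sample_records()).items()):
        print(src, sorted(reasons))
```

The fast relay trips the burst and off-hours checks, while the slow relay is caught only by its subject line, which is the point the slide makes about volume-based alerts alone.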
CATCHING THE SLOWER ONES
Detect and extract the command-and-control traffic between the infected host and its botnet HQ. Spam relay Trojans must receive instructions, or they can’t do their job. Check out this extraction of traffic generated by just such a Trojan.
CATCHING THE SLOWER ONES
The CnC traffic is made even more obvious by its inclusion of a second, extraneous port number.
(Hint: Search for `http_uri~:8080:80` in the Path Bar.)
MORE DISCOVERIES
Once you find the CnC traffic, extraction can lead to more discoveries, but in this case, the traffic seems to be unreadable.
IS IT REALLY UNREADABLE?
Well, unreadable but not indecipherable. A little bit-shifting of the binary data in this artifact reveals the true contents of the CnC message. The first set of CnC exchanges usually include all the instructions the bot needs, such as…
HOW TO DECODE
…the message body of the spam it will send…
HOW TO DECODE
…the link to the site hosting the malicious code, which will be embedded in the message…
HOW TO DECODE
…and, to my utterly astonished amusement, a list of CnC server IP addresses the botmaster will use to control the Trojan.
THE LAST EXERCISE
This last one really makes the whole exercise worthwhile: the bot itself downloads these IPs every time it checks in with the CnC server. In essence, it’s keeping us updated with a list of who the bot can talk to.