Tracking A Zombie Army (2005 Update)
James Lick
Chair, APCAUCE
jlick@jameslick.com
Evolution of Spamming
• Regular mail server on a T1 line
• Throw-away dialup/broadband accounts
• Open relays
• Open proxies
• Hacked servers
• Asymmetric routing over dialup
• Zombie Armies
Evolution of Malware
• For fun: seeing what is possible
• Prank for recognition
  – Get your trojan/virus/worm in the newspaper
  – DDOS a company and see it on TV
• Profit
  – Sell anonymous access to spammers
  – DDOS for extortion
  – Keylog/phishing for identity theft to steal money
  – Clickbots to generate fake advertising revenue
  – Use to distribute more malware
  – Sell malware removal products to victims
What Are Zombies?
• Various types of malware install programs to use your machine
  – also known as bots
  – Remote Admin Tools
  – Anonymous Proxies (password protected)
  – Keyloggers
  – Clickbots
  – Web servers
  – Virus and spam email distribution engines
  – Anonymous IRC servers
• Usually controlled via anonymous IRC servers or p2p methods
What is a Zombie Army?
• A collection of several Zombie PCs controlled by a single group
  – also called botnets
• 4-10 million compromised computers on the net actively used for abuse
• One group claimed to control 500k hosts
• More and more every day: 50-100k+
• Used for spamming since circa 2003
Zombie Army Architecture
[Diagram: boxes labelled "Master Controller?", 206.81.95.113, 206.81.95.115, "Other", three "Open DNS" servers, dns.shoreside.com, five zombies (Z) and five MX targets; arrows labelled "MX Queries" and "A Queries".]
Who controls Zombie Armies?
• Hard to say
• Best indication is Eastern European and Russian groups associated with organized crime
• Some programming contracted to Indian and Chinese programmers
• Zombies are usually compromised by one group and resold to another
How do you track Zombie usage?
• It's impossible!!!
• No, it's just very, very difficult.
• The evidence is there if you have
  – Luck
  – A Search Warrant or Subpoena
  – Plenty of resources
• Lots of other crimes are very difficult to solve
My DNS server is attacked
• My in.named process was eating CPU
• My bandwidth usage was higher than normal
• Lots of DNS queries from 206.81.95.113 and 206.81.95.115
• All queries are MX queries
• Oops! I had an "Open DNS Server"
  – Recursion was open to all
• I was essentially being DNS DOS'd
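An added example (not from the talk) of the check that would have surfaced this pattern in a BIND 9 query log: it counts recursive queries per outside client and flags clients whose traffic is almost entirely MX lookups. The internal networks are the ones from the acl on the "Securing the server" slide; the log lines are constructed and the queried names are made up.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Networks allowed to recurse, taken from the "acl internal" on the
# "Securing the server" slide; every other client is an outside host.
INTERNAL = [ip_network("192.168.168.0/24"), ip_network("66.92.182.240/28")]

# Constructed BIND 9 query-log sample (not from the talk). The two client
# addresses named in the slides are kept; the queried names are made up.
SAMPLE_LOG = """\
client 206.81.95.113#3012: query: target1.example IN MX +
client 206.81.95.113#3013: query: target2.example IN MX +
client 206.81.95.115#4401: query: target3.example IN MX +
client 192.168.168.20#5000: query: www.shoreside.com IN A +
client 206.81.95.113#3014: query: target4.example IN MX +
client 206.81.95.115#4402: query: target5.example IN MX +
client 66.92.182.241#5001: query: dns.shoreside.com IN A +
client 206.81.95.115#4403: query: target6.example IN MX +
"""

# Matches the 2005-era "client IP#port: query: NAME IN TYPE +" layout; the
# optional "@0x..." and "(name)" fields let it read newer BIND 9 logs too.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (\S+) IN (\S+) ([+-])")

def parse_queries(text):
    """Yield (client_ip, qname, qtype, rd); rd is '+' when the client asked
    for recursion, which is exactly what the open resolver was serving."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groups()

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def mx_abusers(text, min_queries=3, min_mx_fraction=0.9):
    """Outside clients whose recursive traffic is almost entirely MX lookups
    (the pattern seen from 206.81.95.113 and .115): {ip: (total, mx)}."""
    total, mx = defaultdict(int), defaultdict(int)
    for client, _qname, qtype, rd in parse_queries(text):
        if rd != "+" or is_internal(client):
            continue
        total[client] += 1
        if qtype == "MX":
            mx[client] += 1
    return {c: (total[c], mx[c]) for c in total
            if total[c] >= min_queries and mx[c] / total[c] >= min_mx_fraction}
```

Flagging is only a signal; the durable fix is the allow-recursion restriction shown later in the deck.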
Unusual amount of incoming traffic
[Chart: bandwidth graph of the incoming traffic; no data recoverable]
Email delivery in a nutshell
• DNS MX lookup for domain
• DNS A lookup for MX (optional)
• Open SMTP port 25 connections to MX systems until one answers
• Send SMTP commands
• Mail server accepts message
Securing the server
• Turn off recursion to outside hosts:
    acl internal { 192.168.168.0/24; 66.92.182.240/28; };
    options { allow-recursion { internal; }; };
• Firewall out the attackers:
  – block in from 206.81.80.0/20 to any
What just happened?
• Why all these lookups?
  – Attacking me?
  – Spamming people?
  – Distributing viruses?
• Who was attacking?
  – 206.81.80.0/20 is AceTechUSA
    • Spamhaus says they are mortgage spammers
  – 206.81.95.0/24 is Clear Tech Services
• How can I find out more?
How to find out more
• Could I give bogus results and see what happens?
• How can I give bogus results to these clients?
• Could BIND 9's view feature help me lie?
• How do I make this all work?
• What will happen?
Configuring BIND to lie
• BIND 9 has 'view' feature
• 'view' is usually used for 'Split DNS'
  – Hide internal hosts from the Internet without running multiple servers
• Make an ACL of who you want to lie to:
    acl attackers { 206.81.80.0/20; };
Designing the fake view
• Make a 'fake' view first in the file:
    view "fake" {
        match-clients { attackers; };
        recursion no;
        zone "." { type master; file "static/fake.named.root"; };
        zone "com" { type master; file "static/fake.named.com"; };
    };
• Wildcards in root zone don't work
Fake zone examples
• Add in a fake 'root' or '.' zone:
    .                  IN SOA dns.shoreside.com. jlick-dns.drivel.com. (1 1800 900 259200 3600)
                       IN NS  dns.shoreside.com
    dns.shoreside.com  IN A   66.92.182.248
• Add in a fake "com" zone:
    $ORIGIN .
    $TTL 86400
    com                IN SOA dns.shoreside.com. jlick-dns.drivel.com. (11 1800 900 259200 3600)
                       IN NS  dns.shoreside.com
    dns.shoreside.com  IN A   66.92.182.248
    *.com              IN MX  10 smx1.tcp.com
Make a view for regular zones
• Add your regular zones in a view last, so it will be the fall-through default:
    view "real" {
        match-clients { any; };
        zone "." { type hint; file "static/named.root"; };
        …
    };
See what happens next…
• Within seconds, hundreds of systems from all over the world start calling
• Most of them already known zombies on the CBL list
• sendmail on that system melts down
• Everything is bounced, so I don't know the content of the mail
Collecting mail attack data
• Looking at available 'honeypot' software for collecting mail sessions, most is inefficient and fragile
• Chris Lewis of Nortel has a patched version of postfix's smtp-sink which offers more logging
• Smtp-sink is a very efficient multi-threaded C program, and stood up to the challenge
Spamhaus was right!
• Typical spam sample collected:
  – HELO <my-ip-address>
  – "If you are paying more than 3.6% on your mortgage, we can slash your monthly payment!"
  – URL in gogetdealz.com domain
  – Not CAN-SPAM compliant
    • Forged headers, no opt-out, no mailing address, etc.
Some more questions arise
• Who was doing the DNS A queries?
  – Only one or two DNS A queries seen for my MX
  – DNS A queries coming from another "Open DNS" server
  – Zombie controllers are farming out all lookups and passing info on to the zombies
• Who is Clear Tech Services?
  – Servers in Spokane, WA, USA
  – Company in Columbia, TN, USA
  – Tried contacting by phone, but not interested in talking to me
More questions (cont)
• Who is gogetdealz.com?
  – On address 219.148.62.226
  – Located in Shijiazhuang, Hebei, PRC
  – On China Telecom network
  – Multiple Spamhaus SBL listings
    • Male anatomy pills, Mortgage 'bank', "#1 source for reliable bullet-proof services"
  – All domains linked to ns[123].33122.biz DNS servers
Zombie Army Architecture
[Diagram repeated from the earlier Zombie Army Architecture slide: "Master Controller?", 206.81.95.113, 206.81.95.115, "Other", Open DNS servers, dns.shoreside.com, zombies and MX targets, with "MX Queries" and "A Queries" arrows.]
Ideas for spam honeypots
• Track DNS lookups, not just SMTP
• Dedicated DNS honeypots can hand out tokenized MX records to track subsequent A record lookups
• With a large IP allocation, DNS honeypot can then hand out different A records to track subsequent SMTP session
• Better tracking of how infrastructure is abused
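An added example (not the talk's own code) of the tokenized-MX idea: a minimal in-memory honeypot that mints a token per MX query, hands out a fresh address for each A lookup of the tokenized host, and links a later SMTP connection back through both steps to the client that made the original MX query. The domain honey.example and the 198.51.100.0/28 address pool are assumptions.

```python
import secrets
from ipaddress import ip_network

# Assumed honeypot parameters (not from the talk): the domain whose MX we
# answer for, and a pool of addresses we can answer A queries with.
HONEY_DOMAIN = "honey.example"
HONEY_POOL = [str(h) for h in ip_network("198.51.100.0/28").hosts()]

class DnsHoneypot:
    """Tie the three stages of a delivery attempt together: the MX query
    (controller), the A query for the tokenized MX host (often a different
    open resolver), and the SMTP connection to the handed-out address (zombie)."""

    def __init__(self, pool=HONEY_POOL):
        self.tokens = {}   # token -> {"mx_client", "a_lookups", "smtp"}
        self.by_ip = {}    # handed-out A address -> (token, a_client)
        self._pool = list(pool)

    def answer_mx(self, client_ip):
        """Answer an MX query with a unique hostname that carries a token."""
        token = secrets.token_hex(6)
        self.tokens[token] = {"mx_client": client_ip, "a_lookups": [], "smtp": []}
        return f"mx-{token}.{HONEY_DOMAIN}"

    def answer_a(self, client_ip, qname):
        """Answer an A query for a tokenized MX host with a fresh address, so a
        later SMTP connection to it identifies this exact lookup."""
        label, _, rest = qname.partition(".")
        token = label[3:] if label.startswith("mx-") else None
        if rest != HONEY_DOMAIN or token not in self.tokens:
            return None                     # not one of ours: answer nothing
        if not self._pool:
            raise RuntimeError("address pool exhausted")
        ip = self._pool.pop()
        self.by_ip[ip] = (token, client_ip)
        self.tokens[token]["a_lookups"].append((client_ip, ip))
        return ip

    def smtp_connect(self, client_ip, dst_ip):
        """Record an SMTP session and return the reconstructed chain."""
        hit = self.by_ip.get(dst_ip)
        if hit is None:
            return None
        token, a_client = hit
        rec = self.tokens[token]
        rec["smtp"].append(client_ip)
        return {"mx_client": rec["mx_client"], "a_client": a_client,
                "smtp_client": client_ip}
```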
Identifying Spam
• Identifying spam by recipients is roughly broken into three criteria:
  – Identity
  – Reputation
  – Content
How to make it harder to infect systems?
• Most malware is distributed through email
• Client SMTP port 25 is hard to secure
• Client SMTP-AUTH port 587 is fairly mature and is easier to secure
• Maturing MTA auth schemes work on domain level
• Using MTA auth implies taking responsibility for resulting abuse issues
• Let's use these arguments to increase security
Putting this into practice
• Decide who you are:
  – Sell/provide/support direct end-user access (consumer ISP, enterprise network manager, etc.): implement the following advice
  – Do not support end-user access, or provide business/power-user access (network backbone/transit, premium ISP, data center manager, etc.): don't implement this, but encourage/require your customers to
Controlling Email Abuse
• Step 1: Block port 25 from leaving the end-user networks
  – Block in AND out, source AND destination to prevent asymmetric routing tricks
  – Vast majority of users don't need third party mail server access
  – Those that need it have many possible solutions: SMTP-AUTH, VPN, ssh tunneling
  – Recipient mail servers increasingly block client SMTP from dynamic addresses
  – DO NOT block MSP (587 and 466), ssh, VPN, pop2, pop3, sslpop3, imap, or sslimap ports
Controlling Email Abuse
• Step 2: Implement SMTP-AUTH
  – Start by offering it and encouraging use
  – After a transition, require it (block port 25 from your client systems to your mail servers)
  – SMTP-AUTH makes it easier to identify affected account than IP addresses
  – Will not completely stop zombies; assume they will be able to hijack credentials from the PC or be able to brute-force guess passwords
Controlling Email Abuse
• Step 3: Block internal hosts from talking to your incoming MXes (excluding authorized internal mailhosts)
  – Stops current spam distribution methods
  – Should have minimal impact
  – Just turning off relay still leaves you open to your own zombies sending to your own users
  – You can actually do this earlier if you want
Controlling Email Abuse
• Step 4: Identify, Contain, Correct Problems
  – Implement one or more of the following
  – Establish per-account volume limits with either a cutoff or alert triggered
  – Track message-ids sent by each account so that complaints can be mapped back to an account easily
Controlling Email Abuse
• Step 4 (continued):
  – Send outgoing messages through spam and virus filters
    • Spam filters aren't completely reliable, so you can't block on this, but large amounts of spam through an account should trigger an investigation
    • Virus filters are reliable, so these messages MUST be blocked AND investigated
  – Require subscribers to use only their authorized address(es) through your servers (not necessary but very effective)
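An added example, not from the talk, of the two Step 4 controls that can be built from submission logs: per-account volume limits and mapping a complaint's Message-ID back to the SMTP-AUTH account that sent it. The Postfix-style log lines are constructed; the code assumes the smtpd line (carrying sasl_username) and the cleanup line (carrying message-id) for one message share a queue ID, which is how Postfix logs them.

```python
import re
from collections import defaultdict

# Constructed Postfix-style submission log (sample only; accounts, queue IDs
# and message-ids are made up). smtpd logs the SMTP-AUTH user per queue ID and
# cleanup logs the message-id for the same queue ID.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[101]: 7A1B2C: client=unknown[10.1.2.3], sasl_method=PLAIN, sasl_username=alice
Jan 10 09:00:01 mx postfix/cleanup[102]: 7A1B2C: message-id=<a1@pc.local>
Jan 10 09:00:02 mx postfix/smtpd[101]: 7A1B2D: client=unknown[10.1.2.3], sasl_method=PLAIN, sasl_username=alice
Jan 10 09:00:02 mx postfix/cleanup[102]: 7A1B2D: message-id=<a2@pc.local>
Jan 10 09:00:03 mx postfix/smtpd[101]: 7A1B2E: client=unknown[10.1.2.3], sasl_method=PLAIN, sasl_username=alice
Jan 10 09:00:03 mx postfix/cleanup[102]: 7A1B2E: message-id=<a3@pc.local>
Jan 10 09:00:04 mx postfix/smtpd[103]: 7A1B2F: client=unknown[10.1.7.9], sasl_method=PLAIN, sasl_username=bob
Jan 10 09:00:04 mx postfix/cleanup[102]: 7A1B2F: message-id=<b1@laptop.local>
Jan 10 09:00:05 mx postfix/smtpd[101]: 7A1B30: client=unknown[10.1.2.3], sasl_method=PLAIN, sasl_username=alice
Jan 10 09:00:05 mx postfix/cleanup[102]: 7A1B30: message-id=<a4@pc.local>
"""

AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=.*sasl_username=(\S+)")
MSGID_RE = re.compile(r"postfix/cleanup\[\d+\]: ([0-9A-F]+): message-id=(<[^>]*>)")

def messages_by_account(text):
    """Map each SMTP-AUTH account to the (queue_id, message_id) pairs it
    submitted, joining the two log lines on the queue ID."""
    account_of = {}                     # queue_id -> sasl_username
    sent = defaultdict(list)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            account_of[m.group(1)] = m.group(2)
            continue
        m = MSGID_RE.search(line)
        if m and m.group(1) in account_of:   # unauthenticated mail has no owner
            sent[account_of[m.group(1)]].append((m.group(1), m.group(2)))
    return dict(sent)

def over_limit(text, limit):
    """Accounts whose submission count exceeds the per-account limit."""
    return {acct: len(msgs) for acct, msgs in messages_by_account(text).items()
            if len(msgs) > limit}

def account_for_message_id(text, message_id):
    """Map a complaint's Message-ID back to the account that sent it."""
    for acct, msgs in messages_by_account(text).items():
        if any(mid == message_id for _qid, mid in msgs):
            return acct
    return None
```

In production the limit would be applied per time window and the join kept in a database rather than re-read from the log on every complaint.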
Yes! This is hard!
• But it must be done
  – Email abuse exceeds 90% in places and is growing
• Pain will diminish over time
• 'Promiscuous' networks will attract abuse
• Not doing it makes your reputation suffer
• You are not only the victim, you are also the abuser
  – Take Responsibility!
No! It isn't perfect!
• Implementing these measures should decrease abuse by at least an order of magnitude
• Makes it too hard for abuse to be effective
• Yes, there are many other infection vectors; they can be addressed separately
• Don't ignore the pretty good in your search for the perfect
Conclusions
• Careful monitoring of suspicious DNS patterns can reveal abuse
• Disinformation can reveal inner workings
• It is possible to track things to the source
• Honeypots can use this to find more detail
• ISPs can strengthen security and policy enforcement to make it more difficult to assemble Zombie Armies
Thank You!
Contact me at: jlick@jameslick.com
More detail on controlling email abuse: http://www.livejournal.com/users/jlick/10243.html