Rustock Botnet and ASNs
12 Pages Posted: 5 Jan 2012
Date Written: September 24, 2011
Abstract
When Microsoft and associates took down the Rustock botnet in March 2011, which organizations were affected? Were they the same ones that were affected during the Rustock spam slowdown of December 2010? Maybe they didn’t improve their information security (infosec) during those three months. This paper analyses this episode as an example of some types of drilldown using data underlying the frequent, regular, comprehensive organizational rankings by outbound spam volume, SpamRankings.net. Such rankings can provide reputational and economic incentives for the ranked organizations to improve their security, which has many policy implications. Just as a sneeze indicates disease, outbound spam indicates poor infosec.
Organizations don’t want poor infosec to affect their reputation, so they don’t divulge that information. Fortunately, anti-spam blocklists collect outbound spam data for every organization on the Internet. Outbound spam indicates botnets, botnets indicate vulnerabilities, and vulnerabilities indicate susceptibility to other threats, including phishing, DDoS, and other malware. So we can compare outbound spam and botnets across organizations, and use them as a proxy for poor infosec. This proxy applies not just to ISPs but to any Email Service Provider (ESP), that is, any organization that sends email. Nobody wants to do business with a bank, hospital, or university with poor infosec.
We collect data daily from multiple anti-spam blocklists, and collate with netblocks and Autonomous System Numbers (ASNs) using tables from Team Cymru. The tables and graphs here derive from the CBL blocklist, including custom spam volume (message count per spamming IP address) and botnet assignments per address.
We selected two similar incidents for the same botnet (Rustock) a few months apart. We searched for ASNs with the most spam coming from that botnet. We compared those ASNs spamming between the incidents, and further compared the botnets for certain of those ASNs, as well as another ASN. This Rustock case study is novel in examining ASNs affected by a particular botnet, and botnets infesting particular ASNs, both at specific times, and over a longer timeframe, showing what happens when a botnet slows down or is taken down.
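The drilldown just described, collating per-address blocklist records with netblock-to-ASN tables and ranking ASNs by spam volume from one botnet, as an added example (not code from the paper or from SpamRankings.net). The prefix table, CBL-style records, message counts and AS numbers are all constructed here; the real Team Cymru and CBL data are far larger, and the record layout is assumed.

```python
# Added example (not code from the paper or SpamRankings.net): rank ASNs by
# outbound spam attributed to one botnet. All prefixes, addresses, counts and
# AS numbers below are constructed; real CBL and Team Cymru data are far larger.
import ipaddress
from collections import defaultdict

# Constructed netblock table in the shape of Team Cymru's prefix-to-ASN data.
PREFIX_TO_ASN = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("198.51.100.128/25", 64498),   # more specific than the /24 above
]

# Constructed CBL-style daily records: (spamming IP, message count, botnet).
CBL_RECORDS = [
    ("192.0.2.10", 1200, "rustock"),
    ("192.0.2.11", 800, "rustock"),
    ("198.51.100.5", 300, "rustock"),
    ("198.51.100.200", 2500, "rustock"),   # inside the /25, so AS64498
    ("198.51.100.201", 900, "cutwail"),    # other botnet, ignored here
    ("10.0.0.1", 9999, "rustock"),         # no matching netblock
]

def build_table(entries):
    """Parse prefixes once; most-specific first so the first hit wins."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in entries]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)

def lookup_asn(ip, table):
    """Longest-prefix match: ASN of the most specific prefix containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None

def rank_asns_for_botnet(records, table, botnet):
    """Sum message counts per ASN for one botnet, highest volume first."""
    volume = defaultdict(int)
    for ip, count, name in records:
        if name != botnet:
            continue
        asn = lookup_asn(ip, table)
        if asn is None:
            continue    # address not in any known netblock: cannot be ranked
        volume[asn] += count
    return sorted(volume.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running the same ranking on two collection dates (for example the December 2010 slowdown and the March 2011 takedown) and diffing the resulting ASN lists is the comparison the paper describes.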
Also novel are the ongoing Internet-wide comparisons publicly visible in the frequent, regular, and comprehensive rankings of SpamRankings.net. The project’s model combining peer influence and commons theory for economic governance of the Internet indicates that such rankings motivate ESPs to improve their infosec in order to improve their reputation; and can also help them improve by benchmarking their output with similar ESPs. We are using incremental rollout of SpamRankings.net in natural field experiments on the Internet to determine the effectiveness of the rankings.
Policy implications of such rankings and drilldowns include: improving Internet security without additional laws or governmental policies; determining which national policies have the most effect; determining the effectiveness of specific infosec against specific botnets or vulnerabilities; incentives to integrate disparate infosec information; improved national competitiveness through less vulnerability to cybercrime and industrial espionage; and improved national security through less vulnerability to cyberwarfare.