Rustock Botnet and ASNs

12 Pages Posted: 5 Jan 2012


John S. Quarterman

Quarterman Creations

Serpil Sayin

affiliation not provided to SSRN

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

Date Written: September 24, 2011

Abstract

When Microsoft and associates took down the Rustock botnet in March 2011, which organizations were affected? Were they the same ones that were affected during the Rustock spam slowdown of December 2010? Maybe they didn’t improve their information security (infosec) during those three months. This paper analyses this episode as an example of several types of drilldown using the data underlying SpamRankings.net, the frequent, regular, and comprehensive rankings of organizations by outbound spam volume. Such rankings can provide reputational and economic incentives for the ranked organizations to improve their security, which has many policy implications. Just as a sneeze indicates disease, outbound spam indicates poor infosec.

Organizations don’t want poor infosec to affect their reputation, so they don’t divulge that information. Fortunately, anti-spam blocklists collect outbound spam data for every organization on the Internet. Outbound spam indicates botnets, botnets indicate vulnerabilities, and vulnerabilities indicate susceptibility to other attacks, including phishing, DDoS, and other malware. So we can compare outbound spam and botnets across organizations and use them as a proxy for poor infosec. The proxy applies not just to ISPs but to any Email Service Provider (ESP), that is, any organization that sends email. Nobody wants to do business with a bank, hospital, or university with poor infosec.

We collect data daily from multiple anti-spam blocklists, and collate with netblocks and Autonomous System Numbers (ASNs) using tables from Team Cymru. The tables and graphs here derive from the CBL blocklist, including custom spam volume (message count per spamming IP address) and botnet assignments per address.

We selected two similar incidents for the same botnet (Rustock) a few months apart. We searched for ASNs with the most spam coming from that botnet. We compared those ASNs spamming between the incidents, and further compared the botnets for certain of those ASNs, as well as another ASN. This Rustock case study is novel in examining ASNs affected by a particular botnet, and botnets infesting particular ASNs, both at specific times, and over a longer timeframe, showing what happens when a botnet slows down or is taken down.
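As an added illustration of the drilldown described above (example code written for this page, not the authors' SpamRankings.net pipeline): it maps constructed CBL-style per-IP spam records to ASNs through a constructed Team Cymru-style prefix table by longest-prefix match, totals spam per ASN and botnet, ranks ASNs for one botnet, and intersects two incidents' rankings. All IPs, ASNs, botnet labels and counts are made-up sample values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> ASN table standing in for a Team Cymru-style lookup table.
PREFIX_TO_ASN = [
    ("203.0.113.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("198.51.100.128/25", 64502),  # more specific prefix carved out of the /24 above
    ("192.0.2.0/24", 64503),
]
# Longest prefix first, so the first containing network wins the match.
NETWORKS = sorted(((ip_network(p), asn) for p, asn in PREFIX_TO_ASN),
                  key=lambda t: t[0].prefixlen, reverse=True)

# Constructed CBL-style records: (spamming IP, messages seen, botnet assignment).
CBL_RECORDS = [
    ("203.0.113.10", 1200, "rustock"),
    ("203.0.113.11", 300, "rustock"),
    ("198.51.100.200", 900, "rustock"),  # inside the /25, so AS64502 rather than AS64501
    ("192.0.2.5", 700, "cutwail"),
    ("192.0.2.6", 10, "rustock"),
    ("10.0.0.1", 999, "rustock"),        # no covering prefix: unmapped and dropped
]

def ip_to_asn(ip):
    """Map an address to its origin ASN by longest-prefix match; None if unmapped."""
    addr = ip_address(ip)
    for net, asn in NETWORKS:
        if addr in net:
            return asn
    return None

def spam_by_asn_and_botnet(records):
    """Total message counts per (ASN, botnet), skipping unmapped addresses."""
    totals = defaultdict(int)
    for ip, messages, botnet in records:
        asn = ip_to_asn(ip)
        if asn is not None:
            totals[(asn, botnet)] += messages
    return dict(totals)

def top_asns_for_botnet(records, botnet, n=3):
    """Drilldown: ASNs with the most spam attributed to one botnet, highest first."""
    totals = spam_by_asn_and_botnet(records)
    ranked = [(asn, v) for (asn, b), v in totals.items() if b == botnet]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))[:n]

def asns_in_both(ranked_a, ranked_b):
    """ASNs present in both incidents' rankings, e.g. December 2010 and March 2011."""
    return sorted({a for a, _ in ranked_a} & {a for a, _ in ranked_b})
```

Running `top_asns_for_botnet(CBL_RECORDS, "rustock")` on the sample data ranks AS64500 first; the unmapped 10.0.0.1 record is excluded rather than silently attributed to a neighbouring ASN.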

Also novel are the ongoing Internet-wide comparisons publicly visible in the frequent, regular, and comprehensive rankings of SpamRankings.net. The project’s model, combining peer influence and commons theory for economic governance of the Internet, indicates that such rankings motivate ESPs to improve their infosec in order to improve their reputation, and can also help them improve by benchmarking their outbound spam against that of similar ESPs. We are using incremental rollout of SpamRankings.net in natural field experiments on the Internet to determine the effectiveness of the rankings.

Policy implications of such rankings and drilldowns include: improving Internet security without additional laws or governmental policies; determining which national policies have the most effect; determining the effectiveness of specific infosec against specific botnets or vulnerabilities; incentives to integrate disparate infosec information; improved national competitiveness through less vulnerability to cybercrime and industrial espionage; and improved national security through less vulnerability to cyberwarfare.

Suggested Citation

Quarterman, John S. and Sayin, Serpil and Whinston, Andrew B., Rustock Botnet and ASNs (September 24, 2011). TPRC 2011, Available at SSRN: https://ssrn.com/abstract=1979856

John S. Quarterman (Contact Author)

Quarterman Creations

3338 Country Club Road #L336
Valdosta, GA 31605
United States
512-563-5647 (Phone)

HOME PAGE: http://www.quarterman.com

Serpil Sayin

affiliation not provided to SSRN

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

CBA 5.202
Austin, TX 78712
United States
512-471-8879 (Phone)

