Archive

Posts Tagged ‘zombie’

Are Universities Hosting Spam Zombies?

March 17th, 2010

It has been said that universities all around the world are harboring zombie machines in droves. These are the same zombie machines responsible for sending out massive amounts of spam. In this article, we attempt to understand if the university zombie-spam problem really is as big a deal as it is made out to be.

Most universities spend large sums of money buying IDS, IPS and spam filter technology and their various licenses. This should, at least in theory, allow universities to cut down on the number of such zombie machines by identifying tell-tale signs of malicious communication and by analyzing their network traffic.

Experiment Goal

To understand if universities are harboring zombie machines, which can be used for spam campaigns.

Methodology

We collected a list of 2070 universities. Each university’s DNS was queried to determine the IP address used to host its website. This IP address was cross-referenced with data from Route Views to identify the AS number hosting that IP (using data from CAIDA). The AS number was then used to mine the IP ranges advertised in BGP updates. Once the CIDR IP ranges had been found, the IPs in each CIDR range were checked against Spamhaus’s Zombie Blacklist. The experiment was conducted between March 12th and March 16th, 2010.

Our Observations

  • Number of unique universities: 2070
  • Number of Unique ASes observed: 829
  • Total number of IPs probed: 434,083
  • Size of zombie blacklist: 2,130,944 IPs

Highlights

We present some interesting observations on the data analyzed.

  • Only AS174, Cogent Communications, Inc., was found to contain zombies (see list below).
  • Only 0.67% of educational institutions are associated with spam-zombie IP addresses.
  • Only 0.12% of ASes seem to contain spam-zombie IP addresses.

Frequency distribution of the number of IPs tested.

Conclusion

It seems that universities are unfairly maligned by reports of zombies in their networks. Based on the findings of this preliminary set of experiments, in which spam-zombie machines were not found in large numbers on university sub-nets, it seems that universities are doing a pretty good job of combating spam-zombies and keeping the Internet safe.

Till next time.

Do Zombie IPs Host Blacklisted Websites?

January 12th, 2010

Zombie IPs can be defined as Internet addresses which participate in botnet communications. When Internet surfers visit websites contaminated with malware, the malicious code is often successful in infecting the computer of the unsuspecting visitor. Once the malware has installed itself on the personal computer of the Internet surfer, it proceeds to receive commands from a “controller.” This controller machine is, in many cases, a chat group (IRC) or a more sophisticated system.

At StopTheHacker.com, we have tried to investigate whether there is a correlation between zombie IP addresses (botnet communication sources) and blacklisted websites. If there is a strong correlation, then it points to a disturbing trend: servers used to host websites are infected at two levels. The websites themselves are infected, and some kind of botnet malware is hosted on those servers as well.

The Gumblar family of infections has targeted websites by installing malicious binaries on end-user clients and then sniffing for FTP credentials to inject sites with malicious code. This experiment provides a preliminary look into whether these kinds of malware are only targeting sites or are also creating botnets out of the infected machines.

Experiment Setup

We examined 178 CIDR IP address ranges obtained from Spamhaus. The entire IP address space covered 1,508,096 IP addresses. Out of these, a random sample of 1,600 IP addresses was chosen. We then attempted to determine the websites hosted on each IP address and checked them against the Google Safe Browsing list. The experiment was conducted on January 11, 2010.

Experiment Summary

Results in brief:

  • The majority of zombie IPs do not seem to host any blacklisted websites.
  • Only 0.5% of IPs seemed to host a website, none of which were present in the Google blacklist.

This is an indicator that zombie IPs do not usually host blacklisted websites. It seems that malware installs itself stealthily on end-clients and sniffs for FTP credentials, and does not really try to join the host machine to the botnet. This could be due to a concern that creating/joining a botnet increases the chances of the malware being detected on the host. However, given the robust and increasingly interrelated cycle of cyber-crime that proliferates across the Internet, this trend may change soon. We will be keeping a close eye on this trend, and expect to publish more results as a follow-up to this initial experiment.