Lecture 21: Economics of Security

In order to think about how to protect a system, it helps to know what the incentives for breaking it are.

Economics of Security
- Adversarial motivation---in the case of spam, it's money
- Attacks are economic---without money to be made, people wouldn't try to maximize the effectiveness of their techniques
- Cost of damage---if it's unlikely to get attacked and recovering from attacks is inexpensive, maybe it's not worth pursuing a research agenda; instead, just take out insurance

Case study: spamalytics---measuring the value of spam to a spammer
- authors infiltrated the Storm botnet to use it for sending spam
- ran multiple websites and measured the traffic to them
- performed analysis to study the marginal cost of sending a spam message

Ethics
- On one hand, they took advantage of security holes in end-user machines and in the botnet
- On the other hand, they didn't make things worse for users, and got to learn about why and how spam works

Storm botnet---BIG distributed system
- ~80k compromised machines
- estimates of botnet sizes range from the low 10k range at the low end to the high 100k range at the high end
- Structure:
  - Master machines---hosted on servers by spammers, usually in a country/ISP that doesn't mind what you're doing. If these countries crack down, the master machines will eventually be decentralized as well.
  - Proxy machines---can accept connections from the outside world
  - Worker machines---can't accept connections, but can connect out to SMTP servers
  - Workers + proxies are the compromised machines that make up a DHT.
  - A proxy serves as a load balancer for the master, to reduce bandwidth on it.
  - Workers become proxies if they are reachable from the outside world, so masters can give them commands

How they got machines to join the system
- seed an initial number of machines by sending executables hidden in emails with card readers, etc.
- the first infected machines start sending more spam, which infects more machines
- estimated you can get 8k machines/day this way
DHT
- Software called Overnet, using the Kademlia protocol (similar to Chord)
- The key is the hour of the day (actually the hour and a random number up to 32, hashed together)
- The value is the IP address + port number of a proxy that decided to advertise itself for that hour

Command + Control Architecture
- When a worker wants to do work, it looks up the current time in the DHT, gets a proxy, and asks the proxy for a workload of spam to send
- The proxy gets a job for the worker by way of the master
- A job includes:
  - spam template---the contents of the spam
  - dictionary---words to include in the message to avoid spam filters
  - email list---list of addresses to send spam to

How the botnet was infiltrated
- ran machines that inserted themselves as proxies into the botnet
- received jobs from masters, and sent modified responses to workers to redirect spam to point to their own sites (changed URLs in spam templates)
- for each URL they added, they attached a unique ID so they know which visits were due to a particular email that was sent
- appended a number of commercial email addresses to email lists to see how spam filters at commercial services handle the messages
- appended their own SMTP servers to the proxy's email list to see how many emails are sent by the bots
- stripped their added email addresses from the workers' confirmations of successful deliveries, so the master doesn't find out
- blacklisted visiting IP addresses if they:
  - lack an ID that was sent by email
  - ask for robots.txt (crawlers)
  - have JavaScript disabled (probably another researcher)
  - visit repeatedly (probably researchers)
  - present various user agents in their browsers (again, probably researchers)

Spammers could have had the master sign its messages, but it wasn't worth it to them. Maybe after reading this paper, they will.
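The IP-blacklisting heuristics above are the measurement-hygiene step that keeps crawlers and other researchers out of the click-through counts. As an added example (not code from the paper or the lecture), here is that filter as a two-pass pass over constructed visit records; the record layout and the flag names are assumptions.

```python
from collections import defaultdict

# Constructed sample visits, not data from the paper:
# (client ip, requested path, tracking id from the spam URL or None,
#  user agent, whether JavaScript was enabled)
VISITS = [
    ("10.0.0.1", "/?id=a1", "a1", "Mozilla/5.0 (Windows)", True),
    ("10.0.0.2", "/robots.txt", None, "Googlebot/2.1", True),   # crawler
    ("10.0.0.3", "/?id=b2", "b2", "Mozilla/5.0 (Mac)", False),   # no JS
    ("10.0.0.4", "/?id=c3", "c3", "Mozilla/5.0 (Linux)", True),
    ("10.0.0.4", "/?id=c3", "c3", "curl/7.88", True),            # 2 UAs, repeat
    ("10.0.0.5", "/", None, "Mozilla/5.0 (Windows)", True),     # no id
    ("10.0.0.6", "/?id=d4", "d4", "Mozilla/5.0 (Windows)", True),
    ("10.0.0.6", "/?id=d4", "d4", "Mozilla/5.0 (Windows)", True),  # repeat
    ("10.0.0.7", "/?id=e5", "e5", "Mozilla/5.0 (Windows)", True),
]


def classify_ips(visits):
    """Return {ip: sorted list of blacklist reasons}; an empty list means keep.

    First pass gathers per-IP facts, second pass applies the lecture's rules,
    so a repeat visitor is excluded entirely rather than counted once.
    """
    stats = defaultdict(lambda: {"n": 0, "uas": set(), "flags": set()})
    for ip, path, tid, ua, js in visits:
        s = stats[ip]
        s["n"] += 1
        s["uas"].add(ua)
        if tid is None:
            s["flags"].add("no tracking id")
        if path == "/robots.txt":
            s["flags"].add("crawler (robots.txt)")
        if not js:
            s["flags"].add("javascript disabled")
    verdict = {}
    for ip, s in stats.items():
        flags = set(s["flags"])
        if s["n"] > 1:
            flags.add("repeat visit")
        if len(s["uas"]) > 1:
            flags.add("multiple user agents")
        verdict[ip] = sorted(flags)
    return verdict


def countable_visitors(visits):
    """Number of distinct IPs that survive every blacklist rule."""
    return sum(1 for flags in classify_ips(visits).values() if not flags)
```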
Set up two sites to direct spam to
- postcard website that is self-propagating---they want to see how many of the postcards are forwarded
  - attached a rogue binary on the site that sends a POST back to the researchers, so that as the link is forwarded around, the researchers know how many new machines are compromisable/compromised
- pharmacy website
  - has a shopping cart, e-commerce style
  - measure of success: how many people try to check out
  - doesn't actually charge on checkout

Results
- Of 350 million emails -> 82 million passed the mail server -> 10k resulted in links clicked -> 28 successfully led to a pharmacy purchase.
- That's a really low conversion rate, suggesting the spammer would have to be running the pharmacy site as well in order to turn a profit.
- Estimated revenue from the pharmacy campaign is $10k. The cost to send those spams for the pharmacy website is around $25k.

So what went wrong? There _IS_ spam, so _SOMEONE_ must be making money.

Speculation on how to make it affordable
- maybe spammers run the pharmacy as well
- small group of developers
- alternate revenue streams: selling credit card numbers, etc.

Benefits of spamming from workers instead of a centralized location
- harder to blacklist machines if each one sends less, as the email starts looking normal
- costs too much to send the messages from a centralized location

Other uses of botnets (other sources of revenue)
- DDoS attacks for ransom
- Harvesting credit cards with keyloggers
- Scraping information from web pages
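To make the "what went wrong" question concrete, here is the pharmacy campaign's funnel and cost figures from the results above turned into a small model; it is an added example, not the paper's analysis, and the break-even quantities it derives (cost per million messages, purchases needed, revenue multiplier) are its own framing of the lecture's numbers.

```python
# Funnel stages and economics exactly as the lecture gives them:
# 350M sent -> 82M passed the mail server -> 10k clicks -> 28 purchases,
# estimated revenue $10k against an estimated sending cost of $25k.
FUNNEL = [
    ("sent", 350_000_000),
    ("passed mail server", 82_000_000),
    ("clicked link", 10_000),
    ("attempted purchase", 28),
]
EST_REVENUE = 10_000.0
EST_COST = 25_000.0


def stage_rates(funnel):
    """Fraction surviving each stage relative to the stage before it."""
    return {
        name: count / funnel[i - 1][1]
        for i, (name, count) in enumerate(funnel)
        if i > 0
    }


def overall_conversion(funnel):
    """Purchases per message sent, end to end."""
    return funnel[-1][1] / funnel[0][1]


def campaign_economics(funnel, revenue, cost):
    """Profit and the break-even points implied by the funnel.

    'revenue_multiplier_to_breakeven' is how much more each purchase would
    have to be worth (e.g. if the spammer also owned the pharmacy) before
    this campaign stops losing money at the same sending cost.
    """
    sent, purchases = funnel[0][1], funnel[-1][1]
    revenue_per_purchase = revenue / purchases
    return {
        "profit": revenue - cost,
        "revenue_per_purchase": revenue_per_purchase,
        "cost_per_million_sent": cost / sent * 1e6,
        "breakeven_cost_per_million_sent": revenue / sent * 1e6,
        "purchases_needed_to_breakeven": cost / revenue_per_purchase,
        "revenue_multiplier_to_breakeven": cost / revenue,
    }
```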