Method and apparatus for detecting zombie-generated spam

Information

  • Patent Application
  • 20080005316
  • Publication Number
    20080005316
  • Date Filed
    June 30, 2006
    18 years ago
  • Date Published
    January 03, 2008
    16 years ago
Abstract
Disclosed is a method and system for detecting a zombie attack in a network having a plurality of computers. The method and system include a network analysis module for determining, for each computer, a working set of email addresses associated with emails sent by each computer. A zombie attack is detected by determining at least one of: 1) at least one computer in the plurality is transmitting more than a threshold rate of emails, 2) that at least one of the computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set, 3) that a first threshold number of computers in the plurality are transmitting email messages to email addresses outside of their associated working set, and 4) that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a block diagram of a prior art network having four zombie computers;



FIG. 2 is a block diagram of a network having four zombie computers and a network analysis module in accordance with an embodiment of the present invention;



FIG. 3 is a flowchart of the steps performed by the network analysis module in accordance with an embodiment of the present invention; and



FIG. 4 shows a high level block diagram of a computer system which may be used in an embodiment of the invention.





DETAILED DESCRIPTION

Spam, or unsolicited junk email, is a problem experienced by many customers of an Internet Service Provider (ISP). Often, spam is sent from so-called “zombie” computers, which are personal computers that are under the control of another controlling computer. It is often extremely difficult for an ISP to detect when spam is being generated by a zombie computer.


As described above, a spammer typically uses a controller computer to execute a program called a daemon. The daemon executes in the background unknown to the user of the zombie computer and “steals” the computer's resources. A controller transmits this daemon to one or more zombie computers via an email attachment or over a network.



FIG. 1 shows a prior art network 100 having a controller 104 controlling zombie computers to email spam. The controller 104 first compromises a set of master computers (also referred to as hosts), such as a first master computer 110 and a second master computer 112 (e.g., using vulnerability scanners). The master computers 110, 112 are computers that the controller 104 uses to begin the spam-sending process (or a Denial of Service attack).


Each master computer 110, 112 communicates with and controls one or more zombie computers. The master and zombie computers are typical computers executing typical software applications. For example, the first master computer 110 communicates with a first zombie computer 114, a second zombie computer 116, and a third zombie computer 118. The second master computer 112 communicates with the second zombie computer 116, the third zombie computer 118, and a fourth zombie computer 120. The controller 104 then communicates with the master computers 110, 112 (either directly or through a chain of other hosts that the spammer has compromised) and orders the daemons to send spam to particular email addresses.


Although FIG. 1 is shown with two master computers and with four zombie computers, any number of master computers and zombie computers (in various configurations) may be under the control of the controller 104.



FIG. 2 shows a block diagram of a network 200 having a network analysis module 204 to detect spam generated by zombie computers. FIG. 3 shows a flowchart illustrating the steps performed by the network analysis module 204 to determine when a zombie attack is occurring. The network analysis module 204 maintains a history of the email addresses to which users send email and the email addresses from which users receive email. Many users transmit email messages to a small subset of contacts or in response to email messages that they have recently received. This small subset of contacts, referred to below as a working set, is typically a subset of the total number of email addresses stored in the user's contacts. Each zombie computer 208, 212, 216, 220 has an associated working set 224, 228, 232, 236, such as a list stored in a database.


The network analysis module 204 creates a working set for each computer in a particular network hosted by an ISP in step 300. The network analysis module 204 may associate a working set with a computer by downloading the working set onto the computer. Alternatively, the network analysis module 204 relates a working set to a computer, such as by creating a record in the working set identifying the computer that the working set is associated with.


In accordance with one aspect of the present invention, the network analysis module 204 uses the working set to detect zombie computers. There are typically three checks performed by the network analysis module 204 to determine whether spam is being sent using zombie computers (i.e., a zombie attack).


The first check occurs when the network analysis module 204 determines whether one or more computers start transmitting many email messages outside of their associated working set (i.e., a zombie spew attack). In one embodiment, the network analysis module 204 determines whether more than a first threshold number of email messages are being transmitted from a zombie computer 208, 212, 216, 220 to addresses outside of the working set associated with the first zombie computer 208 in step 304. If so, then the network analysis module 204 determines that a zombie attack is occurring in step 308.


If not, the network analysis module 204 performs its second check on the zombie computers 208-220. The second check is determining whether there are more than a first threshold number of computers transmitting email messages to addresses outside of the computers' associated working set (i.e., a zombie trickle attack) in step 312. Several users emailing messages to addresses outside of their working set periodically is usually a normal occurrence. If, however, the network analysis module 204 determines that a large number of computers that do not normally send emails to addresses outside of their working set suddenly send such emails, the network analysis module 204 determines that a zombie attack (i.e., a zombie trickle attack) is occurring in step 308.


If the network analysis module 204 determines that the second check is not occurring, the network analysis module 204 then continues with a third check. The third check is determining whether more than a second threshold number of computers are transmitting more than a second threshold number of email messages to the same recipient computer (i.e., a Distributed Denial of Service (DDoS) attack) in step 316. Specifically, the daemons of the zombie computers work together and launch a distributed denial of service (DDoS) attack, flooding a targeted computer with packets in an attempt to cripple the computer's operation. If the network analysis module 204 detects that more than a second threshold number of computers are transmitting more than a second threshold number of email messages to the same recipient computer, the network analysis module 204 determines that a zombie attack is occurring in step 308. If not, then the network analysis module 204 has not detected a zombie attack in step 320.


The first threshold number of computers may or may not be related to the second threshold number of computers. In one embodiment, the first threshold is the same as the second threshold. Alternatively, they are different and/or unrelated. Similarly, the first threshold number of email messages may be related to (e.g., the same as) or unrelated to (e.g., different than) the second threshold number of email addresses.


The network analysis module 204 can be located in any position in the network so long as the network analysis module 204 can analyze the communications being transmitted from and being sent to one or more computers in the network 200. Different levels of support are possible, depending on whether the network analysis module 204 is examining the messages sent or the messages sent and received. In one embodiment, there are the following levels of support possible by the network analysis module 204: 1) examining the rates of messages sent, 2) examining the messages sent outside of the users' working sets, and 3) using the messages sent to the users to further define those working sets. Further, any number of network analysis modules can be used in the network 200 to detect a zombie attack.


The previous description describes the present invention in terms of the processing steps required to implement an embodiment of the invention. These steps may be performed by an appropriately programmed computer, the configuration of which is well known in the art. An appropriate computer may be implemented, for example, using well known computer processors, memory units, storage devices, computer software, and other nodes. A high level block diagram of such a computer is shown in FIG. 4. Computer 400 contains a processor 404 which controls the overall operation of computer 400 by executing computer program instructions which define such operation. The computer program instructions may be stored in a storage device 408 (e.g., magnetic disk) and loaded into memory 412 when execution of the computer program instructions is desired. Computer 400 also includes one or more interfaces 416 for communicating with other devices (e.g., locally or via a network). Computer 400 also includes input/output 424 which represents devices which allow for user interaction with the computer 400 (e.g., display, keyboard, mouse, speakers, buttons, etc.). In one embodiment, computer 400 represents the network analysis module 204.


One skilled in the art will recognize that an implementation of an actual computer will contain other nodes as well, and that FIG. 4 is a high level representation of some of the nodes of such a computer for illustrative purposes. In addition, one skilled in the art will recognize that the processing steps described herein may also be implemented using dedicated hardware, the circuitry of which is configured specifically for implementing such processing steps. Alternatively, the processing steps may be implemented using various combinations of hardware and software. Also, the processing steps may take place in a computer or may be part of a larger machine.


The foregoing Detailed Description is to be understood as being in every respect illustrative and exemplary, but not restrictive, and the scope of the invention disclosed herein is not to be determined from the Detailed Description, but rather from the claims as interpreted according to the full breadth permitted by the patent laws. It is to be understood that the embodiments shown and described herein are only illustrative of the principles of the present invention and that various modifications may be implemented by those skilled in the art without departing from the scope and spirit of the invention. Those skilled in the art could implement various other feature combinations without departing from the scope and spirit of the invention.

Claims
  • 1. A method for detecting a zombie attack in a network having a plurality of computers comprising: determining, for each computer in said plurality of computers, a working set of email addresses associated with emails sent by said each computer; anddetecting a zombie attack by at least one of: determining that at least one computer in said plurality of computers is transmitting more than a threshold rate of emails;determining that at least one computer in said plurality of computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set,determining that a first threshold number of computers in said plurality of computers are transmitting email messages to email addresses outside of their associated working set, anddetermining that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
  • 2. The method of claim 1 wherein said first threshold number of emails is equal to said second threshold number of emails.
  • 3. The method of claim 1 wherein said first threshold number of computers is equal to said second threshold number of computers.
  • 4. The method of claim 1 further comprising performing network analysis on said each computer to determine a list of email addresses associated with said each computer.
  • 5. The method of claim 4 further comprising determining a working set for said each computer by determining to which email addresses in said list of email addresses said each computer sends email messages.
  • 6. The method of claim 5 further comprising updating said working set.
  • 7. A system for detecting a zombie attack in a network having a plurality of computers comprising: a network analysis module configured to determine, for each computer in said plurality of computers, a working set of email addresses associated with emails sent by said each computer and configured to detect a zombie attack by at least one of: determining that at least one computer in said plurality of computers is transmitting more than a threshold rate of emails;determining that at least one computer in said plurality of computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set,determining that more than a first threshold number of computers in said plurality of computers are transmitting email messages to email addresses outside of their associated working set, anddetermining that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
  • 8. The system of claim 7 wherein said first threshold number of emails is equal to said second threshold number of emails.
  • 9. The system of claim 7 wherein said first threshold number of computers is equal to said second threshold number of computers.
  • 10. The system of claim 7 wherein said network analysis module performs network analysis on said each computer in said plurality of computers to determine a list of email addresses associated with said each computer.
  • 11. The system of claim 10 wherein said network analysis module determines said working set by determining to which email addresses in said list of email addresses said each computer sends email messages.
  • 12. A system for detecting a zombie attack in a network having a plurality of computers comprising: means for determining, for each computer in said plurality of computers, a working set of email addresses associated with emails sent by said each computer; andmeans for detecting a zombie attack by at least one of: means for determining that at least one computer in said plurality of computers is transmitting more than a threshold rate of emails;means for determining that at least one computer in said plurality of computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set,means for determining that a first threshold number of computers in said plurality of computers are transmitting email messages to email addresses outside of their associated working set, andmeans for determining that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
  • 13. The system of claim 12 wherein said first threshold number of emails is equal to said second threshold number of emails.
  • 14. The system of claim 12 wherein said first threshold number of computers is equal to said second threshold number of computers.
  • 15. The system of claim 12 further comprising means for performing network analysis on each computer to determine a list of email addresses associated with said each computer.
  • 16. The system of claim 15 further comprising means for determining said working set by determining to which email addresses in said list of email addresses said each computer sends email messages.