So how do we uncover botnets? If you google for
botnet tracking, you will find that
honeypots are often listed in the first page of search results. The strength of honeypots lies in their effectiveness at collecting malware binaries, which are needed to gain a deeper understanding of botnets. As I only track botnets so as to notify unsuspecting victims, and have no interest nor expertise to study the inner working of malware, honeypots are not really made for me. How to attract botnets to interact with honeypots is also a problem.
As I said before, my botnet detection strategy is
to follow the spam upstream. According to
the Q2/June edition of the MessageLabs Intelligence monthly report, 83.2% of all spam was sent via botnets. The fact is, botnets has accounted for more than half of global spam for several years. Isn't that convenient for us if we want to find botnets? If you manage your own mail server, and get a lot of spam every day, perhaps your server have been interacting with botnets all the time. The remaining problem, is how to identify botnet computers.
Thanks to
greylisting, mail servers can easily filter out incoming spam from botnets. The SMTP engines built within malware often are not full blown SMTP servers, as malware authors tend to cut off the retry function of SMTP protocol. Greylisting takes advantage of that and is able to differentiate botnet computers from real mail servers by their lack of retry behavior. To extend from this, mail sending hosts which could not pass greylisting are very likely to be botnet computers, which are exactly what we look for.
Greylisting is a very powerful botnet tracking technique. Once a botnet computer begins to send out malicious mail, be it spam, virus or phishing mail, it will soon be detected by greylisting. If mail servers deploying greylisting could contribute their mail logs to compile the IP address list of suspected botnet computers, the useful life of botnets to cyber criminals will be greatly shortened, which will eventually lead to the demise of botnets. At least it should reduce bot-sent spam to a minimun, I hope.
I have posted
my greylisting implementation, comments or questions are welcomed.