Spam and Phishing CAP6135: Malware and Software Vulnerability Analysis Cliff Zou

CAP6135: Malware and Software
Vulnerability Analysis
Spam and Phishing
Cliff Zou
Spring 2013
Acknowledgement

This lecture uses some contents from the lecture notes from:
• Dr. Dan Boneh (Stanford): CS155: Computer and Network Security
• Jim Kurose, Keith Ross. Computer Networking: A Top-Down Approach Featuring the Internet, 5th edition.
Electronic Mail

Three major components:
• user agents
• mail servers
• simple mail transfer protocol: SMTP

User Agent
• a.k.a. “mail reader”
• composing, editing, reading mail messages
• e.g., Eudora, Outlook, elm, Netscape Messenger
• outgoing, incoming messages stored on server

(Figure: user agents talk to their mail servers; each mail server holds user mailboxes and an outgoing message queue, and mail servers exchange messages with each other over SMTP.)
How email works: SMTP (RFC 821, 1982)

(Figure: user agents hand mail to their mail server; mail servers forward it to each other over SMTP.)

Some SMTP Commands:
• MAIL FROM: <reverse-path>
• RCPT TO: <forward-path>
  - Repeated for each recipient
  - If unknown recipient: response “550 Failure reply”
• DATA
  - email headers and contents, ended by a line containing only “.”
• Use TCP port 25 for connections
Sample fake email sending
S: 220 longwood.cs.ucf.edu
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: <alice@crepes.fr>
S: 250 alice@crepes.fr... Sender ok
C: RCPT TO: <czou@cs.ucf.edu>
S: 250 czou@cs.ucf.edu ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: from: “fake man” <fake@fake.fake.fake>
C: to: “dr. who” <who@who>
C: subject: who am I?
C: Do you like ketchup?
C: How about pickles?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection
Try SMTP interaction for yourself:
• telnet servername 25
• see 220 reply from server
• enter HELO, MAIL FROM, RCPT TO, DATA, QUIT commands
  - “mail from:” the domain may need to exist
  - “rcpt to:” the user needs to exist
  - A mail server may or may not support “relay”
    - CS email server supports relay from the Eustis machine
  - “from:”, “to:”, “subject:” are what is shown in the normal email display
Using Telnet

• On the department Eustis Linux machine:
  - telnet longwood.cs.ucf.edu 25
  - In the telnet interaction, “backspace” is not supported. You can type “ctrl+backspace” to erase the previous two characters.
• On a Windows 7 machine:
  - Telnet is not installed by default; check this tutorial for install:
    http://technet.microsoft.com/enus/library/cc771275%28v=ws.10%29.aspx

• Outside the campus network, the department email server does not accept connections:
  - You need to first set up VPN to the campus network, then use telnet
  - How to set up VPN: https://publishing.ucf.edu/sites/itr/cst/Pages/NSvpn.aspx
• Even inside the campus network, telnetting directly to the EECS email server will not work now because of the CS server’s new restriction
  - You can connect to the Eustis machine, then run the telnet command inside the Eustis machine.
Email in the early 1980’s

(Figure: sender on Network 1 → Mail relay → Network 2 → Mail relay → Network 3 → recipient)

• Mail Relay: forwards mail to next hop.
• Sender path includes path through relays.
Why Do Email Servers Support Relay?

• Wiki tutorial: http://en.wikipedia.org/wiki/Open_mail_relay
• Network constraints in the old days made it necessary
• Email agent uses SMTP to send email on behalf of a user
  - The user could choose which email address to use as the sender
• Email server supports email group lists:
  - The “sender” shown in the email is the group list address, but the real sender is a different person
• Closing relay: accept only
  - Messages from local IP addresses to local mailboxes
  - Messages from local IP addresses to non-local mailboxes
  - Messages from non-local IP addresses to local mailboxes
  - Messages from clients that are authenticated and authorized
Spoofed email

• SMTP: designed for a trusting world …
• Data in MAIL FROM totally under control of sender
  - … an old example of improper input validation
• Recipient’s mail server:
  - Only sees IP address of direct peer
  - Recorded in the first From header
The received header

• Sending spoofed mail to myself:

  From someone@somewhere.com (172.24.64.20) ...
  Received: from cs-smtp-1.stanford.edu
  Received: from smtp3.stanford.edu
  Received: from cipher.Stanford.EDU

• From header inserted by recipient mail server
• Received headers inserted by relays --- untrustworthy
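The point of the slide, that only the Received header written by your own server (and by relays you trust) can be believed, can be turned into a small tracing routine. This is an added example, not code from the lecture; the header block, host names and IP addresses are constructed for it, and the parser only handles the common “from NAME (NAME [IP]) by NAME” form.

```python
import re

# Constructed sample header block (not from the slides), in the shape of the
# spoofed message on the slide: the top Received header was written by the
# recipient's own server, and each lower Received header was written by the
# relay named after "by" on that line, so it is only as trustworthy as that relay.
SAMPLE_HEADERS = """\
Received: from cs-smtp-1.stanford.edu (cs-smtp-1.stanford.edu [171.64.1.10])
\tby mailbox.example.edu with ESMTP; Tue, 5 Mar 2013 10:12:01 -0800
Received: from smtp3.stanford.edu (smtp3.stanford.edu [171.64.1.20])
\tby cs-smtp-1.stanford.edu with ESMTP; Tue, 5 Mar 2013 10:12:00 -0800
Received: from cipher.Stanford.EDU (cipher.Stanford.EDU [172.24.64.20])
\tby smtp3.stanford.edu with ESMTP; Tue, 5 Mar 2013 10:11:59 -0800
Received: from mail.somewhere.com (mail.somewhere.com [10.9.8.7])
\tby cipher.Stanford.EDU with SMTP; Tue, 5 Mar 2013 10:11:58 -0800
From: someone@somewhere.com
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\([^\[]*\[([0-9.]+)\]\)\s+by\s+(\S+)")

def parse_received(headers):
    """Return [(claimed_name, peer_ip, writer)] for each Received header,
    newest (top) first, after unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append((m.group(1).lower(), m.group(2),
                             m.group(3).rstrip(";").lower()))
    return hops

def attributable_source(headers, trusted_relays):
    """Walk down from the header written by our own server through relays we
    trust; the first peer that is not a trusted relay is the earliest hop we can
    attribute. Every Received line below it was written by an untrusted host
    and may be forged, so it is ignored."""
    trusted = {h.lower() for h in trusted_relays}
    for claimed, peer_ip, writer in parse_received(headers):
        if writer not in trusted:
            return None          # the chain is already out of our hands
        if claimed not in trusted:
            return claimed, peer_ip
    return None
```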
Spam Blacklists

• RBL: Realtime Blackhole Lists
  - Includes servers or ISPs that generate lots of spam
  - spamhaus.org, spamcop.net
• Effectiveness (stats from spamhaus.org):
  - RBL can stop about 15-25% of incoming spam at SMTP connection time
  - Over 90% of spam with message body URI checks
• Spammer goal: evade blacklists by hiding its source IP address.
Spamming techniques

Open relays
• SMTP Relay forwards mail to destination
  1. Bulk email tool connects via SMTP (port 25)
  2. Sends list of recipients (via RCPT TO command)
  3. Sends email body --- once for all recipients
  4. Relay delivers message
• Honest relay:
  - Adds Received header revealing source IP
  - Hacked relay does not
Example: bobax worm

• Infects machines with high bandwidth
  - Exploits MS LSASS.exe buffer overflow vulnerability
• Slow spreading:
  - Spreads on manual command from operator
  - Then randomly scans for vulnerable machines
• On infected machine (spam zombie):
  - Installs hacked open mail relay. Used for spam.
• Once spam zombie added to RBL:
  - Worm spreads to other machines
Open HTTP proxies

• Web cache (HTTP/HTTPS proxy) -- e.g. squid

(Figure: a client opening URL https://xyz.com sends “CONNECT xyz.com 443” to the Squid web cache, which connects to the xyz.com web server; the ClientHello and ServerHello then pass through the proxy.)

• To spam:
  CONNECT SpamRecipient-IP 25
  SMTP Commands
  Squid becomes a mail relay …
Finding proxies

• Squid manual: (squid.conf)
    acl Safe_ports port 80 443
    http_access deny !Safe_ports
  - URLs for other ports will be denied
• Similar problem with SOCKS proxies
• Some open proxy and open relay listing services:
  - http://www.multiproxy.org/
  - http://www.stayinvisible.com/
  - http://www.blackcode.com/proxy/
  - http://www.openproxies.com/ (20$/month)
Open Relays vs. Open Proxies

• HTTP proxy design problem:
  - Port 25 should have been blocked by default
  - Otherwise, violates principle of least privilege
• Relay vs. proxy:
  - Relay takes a list of addresses and sends the msg to all
  - Proxy: spammer must send msg body to each recipient through proxy.
  - Hence zombies typically provide hacked mail relays.
Thin pipe / Thick pipe method

• Spam source has
  - High Speed Broadband connection (HSB)
  - Controls a Low Speed Zombie (LSZ)

(Figure: LSZ performs the TCP handshake with the target SMTP server and passes the TCP sequence numbers to HSB; HSB then sends the SMTP bulk mail with source IP = LSZ.)

• Assumes no egress filtering at HSB’s ISP
• Hides IP address of HSB. LSZ is blacklisted.
Bulk email tools (spamware)

• Automate:
  - Message personalization
  - Mailing list and proxy list management
• Also test against spam filters (e.g. spamassassin)

(Figure: Send-Safe bulk emailer screenshot)
Anti-spam methods

The law: CAN-SPAM act (Jan. 2004)
• Bans false or misleading header information
  - To: and From: headers must be accurate
• Prohibits deceptive subject lines
• Requires an opt-out method
• Requires that email be identified as advertisement
  - ... and include sender's physical postal address
• Also prohibits various forms of email harvesting and the use of proxies
Effectiveness of CAN-SPAM

• Enforced by the FTC:
  - FTC spam archive spam@uce.gov
  - Penalties: 11K per act
• Dec ’05 FTC report on effectiveness of CAN-SPAM:
  - 50 cases in the US pursued by the FTC
  - No impact on spam originating outside the US
  - Open relays hosted on bot-nets make it difficult to collect evidence
• http://www.ftc.gov/spam/
Sender verification I: SPF (sender policy framework)

• Goal: prevent spoof email claiming to be from HotMail
• Why? Bounce messages flood HotMail system

(Figure: the sender’s MUA sends MAIL FROM xyz@hotmail.com to the recipient mail server; the recipient looks up the SPF record for hotmail.com in DNS, which lists 64.4.33.7 and 64.4.33.8, and asks: is the sender IP in the list?)

• More precisely:
  hotmail.com TXT v=spf1 a:mailers.hotmail.com -all
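The check the recipient server performs on the record above, as an added example (not code from the lecture or from any SPF library). The DNS answers are a constructed in-memory table standing in for real TXT and A lookups, and only the mechanisms needed for this record (a, ip4, all with their qualifiers) are implemented.

```python
import ipaddress

# Constructed DNS view (not real records): the TXT record from the slide and
# the A records of the host it names, as the recipient's resolver would return.
FAKE_DNS = {
    "txt": {"hotmail.com": "v=spf1 a:mailers.hotmail.com -all"},
    "a": {"mailers.hotmail.com": ["64.4.33.7", "64.4.33.8"]},
}

def spf_check(sender_ip, mail_from_domain, dns=FAKE_DNS):
    """Evaluate the v=spf1 record of the MAIL FROM domain against the peer IP.
    Mechanisms are tried left to right; the first match decides, and its
    qualifier gives the result. Returns 'pass', 'fail', 'softfail', 'neutral'
    or 'none' (domain publishes no SPF record)."""
    record = dns["txt"].get(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"                      # unqualified mechanism means pass
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                    # 'a:host' or bare 'a' (= the domain itself)
            host = arg or mail_from_domain
            matched = any(ip == ipaddress.ip_address(a) for a in dns["a"].get(host, []))
        if matched:
            return results[qualifier]
    return "neutral"                         # nothing matched and no 'all' term
```

With “-all” at the end, any peer that is not one of the listed mailers gets a hard fail, which is what lets the recipient drop the spoofed message before a bounce is ever generated.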
Sender verification II: DKIM

• Domain Keys Identified Mail (DKIM)
  - Same goal as SPF. Harder to spoof.
• Basic idea:
  - Sender’s MTA signs email
    - Including body and selected header fields
  - Receiver’s MUA checks signature
    - Rejects email if invalid
• Sender’s public key managed by DNS
  - Subdomain: _domainkey.hotmail.com
Graylists

• Recipient’s mail server records triples:
  - (sender email, recipient email, peer IP)
  - Mail server maintains DB of triples
• First time: triple not in DB:
  - Mail server sends 421 reply: “I am busy”
  - Records triple in DB
• Second time (after 5 minutes): allow email to pass
• Triples kept for 3 days (configurable)
• Easy to defeat but currently works well.
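The triple database and the two decisions on the slide, as an added example (not code from the lecture or from any greylisting package). The clock is injectable so the 5-minute retry and 3-day expiry can be exercised without waiting; the 421 reply code follows the slide.

```python
import time

class Greylist:
    """Greylisting store keyed on (sender, recipient, peer_ip). Times are in
    seconds; defaults are the slide's values: retry after 5 minutes, keep
    triples for 3 days. `clock` is injectable for testing."""

    def __init__(self, retry_after=300, keep_for=3 * 24 * 3600, clock=time.time):
        self.retry_after = retry_after
        self.keep_for = keep_for
        self.clock = clock
        self.db = {}            # triple -> time of first attempt

    def _expire(self, now):
        stale = [t for t, first in self.db.items() if now - first > self.keep_for]
        for t in stale:
            del self.db[t]

    def decide(self, sender, recipient, peer_ip):
        """SMTP reply code to give at RCPT TO time: 421 ("I am busy") for a
        triple never seen or seen too recently, 250 once the retry delay has
        passed. Bulk mailers that never retry are dropped by this alone."""
        now = self.clock()
        self._expire(now)
        triple = (sender.lower(), recipient.lower(), peer_ip)
        first = self.db.get(triple)
        if first is None:
            self.db[triple] = now          # record the triple, reject this time
            return 421
        if now - first < self.retry_after:
            return 421                     # an honest MTA queues and retries later
        return 250
```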
Puzzles and CAPTCHA

• General DDoS defense techniques
• Puzzles: slow down spam server
  - Every email contains solution to puzzle where challenge = (sender, recipient, time)
• CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
  - Every email contains a token
  - Sender obtains tokens from a CAPTCHA server
    - Say: 100 tokens for solving a CAPTCHA
    - CAPTCHA server ensures tokens are not reused
• Either method is difficult to deploy.
SpamAssassin

• Wiki tutorial: http://en.wikipedia.org/wiki/SpamAssassin
• Mainly a rule-based spam filter
  - Many rules give scores for all fields in an email
    - Email header, special keywords in email, URLs in email, images in email, …
  - Final decision is the combined score compared with a threshold
  - Has false positives (treat normal as spam) and false negatives (treat spam as normal)
    - A false positive is very damaging! Nobody wants to lose an important email!
• Also contains Bayesian filtering to match a user’s statistical profile
  - Needs known “ham” and “spam” email samples for training
Part II: Phishing & Pharming

(Figure: APWG phishing statistics, Oct. 2004 to July 2005)

(Figure: example phishing site) Note: no SSL. Typically: short lived sites.
Common Phishing Methods

• Often phishing sites hosted on bot-net drones.
  - Move from bot to bot using dynamic DNS.
• Use domain names such as: www.ebay.com.badguy.com
• Use URLs with multiple redirections: http://www.chase.com/url.php?url=“http://www.phish.com”
• Use randomized links: http://www.some-poor-sap.com/823548jd/
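Two of the URL tricks above can be flagged mechanically, in the spirit of the toolbar heuristics mentioned later in the lecture. This is an added example, not code from the lecture or from any toolbar; the protected-brand table is constructed, and “registered domain” is approximated by the last two labels (a real tool would consult the public suffix list).

```python
from urllib.parse import urlsplit, parse_qs

# Constructed table of brands we want to protect and the domain they really use.
PROTECTED = {"ebay": "ebay.com", "chase": "chase.com"}

def registered_domain(host):
    """Last two labels of the host: 'badguy.com' for 'www.ebay.com.badguy.com'.
    Approximation; a production tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def phishing_indicators(url):
    """Return heuristic hits for the slide's URL tricks:
    1. a protected brand appears as a label of the hostname, but the domain
       that actually owns the host is someone else's (www.ebay.com.badguy.com);
    2. a query parameter carries a full URL pointing at a different domain,
       i.e. the trusted site is being used as a redirector."""
    hits = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registered_domain(host)
    for brand, real_domain in PROTECTED.items():
        if brand in host.split(".") and owner != real_domain:
            hits.append(f"brand '{brand}' in hostname but domain is {owner}")
    for key, values in parse_qs(parts.query).items():
        for value in values:
            value = value.strip("\"'\u201c\u201d")      # tolerate quoted values
            if value.lower().startswith(("http://", "https://")):
                target = (urlsplit(value).hostname or "").lower()
                if registered_domain(target) != owner:
                    hits.append(f"redirect via '{key}' to {target}")
    return hits
```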
Industry Response

• Anti-phishing toolbars: Netcraft, EBay, Google, IE7
• IE7 phishing filter:
  - Whitelisted sites are not checked
  - Other sites: (stripped) URL sent to MS server
  - Server responds with “OK” or “phishing”
Pharming

• Cause DNS to point to phishing site
• Examples:
  1. DNS cache poisoning
  2. Write an entry into machine’s /etc/hosts file: “ Phisher-IP Victim-Name ”
• URL of phishing site is identical to victim’s URL
  - … will bypass all URL checks
Response: High assurance certs

• More careful validation of cert issuance
• On browser (IE7): (Figure: browser address bar display)
• … but most phishing sites do not use HTTPS
Other industry responses: BofA, PassMark; ING bank login

(Figure: Bank of Adelaide login page)

(Figure: ING PIN Guard)
T.G.s: The next phishing wave

• Transaction generation malware:
  - Wait for user to login to banking sites
  - Issue money transfer requests on behalf of user.
• Reported malware in UK targeting all four major banks.
• Note: These are social engineering attacks. Not just a Windows problem.
Some ID Protection Tools

• SpoofGuard: (NDSS ’04)
  - Alerts user when viewing a spoofed web page.
  - Uses variety of heuristics to identify spoof pages.
  - Some SpoofGuard heuristics used in eBay toolbar and Earthlink ScamBlocker.
• PwdHash: (Usenix Sec ’05)
  - Browser extension for strengthening pwd web auth.
  - Being integrated with RSA SecurID.
Password Hashing (pwdhash.com)

• Generate a unique password per site (HMAC keyed with the user’s password fido:123):
  - HMAC_fido:123(banka.com) → Q7a+0ekEXb  (pwdA, sent to Bank A)
  - HMAC_fido:123(siteb.com) → OzX2+ICiqc  (pwdB, sent to Site B)
• Hashed password is not usable at any other site
Our New Proposed Approach: PwdIP-Hash

• Problem of PwdHash:
  - cannot deal with Phishing attack
• Basic Idea: The user password is first hashed with the remote server’s IP address + domain name, then transmitted to the remote server
  - Reason: a remote server cannot lie about its IP address
  - The TCP connection has already been set up, so it is very hard to lie
• Result: The remote server receives a hashed password
  - The real server has the plain password and can verify
  - The phishing server cannot use the hashed password for login
• See our prototype at: http://www.cs.ucf.edu/~czou/PwdIP-Hash/
  - Paper published in conference IEEE NCA 2010.
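The per-site derivation of the Password Hashing slide and the IP-plus-domain variant proposed here, side by side, as an added example (not the pwdhash.com code nor the PwdIP-Hash prototype). It uses HMAC-SHA256 truncated to 10 base64 characters, so it will not reproduce the exact strings on the slide; the master password and addresses are constructed, and the pharming case is the one where the impostor serves under the victim’s exact domain name but is reached at another IP.

```python
import base64
import hashlib
import hmac

def site_password(master, domain):
    """PwdHash-style derivation: HMAC keyed with the user's master password over
    the site's domain name. Illustrative choice of HMAC-SHA256 and a 10-char
    base64 prefix; pwdhash.com's own hash and encoding are not reproduced."""
    mac = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:10]

def ip_site_password(master, server_ip, domain):
    """PwdIP-Hash-style derivation (illustrative): the peer IP of the TCP
    connection is mixed in together with the domain name, so a server reached
    at a different address receives a different, useless credential."""
    return site_password(master, f"{server_ip}|{domain}")

def pharming_outcome(master, domain, real_ip, phisher_ip):
    """For a victim whose DNS was redirected (pharming): under each scheme,
    (credential the real server expects, credential the impostor receives).
    Equal values mean the impostor can replay the credential at the real site."""
    return {
        "pwdhash": (site_password(master, domain),
                    site_password(master, domain)),
        "pwdiphash": (ip_site_password(master, real_ip, domain),
                      ip_site_password(master, phisher_ip, domain)),
    }
```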
Take home message

• Deployed insecure services (proxies, relays)
  - Quickly exploited
  - Cause trouble for everyone
• Current web user authentication is vulnerable to spoofing
  - Users are easily fooled into entering password in an insecure location