The prolific spread of mobile phones through all corners of the globe has only been matched by their rapid increase in computing power. As cellular phones become further integrated into the fabric of everyday life, their value to attackers will rise accordingly. As a result, the widespread debilitating outbreak of self-propagating malware in the cell phone environment is a matter of "when", rather than "if." Although self-propagating malware is well understood in the Internet, mobile phone networks have very different characteristics in terms of topologies, services, provisioning and capacity, devices, and communication patterns. To understand the propagation of malware in this new environment, we have developed an event-driver simulator that captures the characteristics and constraints of mobile phone networks. Key elements of the simulator are a network topology generator (RACoON), which creates realistic topologies and provisioned capacities of the network infrastructure, and a social network topology generator, which models address books and the resulting contact graph that would be used by propagating malware. Using the simulator, we evaluate the speed and severity of random-contact worms in mobile phone networks, characterize the denial-of-service effects such worms would have on the network, investigate techniques that malware writers could use to accelerate the rate of infection, and, finally, explore various methods network operators could take to defend against such attacks.

Pre-2018 CSE ID: CS2007-0894

To evade blacklisting, the vast majority of spam email is sent from exploited MTAs (i.e., botnets) and with forged "From" addresses. In response, the anti-spam community has developed a number of domain-based authentication systems -- such as SPF and DKIM -- to validate the binding between individual domain names and legitimate mail sources for those domains. In this paper, we explore an alternative solution in which the mail recipient requests a real-time affirmation for each e-mail from the declared sender's MX of record. The "Occam" protocol is trivial to implement, offers authenticating power equivalent to SPF and DKIM and, most importantly, forces spammers to deploy and expose blacklistable servers for each domain they use during a campaign. We discuss the details of the protocol, compare its strengths and weaknesses with existing solutions and describe a prototype implementation in Sendmail.

Pre-2018 CSE ID: CS2007-0893

Few Internet security issues have attained the universal public recognition or contempt of unsolicited bulk email -- SPAM. The engine that drives this enormous activity is not spam itself -- which is simply a means to an end -- but the various money-making ``scams'' (legal or illegal) that extract value from Internet users. In this paper, we focus on the Internet infrastructure used to host and support such scams. Unlike mail-relays or bots, scam infrastructure is directly implicated in the spam profit cycle and thus considerably rarer and more valuable. Our goal is to measure and analyze this scam infrastructure to better understand the dynamics and business pressures exerted on spammers. To identify scam infrastructure, we employ an opportunistic technique called spamscatter. The underlying principal is that each scam is, by necessity, identified in the link structure of associated spams. To this end, we have built a system that mines email, identifies URLs in real time and follows such links to their eventual destination server. We further identify individual scams by clustering scam servers whose rendered Web pages are graphically similar using a technique called image shingling. Using the spamscatter technique on a large real-time spam feed (roughly 150,000 per day) we identify and analyze over 2,000 distinct scams hosted across more than 7,000 distinct servers.

Pre-2018 CSE ID: CS2007-0887