The following Technical Reports from the UAB Computer Forensics Research Laboratory are available as PDF documents at the bottom of this page:
UABCIS-TR-2011-011811: "Notes on the Waledac Wake-Up from the UAB Spam Data Mine"
Several security blogs and journalists noted that the Waledac botnet returned this year for its traditional New Year's greeting. The spam continued until January 5th, when the botnet abruptly appeared to halt. This technical report shares observations about the "Waledac Wake-Up", using two associated domains as starting points and presenting the results from the UAB Spam Data Mine.
UABCIS-TR-2010-120510: "Manual Spam Clustering with the UAB Spam Data Mine"
In this report, we provide an example of a manual clustering methodology that can be used by an analyst to gain deeper insights into sources of spam. A common query received by the UAB Computer Forensics Research Laboratory is "can you tell me more about this spam message" where a single spam message is used as the basis for the query. This report serves to document the manual process of querying the data mine, both as a demonstration of the types of information an investigator may request, and to demonstrate the manual processes so they may be automated by further research. (Please note that many of the processes have been partially automated already.)
In the example used in this report, we begin with a single email selling controlled substances, and demonstrate how that one email can be linked to many thousands of related emails, and how portions of the botnet and hosting infrastructure used to send them can be documented.
UABCIS-TR-2010-120410: "URL Shorteners Used by Online Drug Dealers"
While reviewing spam messages advertising controlled Schedule II drugs, including Hydrocodone, Percocet, and Vicodin, spam analysts working in the UAB Spam Data Mine discovered evidence that criminals are using URL shortening services to hide the domains used to sell their drugs. Because no domain name of their own appears in the spam, criminals may claim their domains have never been used for spamming. This report documents some of this usage in spam messages archived in the UAB Spam Data Mine.
When reviewing a list of domains that seemed to be in a cluster, many of the domain names, such as “cheaprx-or.com” and “exclusiverefill.ru” and “genuinemypharm.ru” were clearly domain names used by criminals to sell drugs. Less clear were the short domain names we found. Many examples are given for each of the URL shortening services listed below.
0tw.it 1lnk.in 3x8.fr 4ul.us 6.md a.md b23.ru bit.ly cd4.me chilp.it clck.ru cl.lk firsturl.de flx.im fon.gs gurl.es hurl.me i5.be id.tl itshrunk.com l2l.at ln-s.ru lru.jp miniurl.com mni.me nn.nf o-x.fr pcw.ro qiq.im qwx.si retwt.me ri.ms ru.ly shrunkin.com sn.im snipr.com snipurl.com snurl.com sqi.sh su.sg tinyurl.com tinyvid.io togoto.us to.ly ub0.cc urlcorta.es urlcut.com urlzen.com vl.am xxsurl.de yrn.me
Attached Files
Information about the Jan 2011 Waledac spam
A controlled substance spam query example
Thousands of examples of URL shorteners being used for drug websites