An Exploration of the Identifying Characteristics of Spam Campaign Address Lists
- Author(s): Gardner, Christopher Patrick
- et al.
In this paper, email addresses targeted by several botnets, including Grum, MegaD, Pushdo, Rustock, Srizbi, and Storm, are analyzed with two goals. These addresses are organized into various lists, which were gathered from these botnets. The first goal of this analysis is to determine, solely from the addresses in the lists, how each botnet collected the addresses it sends spam to. This is performed using Google searches, by reviewing the duplicated and invalid addresses within each list, and by examining the addresses shared between lists. The second goal is to determine whether a classifier can be created from the domain distributions of the addresses in these lists. This classifier must be able to correctly identify the source botnet from a set of targeted addresses and must correctly distinguish between botnets. The top-level domain (TLD), country-code top-level domain (ccTLD), and registered domain distributions will be used in this analysis.