The value and power mediated by the global, interconnected systems of today’s Internet attract adversaries who seek to exploit these systems for economic, political or social gain.  Yet, the underlying complexity of Internet infrastructure, the layering of its services, and the indirect nature of its business relationships can make it challenging to identify even the existence of adversaries manipulating systems for their benefit.

In this talk I present systems and methods to uncover and explore two such large-scale adversarial activities, Internet-wide cybercrime and censorship.  I begin with an in-depth exploration of ZeroAccess, a complex peer-to-peer botnet which served as a delivery platform for advertising abuse malware for more than four years and impacted millions of users. I identify innovative attacks and fraudulent business relationships within the advertising ecosystem stemming from complex multi-hop ad reseller chains, resulting in millions of dollars in fraud per month. These relationships and explorations were used as a focal point for fraud remediation and a takedown of the botnet.

Next I present Augur, a measurement technique and accompanying system that uses highly noisy TCP/IP side channels to measure reachability between two Internet locations without access to the endpoints or the path between them. Augur uses sequential hypothesis testing to provide statistical confidence in the face of network and side channel noise. I then use Augur to perform a global censorship measurement study of the blocking practices of more than 180 countries.