Thursday, January 3, 2008

Storm/CME711 has a temper


So I spend a lot of my time figuring out ways to better detect some of the newer bot/malware variants in enterprise environments. Part of what I do, when I have time, is to pull down some malware and analyze it. By analyzing it and looking at network traffic, peers, etc... it is possible to build up signatures to detect the latest variant. Nothing groundbreaking and horribly reactive. This seems to be the only way to really detect it on the network. Automation is getting harder and harder and requires more and more human interaction as the malware evolves.

Anyway, I was modifying a script to pull down the latest variant from a known domain that hosts the malware. It seems that I downloaded one too many in a too short a period of time. Storm DOS'ed me. :) It's still going on from a few IP Addresses, nothing too impressive, probably more of a warning than anything.

So looking at some data from December 25th (I performed 14500+ lookups on merrychristmasdude.com. Careful, this is still a live domain) I mapped the IP to it's geographic region.

The previous day there were only about 1000 unique IP Addresses being used to host this domain. The geographic spread is interesting. The USA has the dubious honor of having the most infected hosts. These numbers can be skewed by many outside factors including the time I performed the lookups in relation to the time that the latest spam email containing links to the malware was released. (Some people were still sleeping :))

Here are the top 25 countries from that dataset:

China 47
Brazil 49
Bulgaria 53
Chile 57
Hong Kong 79
India 90
Hungary 97
Japan 99
Sweden 121
Germany 136
United Kingdom 137
Taiwan 145
Netherlands 153
Spain 174
Canada 194
Australia 196
Russian Federation 198
Turkey 198
Argentina 220
France 237
Poland 368
Romania 522
Korea, Republic of 814
Unknown 3208 [These 'unknown' IP Addresses were not in the GeoIP database I used]
United States 6427

Doing reverse lookups on the IP Addresses show most to be home DSL/Cable modem users. When will people learn that the email is not from a friend? Heh. Oh well.

dean
dean de beer

No comments: