A couple of months ago, we showed off a sample of our next-generation malware delivery network (“malnet”) graphs.
Since then, we’ve pressed the wizard behind them (Jon) to come up with a way to animate the graphs, so that we could show them in a time-lapse video. Here’s what he’s come up with so far. (And it will also serve as a test for us to see how well the blog can handle video clips…)
First, a quick explanation of what the video is portraying:
Essentially, this is a “day in the life” of a malnet (actually, one subnet of a malnet, since otherwise it would get too crowded). Jon basically took one set of 24-hour data, created nodes for each new malware site in this malnet as they showed up in the logs, and dropped them into the graph in intervals matching their time-stamps in the logs. This created a “real-time” view, which he then condensed down to two minutes. The engine periodically pauses and rebalances the graph to keep proportional spacing.
The Green nodes represent well-known, high-traffic, innocent sites. Visitors there encountered some sort of bait or trap that pulled them into the malnet. The Red nodes are the individual malicious sites used by the malnet that day. The Yellow nodes are simply “everything in between” — some of these are certainly in cahoots with the Red nodes, but some may be innocent-but-hacked (or tricked) sites. Also, for this version, I asked Jon to mask the individual domain/subdomain names of the malicious sites, so as not to make it too easy for this particular Bad Guy to see how much we know about his network, but still give you the flavor of the variety of site names he’s using.
In case you missed the details, or lost track due to the rebalancings, the Green node that ends up in the largest cluster of Red nodes is google.com (and many of the other Green nodes are other Google sites), indicating that we’re mostly looking at a search engine poisoning attack.
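A sketch of the data preparation described above, as an added example that is not code from the original post or from Jon's graph engine: it replays a log in timestamp order, emits each node at its first appearance scaled from 24 hours to a two-minute timeline, colours it, and counts how many Red nodes each Green node leads to. The log format, all host names and the two classification lists are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample log: "HH:MM:SS source_host -> destination_host".
# The format and every host name are assumptions made for this example.
SAMPLE_LOG = """\
00:10:00 search.example -> relay-a.example
00:10:02 relay-a.example -> bad-1.example
06:00:00 search.example -> relay-b.example
06:00:01 relay-b.example -> bad-2.example
12:30:00 portal.example -> relay-a.example
18:00:00 search.example -> bad-3.example
23:59:00 relay-b.example -> bad-3.example
"""
WELL_KNOWN = {"search.example", "portal.example"}                # Green (assumed list)
MALICIOUS = {"bad-1.example", "bad-2.example", "bad-3.example"}  # Red (assumed list)
DAY_SECONDS, VIDEO_SECONDS = 24 * 3600, 120   # one day condensed to two minutes

def colour(host):
    if host in WELL_KNOWN:
        return "green"
    return "red" if host in MALICIOUS else "yellow"

def parse(log):
    """Yield (seconds_since_midnight, source, destination) per log line."""
    for line in log.splitlines():
        stamp, src, _, dst = line.split()
        h, m, s = map(int, stamp.split(":"))
        yield h * 3600 + m * 60 + s, src, dst

def timeline(log):
    """Return (video_time, host, colour) for each node at its first appearance."""
    seen, events = set(), []
    for t, src, dst in sorted(parse(log)):
        for host in (src, dst):
            if host not in seen:
                seen.add(host)
                events.append((round(t * VIDEO_SECONDS / DAY_SECONDS, 2), host, colour(host)))
    return events

def red_reach(log):
    """Count the Red nodes reachable from each Green node along logged edges."""
    edges = defaultdict(set)
    for _, src, dst in parse(log):
        edges[src].add(dst)
    reach = {}
    for start in WELL_KNOWN:
        visited, queue = {start}, deque([start])
        while queue:
            for nxt in edges[queue.popleft()] - visited:
                visited.add(nxt)
                queue.append(nxt)
        reach[start] = len(visited & MALICIOUS)
    return reach
```

In the constructed data, the Green node with the highest count plays the role that google.com plays in the video: the common entry point into the Red cluster.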
We hope you like it!
(For additional sharing options, we’ve also posted a smaller version to YouTube.)
–C.L. & J.D.