If you happened to be at the Black Hat security conference earlier this month in Las Vegas, and you wandered by the Blue Coat booth, you would have seen some rather cool-looking art on the booth panels. Here is one of the pictures (turned sideways for a better fit in the blog):
As you can see, there has been a huge leap from our first generation malware network graphs. For one thing, the color scheme is easier to read: the red dots are malicious hosts (all flagged by WebPulse’s “Background Checker” module), the green dots are known good/popular sites, and the yellow dots are everything in between.
But it isn’t just cool eye candy. There is something important going on in the above graph that’s missing from an older one. Take a look and see if you can see what it is:
Bonus points if you said “the malware ‘trees’ are hooked together in the new version”.
In a lot of cases, as we’ve probed deeper in MDNs (malware delivery networks), we’ve found that what initially appeared to be separate networks were merely sub-networks of a larger organization.
Thinking about this reminded me of an interesting tree called the quaking aspen, found in the Rocky Mountains. These beautiful trees (below) are actually part of large “clonal colonies” — that is, the individual trunks in a grove share a common root system that they grew from as shoots, and so the “trees” are genetically identical to each other. In fact, one such colony has been given a name: “Pando” (see Wikipedia for more). Pando has an estimated 47,000 individual trunks, covers an area of about 43 hectares, has an estimated mass of 6 million kg, and is thought to be at least 80,000 years old. As such, it is currently believed to be both the largest and oldest living thing on the planet. (And even larger/older examples may exist.)
In other words, if we hadn’t already named the biggest MDN we’ve found “Shnakule”, we could have called it “Pando” instead…
Leave a reply