Commtouch Research Center – A Cool Botnet Tool


Last month we released our new service – GlobalView Zombie Intelligence. Commtouch Zombie Intelligence is a real-time feed of zombie IP addresses along with rich information about their activity and behavior.
As a result of our research and development in the field of zombies and bots, we are constantly gathering a vast amount of data about zombies and their behavior. We started getting requests from people who wanted to know more about it, and we thought it only makes sense to publish some of what we know in our Zombie Lab Online Statistics.
I would like to use this post to introduce some of the web tools that accompany the Zombie Intelligence service.

Active Zombies

Most malicious activity on the Internet today originates from botnets, that is, zombies acting collectively. Zombies are equal-opportunity villains, serving multiple purposes such as sending malware, phishing, and spam outbreaks, as well as participating in DDoS, data theft, click fraud and credit card fraud. Although at any given moment millions of machines are infected by bots, they are not necessarily always active: the bot software waits for a command from its master, and only then wakes up and starts doing bad things. A machine that is infected but idle does not show up as active, which is why the active count is always far below the infected count.
This graph shows the number of active zombies on a given day, according to Commtouch findings. What is interesting about it is that it lets you break the information down in two ways: by IP type or by activity level.
The IP type breakdown shows how many IPs are dynamic (usually associated with consumers) and how many are static (usually associated with businesses and organizations).

The activity level is a measure developed by Commtouch to rank zombies by how busy they are. A zombie labeled with a high activity level is one that was spotted frequently and was responsible for a large volume of malicious activity; a low-activity zombie was seen rarely or did little while it was awake.

[Chart: Active Zombies]

Global Distribution of Zombies IPs

This is a pie chart that maps the geographical location of infected machines. When I first looked at the result, I was a little surprised to see that overall the infected machines are spread fairly evenly across the different regions of the world. I would have expected to see more infected machines in countries where security awareness is not as developed. I guess they proved me wrong: zombies are equal-opportunity about their hosts, too.
It would be interesting to follow this chart over time and look for correlations between new outbreaks and the share of infected machines in each country.

[Chart: Zombies Global Distribution]

Zombie Hot Spot

This is my favorite tool. It maps each zombie IP to the domain that owns it, so you can see the top ten domains with the most infected machines. Because ISPs have by far the largest subscriber bases, the result is effectively a top-ten list of the ISPs with the most infected subscribers.
What is also interesting is that the tool lets you change the timeframe, so you can see the top ten for a single day or for the entire month.
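To make the three views concrete, here is an added example that rolls a small constructed feed up into the active-zombie breakdown, the per-country distribution and the hot-spot list. This is not Commtouch code and not the service's actual feed format: the record layout, the reverse-DNS (PTR) table, the activity-level thresholds and the small public-suffix set are all assumptions made for the illustration.

```python
"""Roll a zombie-IP feed up into the views discussed in the post:
active zombies per day (by IP type and activity level), distribution by
country, and the "hot spot" list of domains hosting the most infected
machines. Added example; not Commtouch code. The record layout, the
reverse-DNS table and the activity thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import date

# Constructed feed: (ip, day seen, ip type, country, sightings that day).
FEED = [
    ("203.0.113.10", "2007-06-01", "dynamic", "US", 40),
    ("203.0.113.10", "2007-06-01", "dynamic", "US", 5),   # same host, second sighting
    ("203.0.113.11", "2007-06-01", "dynamic", "US", 2),
    ("198.51.100.7", "2007-06-01", "static", "DE", 15),
    ("192.0.2.30", "2007-06-01", "dynamic", "BR", 1),
    ("192.0.2.31", "2007-06-02", "dynamic", "BR", 60),
    ("198.51.100.8", "2007-06-02", "static", "DE", 3),
    ("203.0.113.12", "2007-06-15", "dynamic", "US", 9),
    ("192.0.2.99", "2007-06-20", "static", "IN", 7),      # no reverse DNS
]

# Constructed reverse-DNS (PTR) answers; a real tool would resolve these.
PTR = {
    "203.0.113.10": "c-203-0-113-10.hsd1.example-cable.net",
    "203.0.113.11": "c-203-0-113-11.hsd1.example-cable.net",
    "203.0.113.12": "c-203-0-113-12.hsd1.example-cable.net",
    "198.51.100.7": "mail.example-corp.de",
    "198.51.100.8": "web.example-corp.de",
    "192.0.2.30": "192-0-2-30.dsl.example-isp.com.br",
    "192.0.2.31": "192-0-2-31.dsl.example-isp.com.br",
}

# Assumed thresholds: the post says only that a high level means the host
# was spotted frequently doing a lot of malicious activity.
HIGH, MEDIUM = 30, 5
# A few multi-label public suffixes; real code should use the full list.
TWO_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}


def activity_level(sightings):
    """Map a per-host sighting count to the post's activity-level label."""
    if sightings >= HIGH:
        return "high"
    if sightings >= MEDIUM:
        return "medium"
    return "low"


def registered_domain(hostname):
    """Collapse a PTR name to the domain that owns the host."""
    labels = hostname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def _hosts(feed, start, end):
    """Distinct hosts seen in [start, end], with sightings summed per host."""
    hosts = {}
    for ip, day, ip_type, country, seen in feed:
        if start <= date.fromisoformat(day) <= end:
            rec = hosts.setdefault(ip, {"type": ip_type, "country": country, "seen": 0})
            rec["seen"] += seen
    return hosts


def active_zombies(feed, day):
    """Active zombies on one day, broken down by IP type and activity level.
    A host seen twice on that day still counts once."""
    d = date.fromisoformat(day)
    hosts = _hosts(feed, d, d)
    return {
        "total": len(hosts),
        "by_ip_type": Counter(h["type"] for h in hosts.values()),
        "by_activity": Counter(activity_level(h["seen"]) for h in hosts.values()),
    }


def country_distribution(feed, start, end):
    """Distinct infected hosts per country (the pie-chart input)."""
    hosts = _hosts(feed, date.fromisoformat(start), date.fromisoformat(end))
    return Counter(h["country"] for h in hosts.values())


def hot_spots(feed, ptr, start, end, n=10):
    """Top-n owning domains by distinct infected hosts in the timeframe."""
    hosts = _hosts(feed, date.fromisoformat(start), date.fromisoformat(end))
    per_domain = defaultdict(set)
    for ip in hosts:
        per_domain[registered_domain(ptr[ip]) if ip in ptr else "(no PTR)"].add(ip)
    ranked = sorted(((dom, len(ips)) for dom, ips in per_domain.items()),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


if __name__ == "__main__":
    print(active_zombies(FEED, "2007-06-01"))
    print(country_distribution(FEED, "2007-06-01", "2007-06-30"))
    print(hot_spots(FEED, PTR, "2007-06-01", "2007-06-30", n=3))
```

Two caveats worth keeping in mind when reading the real charts. First, the roll-up counts distinct IPs, and a dynamic IP can be handed to several different subscribers over a month, so a monthly hot-spot count is an upper bound on infected machines, not an exact one. Second, attributing an IP to an ISP via reverse DNS only works where the ISP publishes PTR records and uses a recognizable naming scheme; unresolved addresses end up in a catch-all bucket rather than being credited to anyone.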

There has been a lot of talk about ISPs' obligations and responsibilities regarding the malicious traffic coming out of their networks. Some say ISPs have to take a more proactive approach, and some think consumers and businesses need to be more responsible for their own machines. So I guess you can read the data depending on your point of view: is it a list of the top ten ISPs with the least secure subscribers, or a list of the ISPs with the least proactive approach? I will let you decide on that one.
