Botnet Hunting with ZMap - Continuing the Hunt!

Credit: Ricky “HeadlessZeke” Lawshae

Last month, I wrote about a new approach to Mapping and Quantifying Botnet Infections using internet-scale port scanners like ZMap. I have since performed a follow-up scan, and wanted to share what we learned by comparing the results of the two scans.

Two Steps Forward; One Step Back

For the most part, things appear to have gotten better. Four of the five ports that Zero Access listens on saw fairly significant drops in the number of infected hosts responding to my probes, with port 16471 shedding an impressive 1500 hosts. The only exception was port 16464, which inexplicably went up slightly since last month.

Port                  Infected Hosts in Scan 1   Infected Hosts in Scan 2   Difference
16461                 239                        176                        63
16464                 3503                       3732                       -229
16465                 1285                       1238                       47
16470                 2192                       1798                       394
16471                 4230                       2713                       1517
Total Unique Hosts    10500                      7873                       2627

(Difference is Scan 1 minus Scan 2, so a positive number is a decrease in infected hosts.)

The same was true when the list was broken down by ISP. While the top 10 stayed mostly the same, there were decreases almost across the board. Comcast killed more than 270 infected hosts, or about 27% of its total, and some companies like BSNL and Korea Telecom decreased by around half. But then companies like Cantv, a Venezuelan telecom, saw significant gains in infection rates (Cantv is now sixth on the list of most infected, compared to twelfth last month). This data shows that while there is an overall trend in the positive direction, it is far from universal.

And Speaking of Venezuela

Infection rates increased in almost every South American country. Chile went up by 21, Argentina by 61, and Venezuela went up by an impressive 80. While a couple of countries now appear to be infection-free, new ones like Paraguay and Peru are starting to show up. The picture in South America seems to be bleaker than in most places.
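The per-port table, the total-unique-hosts row, and the ISP and country breakdowns above all come down to the same bookkeeping over two scan result sets. The Python script below is an added example, not the author's tooling: it assumes each scan was saved as a CSV with saddr and sport columns (the responding host and the port it answered on), uses constructed sample records in place of real scan output, and substitutes a hypothetical prefix-to-owner table for the ISP/GeoIP lookup. It also reports one thing the per-port totals hide: which hosts dropped out and which are new between the two scans.

```python
"""Compare two botnet scan result sets port by port, by owner, and by host.

Added example, not the author's tooling. Assumes each scan was saved as
CSV with the columns saddr,sport: the responding host and the port it
answered on. All records and the owner lookup below are constructed.
"""
import csv
import io
from collections import defaultdict

# Listener ports named in the post.
PORTS = [16461, 16464, 16465, 16470, 16471]

# Constructed sample records standing in for two scans taken a month apart.
SCAN1 = """saddr,sport
192.0.2.10,16461
192.0.2.11,16464
192.0.2.12,16464
192.0.2.13,16471
192.0.2.14,16471
192.0.2.14,16470
198.51.100.5,16465
"""

SCAN2 = """saddr,sport
192.0.2.10,16461
192.0.2.11,16464
192.0.2.15,16464
192.0.2.16,16464
198.51.100.5,16465
198.51.100.7,16471
"""

# Hypothetical prefix-to-owner map; a real run would label each address
# with its ISP or country from an ASN/GeoIP database instead.
OWNER_OF_PREFIX = {
    "192.0.2.": "ExampleISP-A",
    "198.51.100.": "ExampleISP-B",
}


def load_responders(csv_text):
    """Return {port: set of responding addresses}, ignoring unexpected ports."""
    hosts_by_port = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        port = int(row["sport"])
        if port in PORTS:
            hosts_by_port[port].add(row["saddr"])
    return hosts_by_port


def unique_hosts(hosts_by_port):
    """Collapse the per-port sets into one; a host may answer on several ports."""
    return set().union(*hosts_by_port.values())


def compare_scans(scan_a, scan_b):
    """Per-port (port, count_a, count_b, a - b) rows plus the unique-host totals."""
    a, b = load_responders(scan_a), load_responders(scan_b)
    rows = [(p, len(a[p]), len(b[p]), len(a[p]) - len(b[p])) for p in PORTS]
    ua, ub = unique_hosts(a), unique_hosts(b)
    return {"ports": rows, "total": (len(ua), len(ub), len(ua) - len(ub))}


def host_churn(scan_a, scan_b):
    """(hosts only in scan a, hosts only in scan b): the turnover the totals hide."""
    ua = unique_hosts(load_responders(scan_a))
    ub = unique_hosts(load_responders(scan_b))
    return ua - ub, ub - ua


def owner_of(addr):
    """Map an address to its (hypothetical) owner by longest-prefix string match."""
    for prefix, name in OWNER_OF_PREFIX.items():
        if addr.startswith(prefix):
            return name
    return "unknown"


def breakdown_by_owner(scan_a, scan_b):
    """{owner: (count_a, count_b, a - b)} over unique hosts, as in the ISP/country lists."""
    counts = []
    for scan in (scan_a, scan_b):
        c = defaultdict(int)
        for host in unique_hosts(load_responders(scan)):
            c[owner_of(host)] += 1
        counts.append(c)
    ca, cb = counts
    return {o: (ca[o], cb[o], ca[o] - cb[o]) for o in sorted(set(ca) | set(cb))}


if __name__ == "__main__":
    result = compare_scans(SCAN1, SCAN2)
    print("Port   Scan 1  Scan 2  Difference")
    for port, n1, n2, diff in result["ports"]:
        print(f"{port:<6} {n1:>6}  {n2:>6}  {diff:>10}")
    print("Total unique hosts (scan 1, scan 2, difference):", result["total"])
    gone, new = host_churn(SCAN1, SCAN2)
    print("Dropped out:", sorted(gone), " New:", sorted(new))
    for owner, row in breakdown_by_owner(SCAN1, SCAN2).items():
        print(f"{owner}: {row}")
```

In the constructed data the unique-host total is identical in both scans, yet half the hosts have changed: three addresses disappeared and three new ones appeared. That is the check worth adding to a month-over-month comparison, since a flat or falling count can still mask fresh infections, and because residential addresses are reassigned by DHCP, an address seen in both scans is not guaranteed to be the same machine.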

[Figure: Side-by-Side Comparison of S. American Infected Hosts]

The Takeaway

Two months’ worth of data is hardly enough to paint a really clear picture of what exactly is going on, but we can start to infer some interesting patterns. Perhaps a popular IPS or firewall just added port 16471 to its Zero Access detection logic, leading to the large drop in infected hosts. The increases in Venezuela and Argentina may be related to malicious parties taking advantage of current events in those areas (it would be interesting to see if the infection rate continues to rise in Brazil as the World Cup approaches). This exercise was meant to demonstrate the potential for what an approach like this could do for the process of malware tracking and defense, and for the most part I think it has succeeded. As always, feel free to let me know your thoughts.

Comments
chandru4u | 03-14-2014 12:03 AM

Thanks for Sharing.. :-)

About the Author
Steve Povolny manages the Digital Vaccine team at HP TippingPoint. The team is composed of security researchers and filter/signature develo...