Category Archives: Security visualization

As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today’s state-of-the-art data visualization techniques, you can gain a far deeper understanding of what’s happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods.

Webs.com Botnet Activities

Webs.com is a Web hoster how permit his users to create a personal, group, or small business website for free. Webs.com is also providing a free subdomain for each created account (ex : http://yourname.webs.com).

Since the start of our HoneyNet in February 2009 we have directly observe that some malware’s where located on Webs.com how participate actively to a bonnet construction and propagation.

Webs.com server, how is hosting the malware’s, has the IP 216.52.115.50. Since February 2009 to end August 2010, Webs.com botnet is composed of few different malware hoisters, has generate 2 978 events and 70 attackers have call the botnet files located on the hoster servers.

US, Germany and Colombia are the countries how are the most participating to the botnet activity in term of events. US and China are the countries how are hosting part of the botnet since more than 100 days.

August 2010 was the more active month in term of events, March 2010 the month with the most distinct attackers. February and April 2010 the months with the most detected hosters.
Since Jun 2010 we can see that the activity of the botnet is increasing drastically.
Interesting point the Webs.com, FileAve.com, the Kortech.cn and the Interfree.it botnets are linked together between some few hosters. Just check the available Afterglow visualization of the interaction between the botnets.

e107 RCE EDB-ID 12715 under monitoring

Previously I wrote a blog post about the ByroeNet/Casper-Like bot scanners, and relate that the most important evolution of these scanners where the integration of e107 RCE (EDB-ID : 12715) and LFI vulnerabilities exploitations. I created a rule to monitor precisely the activity of theses e107 dedicated exploitations.

Here under you can find real time graphs for the e107 RCE vulnerability.

Monthly event activity for rule 1010043
Monthly event activity for rule 1010043
Montly TOP 10 Source IPs for rule 1010043
Montly TOP 10 Source IPs for rule 1010043

MaMa / Casper / plaNETWORK / sun4u Bot Search scanners under monitoring

Previously I wrote a blog post about the ByroeNet/Casper-Like bot scanners, and adapted some ET rules in order to detect these bots activities.

The 1010041 rule focus on all “MaMa” scanners (MaMa CaSpEr, MaMa CyBer, MaMa ebes, etc.), the 1010040 rule focus on all “Bot Search” scanners (b3b4s, Casper, dex, Jcomers, kmccrew, plaNETWORK, sasqia, sledink, etc.) and the ET 2011244 rule focus on all “sun4u” scanners (Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u), etc.).

Until first August the rules where under testing, so the previous values are incorrect.

Here under you can find real time graphs for the 3 different rules.

Monthly event activity for rule 1010040
Monthly event activity for rule 1010040
Monthly event activity for rule 1010041
Monthly event activity for rule 1010041
Monthly event activity for rule 2011244
Monthly event activity for rule 2011244
Montly TOP 10 Source IPs for rule 1010040
Montly TOP 10 Source IPs for rule 1010040
Montly TOP 10 Source IPs for rule 1010041
Montly TOP 10 Source IPs for rule 1010041
Montly TOP 10 Source IPs for rule 2011244
Montly TOP 10 Source IPs for rule 2011244

Interfree.it Botnet Activities

Interfree.it is an Internet Service provider how give to his users a free email and a free web site hosting space. Interfree.it is also providing a free sub domain for each created account (ex : http://yourname.interfree.it).

Since the start of our Honey Net in Feb. 2009 we have directly observe that some malware scripts where located on Interfree.it and participate actively to a bonnet construction and propagation.

Interfree.it server, how is hosting the major botnet script, has the IP 213.158.72.68. Since Feb. 2009 to end Jun 2010, Interfree.it botnet is composed of few different malware hosters, has generate 2 807 events and 169 attackers have call the botnet files located on the hosters servers.

Italy, US and Russia are the countries how are the most participating to the botnet activity in term of events. Italia and US are the countries how are hosting part of the botnet since more than 100 days. Interfree.it botnet could be considered as a small botnet.

May 2010 was the more active month in term of events, May 2010 the month with the most distinct attackers and March 2010 the month with the most detected hosters.

Since April 2010 we can see that the activity of the botnet is increasing.

Interesting point the FileAve.com, the Kortech.cn and the Interfree.it Botnet are linked together between some few hosters. Just check the available Afterglow visualization of the interaction between the two botnets.

I have generate some stats and graphs, with all the associated raw datas how are available here.