Distribution of Filesize

The following picture shows the distribution of filesize in kilobytes for about 14,000 unique malware samples I have collected during the last few months. Uniqueness is defined in this context as "unique md5sum".

[Figure: Distribution of filesize]


As you can see, there are several spikes, mainly around 190 KB, 45 KB, and 10 KB. The picture only shows the filesize between 0 and 250 KB. nepenthes also captured some rather large bots (> 1 MB) - I wonder how long it takes to infect a computer hanging on a modem line with such a large bot...
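One way to build such a histogram from a directory of collected samples, as an added example that is not code from the original post. The directory layout, the 5 KB bin width and the function names are assumptions; deduplication is by MD5 only, so it removes byte-identical copies and nothing more.

```python
import hashlib
from collections import Counter
from pathlib import Path


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large samples do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def size_histogram(sample_dir, bin_kb=5, max_kb=250):
    """Count MD5-unique files per size bin (keyed by lower edge in KB).

    Samples larger than max_kb are tallied separately, since the plot
    only covers 0..max_kb. Returns (bins, oversized, unique_count).
    """
    seen, bins, oversized = set(), Counter(), 0
    for path in sorted(Path(sample_dir).rglob("*")):
        if not path.is_file():
            continue
        digest = md5_of(path)
        if digest in seen:  # identical bytes already counted once
            continue
        seen.add(digest)
        kb = path.stat().st_size / 1024
        if kb > max_kb:
            oversized += 1
        else:
            bins[int(kb // bin_kb) * bin_kb] += 1
    return bins, oversized, len(seen)


def top_spikes(bins, n=3):
    """Lower edges (KB) of the n most populated bins."""
    return [edge for edge, _ in bins.most_common(n)]
```
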

If you are interested in samples, please contact me at thorsten [dot] holz [at] gmail.com


Comments


  1. jose says:

    Thorsten, did you unique them for actual code? I.e., do you have polymorphic variants in some cases which artificially raise the spike based on MD5? (Same code, just slightly different packing which leads to a different MD5.)

