Storm Worm Visualization

In the past few days, Storm has been rather calm: most mails sent by this botnet were related to stock spam. Furthermore, the websites that host the actual malware sample currently have no content: they serve the usual file (sony.exe), but the server returns no HTML page.

Back in October, I created an ipmap of the Storm network, a 2D visualization of IP address space similar to the map of the Internet:



Each white dot depicts a /24 network in which at least one IP address is infected with Storm Worm. The picture shows that the distribution of the malware is scattered, with some netblocks clearly dominating. These netblocks are usually dial-up networks from the US.
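
The following sketch shows how such a map can be built from a list of observed bot addresses: collapse the addresses to /24 networks and place each network on a 2D grid. It is an added example, not the tool used for the picture above; the Hilbert-curve layout, the function names and the sample addresses are assumptions, since the post does not say which layout its ipmap used.

```python
import ipaddress

ORDER = 12  # 2**12 x 2**12 grid = 2**24 cells, one cell per /24

def hilbert_d2xy(order, d):
    """Position d along a Hilbert curve -> (x, y) on a 2**order square grid."""
    x = y = 0
    s = 1
    while s < (1 << order):
        rx = 1 & (d // 2)
        ry = 1 & (d ^ rx)
        if ry == 0:              # rotate/flip the quadrant
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        d //= 4
        s *= 2
    return x, y

def slash24_cells(ips):
    """Aggregate IPv4 addresses into {(x, y): distinct infected hosts in that /24}."""
    hosts = {int(ipaddress.IPv4Address(ip.strip())) for ip in ips}  # de-duplicate
    cells = {}
    for addr in hosts:
        xy = hilbert_d2xy(ORDER, addr >> 8)   # top 24 bits identify the /24
        cells[xy] = cells.get(xy, 0) + 1
    return cells

def write_pgm(cells, path):
    """Render one white pixel per /24 that holds at least one infected host."""
    n = 1 << ORDER
    img = bytearray(n * n)
    for x, y in cells:
        img[y * n + x] = 255
    with open(path, "wb") as f:
        f.write(b"P5 %d %d 255\n" % (n, n))
        f.write(img)

# Constructed sample input (documentation ranges, not real Storm data).
SAMPLE = ["192.0.2.10", "192.0.2.77", "192.0.2.10", "192.0.3.1", "198.51.100.5"]

if __name__ == "__main__":
    cells = slash24_cells(SAMPLE)
    print(len(cells), "infected /24 networks")
    write_pgm(cells, "ipmap.pgm")
```

Because the curve keeps numerically adjacent /24s next to each other on the grid, a heavily infected provider allocation shows up as a dense patch rather than as scattered pixels.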


Comments


  1. Nick Black says:

    [ 19] Encrypted Storm Publicize (Advertises 51.92.155.134:3456)
    [ 35] 134.155.92.51:3456 -> 216.27.163.5:7777 a8eb:5754

    I think you've got an endianness bug in your publicize TX, Mr. Holz.

