Diurnal models in botnet propagation

Monday, February 6. 2006
As introduced in the previous entry about the paper "Modeling Botnet Propagation Using Time Zones" by Dagon et al., there are diurnal patterns in botnet propagation. I also examined this phenomenon back in August last year. My data set is by no means as comprehensive as theirs and my analysis is rather unsophisticated, but the results are similar.

One of my nepenthes sensors is running within a Class B network (/16 in CIDR notation) of a university. It is only reachable by hosts within this network and has no real connectivity to the Internet. It just serves as a kind of early-warning system to detect infected hosts within this network. Between July 6 and August 15, 2005, the sensor observed 580 suspicious connections, i.e., infection attempts by other machines. The following figure shows the distribution of infection attempts by time of day.

Infection attempts per hour


As you can see, there are periods with fewer and periods with more connection attempts. Since the sensor is only reachable from machines within the same network, only those machines can cause infection attempts. This is important since all infection attempts are caused by computers in the same time zone, thus we do not have to take time shifts into account. The distribution follows the sleep-wake rhythm of humans: during the night (especially between 3 and 5:30 am), the sensor receives almost no infection attempts. In the morning (7 until 9 am), people turn on their computers and the malware begins to spread. There is a spike during the working hours between 2 and 6 pm – presumably corresponding to people who use their infected computers. Between 6 and 9 pm, we again see a period with rather low activity, in which apparently only a few people are using their computers. And before going to bed (around 10 pm), seemingly many people turn on their computers and connect to the Internet. The malware benefits from this situation and tries to spread further...

I also plotted the distribution over time, i.e., the number of infection attempts received per minute for the whole period:

Distribution over time


There are days on which the sensor did not receive any suspicious traffic at all (e.g., July 17 and 18), but there are also periods in which a bot is clearly trying to spread aggressively, since the sensor receives many infection attempts in a short amount of time. The time between July 23 and July 31 is especially noticeable, since several pieces of malware propagated within the network during this period. This is hard to model, because the number of propagation attempts over time is difficult to predict - a new vulnerability can quickly lead to increased botnet propagation...
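As an added example (not code from the original post), the following Python builds the two views described above from a sensor's connection timestamps: the hour-of-day histogram with its quiet night hours, the days with no traffic at all, and bursts of many attempts inside a short window. The timestamps are constructed, and the window size, thresholds and function names are my assumptions.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample of suspicious-connection timestamps, written the way a
# sensor log might record them. Every source host sits in the monitored /16,
# so these are local times and no time-zone shift is needed. Not real data.
SAMPLE_EVENTS = [
    "2005-07-06 08:12:31", "2005-07-06 08:47:05", "2005-07-06 14:03:10",
    "2005-07-06 15:30:44", "2005-07-06 22:15:09", "2005-07-07 04:02:00",
    "2005-07-07 09:01:17", "2005-07-07 16:45:00", "2005-07-07 22:40:21",
    "2005-07-09 14:10:00",
] + [f"2005-07-24 13:{m:02d}:00" for m in range(30)]  # constructed burst

def parse(events):
    return sorted(datetime.strptime(e, "%Y-%m-%d %H:%M:%S") for e in events)

def hourly_histogram(times):
    """Attempts per hour of day (index 0..23): the view of the first figure."""
    counts = Counter(t.hour for t in times)
    return [counts.get(h, 0) for h in range(24)]

def quiet_hours(hist, threshold=0):
    """Hours at or below the threshold: the 'sleep' phase of the diurnal cycle."""
    return [h for h, c in enumerate(hist) if c <= threshold]

def silent_days(times, start, end):
    """ISO dates in [start, end] on which the sensor saw no attempt at all."""
    seen = {t.date() for t in times}
    day, last, out = date.fromisoformat(start), date.fromisoformat(end), []
    while day <= last:
        if day not in seen:
            out.append(day.isoformat())
        day += timedelta(days=1)
    return out

def bursts(times, window=timedelta(minutes=10), min_count=10):
    """(first, last, count) for runs of >= min_count attempts within one window:
    the 'many attempts in a short time' signature of aggressive spreading."""
    found, i, j = [], 0, 0
    while i < len(times):
        while j < len(times) and times[j] <= times[i] + window:
            j += 1
        if j - i >= min_count:
            found.append((times[i], times[j - 1], j - i))
            i = j  # report each burst once, not every sub-window inside it
        else:
            i += 1
    return found
```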

Modeling Botnet Propagation Using Time Zones

Monday, February 6. 2006
Another interesting paper from NDSS'06 is "Modeling Botnet Propagation Using Time Zones" by David Dagon, Cliff Zou, and Wenke Lee. They introduce a diurnal model of botnet propagation, i.e., a model which includes information about time zone and time of day to predict the propagation of a botnet. Real-world data verify this model and show that the time of day indeed influences botnet propagation. I also examined this phenomenon - more on that in the next blog entry...

Abstract
Time zones play an important and unexplored role in malware epidemics. To understand how time and location affect malware spread dynamics, we studied botnets, or large coordinated collections of victim machines (zombies) controlled by attackers. Over a six month period we observed dozens of botnets representing millions of victims. We noted diurnal properties in botnet activity, which we suspect occurs because victims turn their computers off at night. Through binary analysis, we also confirmed that some botnets demonstrated a bias in infecting regional populations.

Clearly, computers that are offline are not infectious, and any regional bias in infections will affect the overall growth of the botnet. We therefore created a diurnal propagation model. The model uses diurnal shaping functions to capture regional variations in online vulnerable populations.

The diurnal model also lets one compare propagation rates for different botnets, and prioritize response. Because of variations in release times and diurnal shaping functions particular to an infection, botnets released later in time may actually surpass other botnets that have an advanced start. Since response times for malware outbreaks are now measured in hours, being able to predict short-term propagation dynamics lets us allocate resources more intelligently. We used empirical data from botnets to evaluate the analytical model.


Malicious Malware: Attacking the Attackers, Part 2

Monday, February 6. 2006
The second part of the article on "Malicious Malware: Attacking the Attackers" is now available at SecurityFocus.