sudosecure.net

I had completely rewritten my Fast Flux tracking scripts a few weeks ago, and have finally found the time to write a new web interface for the statistics and data I am gathering with these new scripts.  There are some interesting statistics  in all this data being generated that contradicts some of my initial thoughts on the Waledac Trojan, such as which country I was seeing the most infections for.  I originally had thought the United States was leading the way, but today’s data snapshot shows China out in front, followed by the Republic of Korea, and then the United States.  Here is a nice little GChart showing the top 10 Countries by IP count generated by my new Waledac Tracking Web Interface to demonstrate this.

Obviously this data could change as more hosts are indexed, but I found it interesting none the less.

It appears that the non NATed Waledac Trojan infected nodes serve three main functions: Web Proxy, DNS, and Spam Template relays.  Since these non NATed nodes can serve as both a DNS server and a domain destination I thought it would be interesting to separate out the Name Server IP addresses from the normal domain IP addresses.  Basically what I did when I revamped the back end tracking scripts was separate the NS records from the A records, which provided a very different statistical distribution than I would have initially guessed.  I originally would have guessed that the Name Server IP addresses would have been a lot less statistically distributed than the Domain IP addresses in this Double Fast Flux network.

As you can see my guess was wrong and the distribution of Name Servers IPs is right in-line with the distribution of Domain IPs with China leading the way, The Republic of Korea following in second place, and then finally the United States in third place.  All of these Countries seem to show about the same number of NS records as they do A records.  It would appear based on these numbers that the Waledac Trojan authors distribute both NS record and A record changes/rotations evenly throughout their botnet distribution.

Now for a little more information about the web interface I wrote to summarize and share this data with the public.  The major design objective I strived to achieve was to allow anyone to view the overall statistics in summarized table formats, with the ability to drill down and/or search out targeted interesting views as they saw fit.  Almost every table being displayed in this web interface has the ability to be searched with a text input field and the drop down box at the top of every page.  There are no wild cards per say, but all search strings are matched in a loose manner.  Let me explain this with an example.  Lets say you own the following Class C IP space “221.226.85.0/24″ and wanted to see if my data set contained any of your nodes.  You can enter “221.226.85″ into the search field like this:

Click the “Submit Query” button and your results should look something like this:

This type of “loose” matching is not just for IP address ranges, and can be performed on any of the drop down fields for you convenience.  Another feature I tried to accommodate was the ability to drill down on data via clicking individual fields.  Any field that is underlined and in bold face type can be clicked on to drill down on that particular piece of data providing a more targeted view.  This can be handy for drilling down on Counties, Regions, Cities, and/or ASNs.

The last portion of the web interface I want to go over is the Menu at the top of every page, which looks like this:

Here is a little overview of what each section can provide you.

• Tracker Summary – This is the index page or summary view of the data in the database.  You will find GCharts, Most Seen Statistics, and Last Seen Statistics on this page.  Many of the fields allow for you to click through to drill down into the highlighted statistic quickly and easily.
• Binaries – Waledac Trojan Binary Data Statistics and Summaries
  • Harvested – Summary data of all the binaries retrieved default sorted by last seen date.
  • Activity – Summary data of binaries retrieved grouped by IP and sorted by number of binaries retrieved from a particular IP address.
  • Names – Summary data based on the binaries name and sorted by the last date seen.
  • Longevity – This data represents the current life span of an IP. This number is based on the number of days seen between an IP’s first seen date and it’s last seen date.
• Fast Flux IPs -Waledac Trojan A record Nodes Data Statistics and Summaries
  • Harvested – Summary data of all the IPs and their associated information specifics sorted by the last seen date.
  • Activity – Summary data of all the IPs and their associated information specifics sorted by the number of times seen.
  • Domains – Summary data of all the Domains and their associated statistical summary information sorted by last seen date.
  • Countries – Summary data of all the Countries and their associated statistical summary information sorted by number of times seen.
  • ASNs – Summary data of all the ASNs and their associated statistical summary information sorted by number of times seen.
  • Longevity – This data represents the current life span of an IP.  This number is based on the number of days seen between an IP’s first seen date and it’s last seen date.
• Name Server IPs – Waledac Trojan Name Server Nodes Data Statistics and Summaries
  • Harvested -Summary data of all the IPs and their associated information specifics sorted by the last seen date.
  • Activity – Summary data of all the IPs and their associated information specifics sorted by the number of times seen.
  • Domains – Summary data of all the Domains and their associated statistical summary information sorted by the last seen date.
  • Countries – Summary data of all the Countries and their associated statistical summary information sorted by number of times seen.
  • ASNs – Summary data of all the ASNs and their associated statistical summary information sorted by number of times seen.
  • Longevity – This data represents the current life span of an IP.  This number is based on the number of days seen between an IP’s first seen date and it’s last seen date.
  • Name Servers – Summary data of all the Name Servers and their associated statistical summary information sorted by the number of times seen.

That is a basic overview of what is available via the new Waledac Trojan Tracking Web Interface, and I am always open to suggestions if your not seeing a statistic that would be of some use to you.  I do have a few more modifications or updates that I would like to implement the next chance I get, but I figured that the interface was complete enough to go ahead and make it publicly available.  As always if you have any questions or comments feel free to leave them here or hit me up via email.

Disclaimer:

This data is collected by dumb scripts and may or may not be 100% accurate.  If you have any issues with the data feel free to contact me, and I may choose to fix the issue or may choose not to fix the issue, as it depends on whether or not I feel your request is valid and/or pertinent.  When using this data please understand that some IP ranges utilize things like DHCP, and could cause issues with the accuracy of the data contained with in this data set.  Just because an IP is listed here, does not with a 100% sure accuracy deem that it is infected with the Waledac Trojan.  I have attempted to make this data as accurate as possible, but like all things in life I am not perfect and don’t claim to be.   This data also does not represent the true size or complete Waledac botnet, as I can not reach out to NATed Spamming nodes.  This data is offered “as is” with no guarantees or warranties, expressed or implied, as to the accuracy, reliability or completeness of the furnished data.  I reserve all rights to the availability of this data and will block anyone that is attempting to automate the retrieval of this data.  If you would like an automated solution for retrieving this data contact me and we may be able to come up with a way to meet your needs.