sudosecure.net


Visualizing Waledac

Posted by jeremy on February 1st, 2009

Now that I have collected quite a bit of data for the Waledac botnet, I thought it would be interesting to see if I could visualize this data in a meaningful way. Visualizing data has really taken off in the last few years, especially when looking at network flows, and it can reveal some interesting characteristics that may not be all that apparent when data is presented in tabular format or with charts. All of the graphs or visualizations I am posting today were generated using a combination of the Afterglow.pl script and the Graphviz command line tools. Another note: the generated graphs were extremely large in file size, so I took JPG snapshots of them and placed those in this post to aid page loading speed. The more detailed graphs are linked via the images to PDF files that can be downloaded and zoomed in for a more detailed view.

The first relationship I took a look at was IP addresses -> Name Servers -> Domain Names. The density of red nodes for each clover visually depicts the number of IP addresses associated with a specific Waledac domain name. The density of red nodes for each leaf in the clovers depicts the number of IP addresses associated with a specific Name Server within that Waledac domain. As you can see, some Waledac domain names are more popular than others. Another interesting characteristic demonstrated by this graph is that some Name Servers are a little more popular than others for a few of the domain names being utilized by Waledac, but overall the IP addresses within each domain appear to be fairly evenly distributed between Name Servers. The last characteristic I would like to point out is that the blue rectangles depict the Name Servers within each domain name, and if you count them there are exactly 6 Name Servers for every Waledac domain name.

[Image: ip_ns_domain]

The next view I looked at was the reverse of the previous view: Domain Name -> Name Server -> IP. This should result in about the same overall graph, but it reverses the colors and clearly demonstrates that there are in fact 6 Name Servers for every Domain Name. The blue rectangles are the Waledac Name Servers, and by reversing the colors the IPs are now in a neutral color, making the Name Servers easier to count.

[Image: domain_ns_ip]

The next data set relationship I looked at was IP -> ASN -> Country. A higher density of red nodes in a clover represents a larger number of IPs seen in a particular country. If you focus on the individual clovers, the density of red nodes in relation to the density of blue rectangles depicts the number of IPs seen per ASN. If nothing else, this graph offers another viewpoint into the Waledac botnet's IP distribution per ASN and country.

[Image: ip_asn_country_snapshot]

Now let's take a look inside some of the more popular Waledac domain names according to my Waledac Tracker data set, in the relationship Domain Name -> Name Server -> IP Addresses. The next three graphs are ordered by domain name: yourregards.com, yourchristmaslights.com, and newlifeyearsite.com. When I pulled these data sets they were the top 3 domain names based on IP address counts. The interesting visual correlation that can be seen within these graphs is the number of IP addresses in relation to each Name Server for that domain. The larger the red circle, the more IP addresses are associated with a name server, which makes it easy to see that, although the clover-leaf clusters above made it appear that the IPs were evenly distributed, there are in fact some differences.

yourregards.com

[Image: ip_ns_yourregards_snapshot]

yourchristmaslights.com

[Image: ip_ns_yourchristmaslights]

newlifeyearsite.com

[Image: ip_ns_newlifeyearsite_snapshot]
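To show how the relationships behind the first graph (IP -> Name Server -> Domain) and the per-domain graphs above can be built from tracker data, here is an added example in Python; it is not the post's own Afterglow/Graphviz pipeline. It assumes a constructed CSV of tracker records with domain, nameserver and ip columns, emits the three-column source,event,target lines that afterglow.pl reads, counts name servers per domain and IPs per name server, and writes a Graphviz DOT graph in which the name-server box is scaled by its IP count (an approximation of the post's sized red circles).

```python
import csv
import io
from collections import defaultdict
# Constructed sample tracker records, not real Waledac tracker output.
TRACKER_CSV = """domain,nameserver,ip
yourregards.com,ns1.yourregards.com,192.0.2.10
yourregards.com,ns1.yourregards.com,192.0.2.11
yourregards.com,ns2.yourregards.com,192.0.2.12
yourregards.com,ns2.yourregards.com,192.0.2.13
yourregards.com,ns2.yourregards.com,192.0.2.14
newlifeyearsite.com,ns1.newlifeyearsite.com,198.51.100.5
newlifeyearsite.com,ns2.newlifeyearsite.com,198.51.100.6
"""

def load_records(text):
    return list(csv.DictReader(io.StringIO(text)))

def afterglow_rows(records):
    """IP -> Name Server -> Domain as source,event,target lines (afterglow.pl's three-column input)."""
    edges = sorted({(r["ip"], r["nameserver"], r["domain"]) for r in records})
    return "\n".join(",".join(e) for e in edges) + "\n"

def ns_per_domain(records):
    """Distinct name servers per domain (the post counted exactly 6 for each)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["domain"]].add(r["nameserver"])
    return {d: len(s) for d, s in seen.items()}

def ips_per_ns(records, domain):
    """Distinct IPs behind each name server of one domain."""
    seen = defaultdict(set)
    for r in records:
        if r["domain"] == domain:
            seen[r["nameserver"]].add(r["ip"])
    return {n: len(s) for n, s in seen.items()}

def to_dot(records, domain):
    """Graphviz DOT for Domain -> Name Server -> IP; blue name-server boxes grow with IP count."""
    per_ns = ips_per_ns(records, domain)
    lines = ["digraph waledac {", f'  "{domain}" [shape=box];']
    for ns, n in sorted(per_ns.items()):
        lines.append(f'  "{ns}" [shape=box, color=blue, width={0.5 + 0.2 * n:.1f}];')
        lines.append(f'  "{domain}" -> "{ns}";')
    for r in records:
        if r["domain"] == domain:
            lines.append(f'  "{r["ip"]}" [shape=circle, color=red]; "{r["nameserver"]}" -> "{r["ip"]}";')
    lines.append("}")
    return "\n".join(lines) + "\n"
```

Pipe the output of `afterglow_rows` into afterglow.pl, or the output of `to_dot` into `dot -Tpdf`, to reproduce the two kinds of graph shown in the post.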

This last graph I generated really does not mean a whole lot per se, but I thought it looked pretty interesting, so I went ahead and posted it for your viewing pleasure. Its relationship is based on my binary tracking scripts, which retrieve Waledac binaries every 30 minutes: Binary Name -> IP. Again, not really meaningful, but it sure looks cool.

[Image: name_ip_binaries_snapshot]

Well, I hope you enjoyed the graphs, and as always, if you have any questions or comments, feel free to either leave them here as a comment or email me anytime.

One Response to “Visualizing Waledac”

  1. Edgar Says:

    On my reports, but also on the Waledac tracker, I see that China has a low number of new IPs of infected machines.
    Also Korea, not many new IPs.
    U.S. and Canada are increasing.
    Edgar
