
Malicious Activity Movies


Machbot heatmap image

To help visualize the movement of malicious activity throughout the Internet, we have created several movies. They are similar to the heatmap-style image above - white areas indicate the "hottest", or largest concentration of the item being mapped, while blue areas are "coldest", or lowest non-zero concentrations. The maps show the movement of various types of malicious activity over time.

Please note that these movies each represent a single window in time, as described below, and are not being automatically updated. Additionally, locations are based on a best effort using several sources of information to geolocate individual IP addresses - IP geolocation is never perfect, but we believe the general geographies to be accurate in these maps.

These movies are all in QuickTime format and can be downloaded using the links below. Enjoy!

11 days of the Machbot Botnet

This movie reflects 11 days of victim IPs connecting to a Machbot Command and Control server in February 2008. The victims connect to the control server to update their status and receive commands. This particular Machbot has an exceptionally high infection rate in Eastern Europe. We are currently working together with Law Enforcement on this particular case.

Download 11 days of the Machbot Botnet (128kB)

HTTP Command and Control server locations

This movie reflects the locations of HTTP-based botnet Command and Control servers we have seen between December 2007 and April 2008. HTTP-based C&Cs provide instructions to bots via HTTP GET and POST requests, which can hide among the large amount of HTTP traffic on the Internet more easily than IRC C&C communications.

Download HTTP Command and Control server locations (1.2MB)

IRC Command and Control server locations

This movie represents the locations of IRC Command and Control servers we have seen between May 2005 and April 2008. IRC is an "oldie but goodie" when it comes to controlling botnets - IRC has been used for C&C servers for a long time, and that's not likely to change any time soon.

Download IRC Command and Control server locations (6.3MB)

For a frequently updated view of the locations of IRC C&C servers we are actively monitoring, take a look at our IRC C&C Map.

HTTP Command and Control attack targets

This movie represents the locations of the targets of DDoS attack commands issued by HTTP botnet Command and Control servers we have seen between the 29th of February 2008 and the 5th of May 2008. HTTP C&Cs may be newer than IRC, but they can still pack a significant punch!

Download HTTP Command and Control attack targets (390kB)

SQL Injection activity

This movie represents the activity of a SQL injection host. The host involved was responsible for the infection of thousands of websites in a matter of days. In the first part of the movie, the activity to and from the host is visible; in this particular case the activity prior to the attack is mainly from Japan, China and Taiwan. On the 12th of April 2008 the host started to infect websites around the world with malicious code. The period between the 12th of April and the 23rd of April is shown as a cumulative view of the infected websites.

Download SQL Injection activity (1.9MB)
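The colour convention described in the introduction (white for the hottest cell, blue for the coldest non-zero cell, zero cells not drawn) and the cumulative view used for the infected-website movie can both be reproduced from a list of already geolocated events. The block below is an added example, not Team Cymru's code or the code that produced the movies. It assumes the IP-to-coordinate lookup has already been done, a 10-degree grid cell, a linear colour ramp, and one colour scale shared by every frame of a movie; the sample coordinates are constructed and are not real victim data.

```python
"""Added example: turn geolocated events into heatmap frames that follow the
page's colour convention (white = hottest cell, blue = coldest non-zero cell,
zero cells not drawn), one frame per day, optionally cumulative.

Not Team Cymru's code.  The IP-to-coordinate step is assumed to have happened
already; grid size, the linear colour ramp and per-movie normalisation are
assumptions of this example."""
from collections import Counter
from datetime import date, timedelta

CELL_DEG = 10  # grid cell size in degrees (assumption)

# Constructed sample input: (ISO day, latitude, longitude) per observed
# connection, already geolocated.  Not real victim data.
SAMPLE_EVENTS = [
    ("2008-04-12", 35.7, 139.7),   # Tokyo
    ("2008-04-12", 35.7, 139.7),
    ("2008-04-12", 25.0, 121.5),   # Taipei
    ("2008-04-13", 39.9, 116.4),   # Beijing
    ("2008-04-13", 35.7, 139.7),
    ("2008-04-14", 50.4, 30.5),    # Kyiv
    ("2008-04-14", 50.4, 30.5),
    ("2008-04-14", 50.4, 30.5),
]


def cell_for(lat, lon):
    """Map a coordinate to an integer (row, col) grid cell."""
    return (int((lat + 90) // CELL_DEG), int((lon + 180) // CELL_DEG))


def day_range(start, end):
    """Yield ISO day strings from start to end inclusive."""
    d, last = date.fromisoformat(start), date.fromisoformat(end)
    while d <= last:
        yield d.isoformat()
        d += timedelta(days=1)


def bin_events(events, start, end, cumulative=False):
    """Return {day: Counter(cell -> count)} for every day in [start, end].

    With cumulative=True each frame also contains everything seen on earlier
    days (the cumulative view of the infected-website movie); days with no
    events still get an empty frame so the movie has no gaps."""
    per_day = {}
    for day, lat, lon in events:
        per_day.setdefault(day, Counter())[cell_for(lat, lon)] += 1
    frames, running = {}, Counter()
    for day in day_range(start, end):
        today = per_day.get(day, Counter())
        if cumulative:
            running.update(today)
            frames[day] = Counter(running)   # copy: later days must not mutate it
        else:
            frames[day] = today
    return frames


def colour(count, lo, hi):
    """Linear ramp from blue (count == lo) to white (count == hi).

    Zero cells return None (not drawn).  If every non-zero cell has the same
    count there is no range to spread over, so they all render white."""
    if count == 0:
        return None
    t = 1.0 if hi == lo else (count - lo) / (hi - lo)
    v = round(255 * t)
    return (v, v, 255)


def render_movie(frames):
    """Colour every frame against one scale shared by the whole movie, so a
    cell that brightens between days really did receive more activity."""
    nonzero = [n for f in frames.values() for n in f.values() if n > 0]
    if not nonzero:
        return {day: {} for day in frames}
    lo, hi = min(nonzero), max(nonzero)
    return {day: {cell: colour(n, lo, hi) for cell, n in f.items()}
            for day, f in frames.items()}


if __name__ == "__main__":
    movie = render_movie(bin_events(SAMPLE_EVENTS, "2008-04-12", "2008-04-15",
                                    cumulative=True))
    for day, cells in movie.items():
        print(day, cells)
```

Normalising against the whole movie rather than each frame is a deliberate choice: with per-frame scaling a day that has a single active cell would always render it white, which hides whether that day was quiet or busy compared with its neighbours.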

