Malicious Activity

Internet Malicious Activity Maps

We have built a number of different maps of malicious activity seen on the Internet from our various data donors and sources. These maps are updated daily, showing summaries of malicious activity seen over various recent periods of time. Intensity on the maps is shown in "heatmap" style, with the color gradient looking roughly as follows:

[Color gradient image, running from less malicious activity to more malicious activity]


World Map

The first map shows one day's worth of malicious activity, plotted on a world map. Note that IP geolocation techniques are not perfect, so these locations are only approximations. Additionally, the real individuals behind the malicious activity represented could be far away from any of the displayed locations, controlling these compromised systems remotely.

This map is also available in movie form - you can download it in one of the following formats:

The movie versions are updated every day along with the image below.

Recent malicious activity, world map

Thanks to NASA for the world map base image.


Hilbert Map

The next map below represents a summary of malicious activity seen on the Internet over the past 30 days combined. The IP space is mapped into this image using a Hilbert Curve. The numbers in the upper left-hand corner of each block of the map indicate the first octet of the IP addresses represented in that section, so, for example, the block labeled "24" represents all of the IP addresses in the 24.0.0.0/8 netblock.

Blocks with orange numbers and cross-hatching are full /8 networks that are bogons, unallocated space which should never be seen on the Internet. Non-bogon blocks are displayed with red numbers.

The map below is a half-size version to avoid breaking the layout of the web page and making it impossible to read - click on the image to open the full-sized version of the map in a new browser window/tab.

Each individual pixel of the full map represents 4096 IP addresses. The coloration of the map is scaled in "heatmap" style - if no IP addresses from the block represented by a given pixel were found in our dataset of malicious activity, it will remain black. If any addresses were found, the pixel will be shaded based on the number, starting with blue, transitioning through purple, green, yellow, orange, red, and, finally, to white for the largest concentrations of malicious activity.
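The mapping described above, as an added example that is not Team Cymru's own code: at 4096 addresses per pixel the full IPv4 space is a 1024 x 1024 image, and each /8 fills one 64 x 64 block of a 16 x 16 grid. The curve orientation, the function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

ADDRS_PER_PIXEL = 4096   # from the page: one pixel covers 4096 addresses
SIDE = 1024              # 2**32 / 4096 = 2**20 pixels = 1024 x 1024

def d2xy(side, d):
    """Convert distance d along a Hilbert curve to (x, y) on a side x side grid."""
    x = y = 0
    s = 1
    while s < side:
        rx = 1 & (d // 2)
        ry = 1 & (d ^ rx)
        if ry == 0:      # rotate/flip the sub-square built so far
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        d //= 4
        s *= 2
    return x, y

def ip_to_pixel(ip):
    """Pixel of the full-size map that covers this IPv4 address."""
    return d2xy(SIDE, int(ipaddress.IPv4Address(ip)) // ADDRS_PER_PIXEL)

def slash8_block(first_octet):
    """(column, row) of a /8 in the 16 x 16 grid of numbered blocks."""
    return d2xy(16, first_octet)

def heat_counts(ips):
    """Distinct observed addresses per pixel; pixels not present stay black."""
    return Counter(ip_to_pixel(ip) for ip in set(ips))

# Constructed sample input (documentation ranges), not real observations.
SAMPLE = ["192.0.2.1", "192.0.2.200", "198.51.100.7", "203.0.113.9", "192.0.2.1"]

if __name__ == "__main__":
    for pixel, n in sorted(heat_counts(SAMPLE).items()):
        print(pixel, n)
    print("24.0.0.0/8 block:", slash8_block(24))
```

Because consecutive positions on the curve are always neighbouring pixels, numerically adjacent netblocks stay visually adjacent, which is why concentrations of activity inside a single allocation show up as contiguous patches.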

Internet Malicious Activity Map - Click for full version

Credit for the idea of this mapping concept goes to xkcd, and their Map of the Internet. The Measurement Factory has also created similar visualizations of differing data sets using this technique.

Thanks and credit for the data that backs all of these maps goes out to a wide range of donors and supporters of Team Cymru, and the Internet community for their support of our efforts to keep their networks more safe and secure.


Malicious Activity Movies


Machbot heatmap image

To help visualize the movement of malicious activity throughout the Internet, we have created several movies. They are similar to the heatmap-style image above - white areas indicate the "hottest", or largest concentration of the item being mapped, while blue areas are "coldest", or lowest non-zero concentrations. The maps show the movement of various types of malicious activity over time.

Please note that these movies each represent a single window in time, as described below, and are not being automatically updated. Additionally, locations are based on a best effort using several sources of information to geolocate individual IP addresses - IP geolocation is never perfect, but we believe the general geographies to be accurate in these maps.

These movies are all in Quicktime format, and can be downloaded using the links below. Enjoy!

11 days of the Machbot Botnet

This movie reflects 11 days of victim IPs connecting to a Machbot Command and Control server in February 2008. The victims connect to the control server to update their status and receive commands. This particular Machbot has an exceptionally high infection rate in Eastern Europe. We are currently working together with Law Enforcement on this particular case.

Download 11 days of the Machbot Botnet (128kB)

HTTP Command and Control server locations

This movie reflects the locations of HTTP-based botnet Command and Control servers we have seen between December 2007 and April 2008. HTTP-based C&Cs provide instructions to bots via HTTP GET and POST requests, which can hide among the large amount of HTTP traffic on the Internet more easily than IRC C&C communications.

Download HTTP Command and Control server locations (1.2MB)

IRC Command and Control server locations

This movie represents the locations of IRC Command and Control servers we have seen between May 2005 and April 2008. IRC is an "oldie but goodie" when it comes to controlling botnets - IRC has been used for C&C servers for a long time, and that's not likely to change any time soon.

Download IRC Command and Control server locations (6.3MB)

For a frequently updated view of the locations of IRC C&C servers we are actively monitoring, take a look at our IRC C&C Map.

HTTP Command and Control attack targets

This movie represents the locations of the targets of HTTP botnet command and control DDoS attack commands we have seen between the 29th of February 2008 and the 5th of May 2008. HTTP C&Cs may be newer than IRC, but they can still pack a significant punch!

Download HTTP Command and Control attack targets (390kB)

SQL Injection activity

This movie represents the activity of a SQL injection host. The host involved was responsible for the infection of thousands of websites in just a number of days. In the first part of the movie, the activity to and from the host is visible. In this particular case, the activity is mainly from Japan, China and Taiwan prior to the attack. On the 12th of April 2008, the host started to infect websites around the world with malicious code. The time period between the 12th of April and the 23rd of April shows a cumulative view of the infected websites.

Download SQL Injection activity (1.9MB)