Wednesday, February 13, 2008

Statistics from a Malware Embedded Attack

It's all a matter of perspective. For instance, it's one thing to do unethical pen-testing on the RBN's infrastructure, and entirely another to ethically peek at the statistics for a sample malware embedded attack on of the hosts of a group that's sharing infrastructure with the RBN, namely UkrTeleGroup Ltd as well as Atrivo. For yet another time they didn't bother taking care of their directory permissions. Knowing the number of unique visits that were redirected to the malware embedded host, the browsers and OSs they were using in a combination with confirming the malware kit used could result in a rather accurate number of infected hosts per a campaign - an OSINT technique that given enough such stats are obtained an properly analyzed we'd easily come to a quantitative conclusion on a malware infected hosts per campaign/malware group in question.

In this particular case, 99% of the traffic for the last three days came from a single location that's using multiple IFRAMEs to make it hard to trace back the actual number of sites embedded since there's no obfuscation at the first level - vertuslkj.com/check/versionl.php?t=585 - (58.65.239.114) is also loading vertuslkj.com/n14041.htm and vertuslkj.com/n14042.htm. As for the countries where all the traffic was coming from, take a peek at the second screenshot. The big picture has to do with another operational intelligence approach, namely establishing the connections between the malicious hosts that participated in the compaign, in this case it's between groups known to have been exchanging infrastructure for a while.

No comments:

Post a Comment