<<<
NEWS FROM THE LAB - Friday, July 4, 2008
>>>
 

 
Google Earth Downloads Posted by Sean @ 14:08 GMT

Happy Independence Day USA.

Fireworks Spam

Our use of Google Earth was a weblog topic several weeks ago. We've been working on additional features since then.

There were a few questions asked in the comments section.

Question —
I like maps like these (I like maps in general). But � and I'm asking this out of curiosity, not because I'm criticising your work – does it add something to anti-malware research?

Answer —
The map's data source comes from our statistics server, which is very useful in our forecasting efforts. Analyzing the numbers helps drive the direction of our research.

The application of the data to Google Earth adds to our presentation and education efforts. Actually seeing a real-time view of malware in the world really helps lab visitors understand the threat scope. The live world map also shows real-time spikes in malware traffic and assists our shift managers.

Question —
Are we able to subscribe to these feeds?

Answer —
Unfortunately the public is unable to subscribe to the feeds. The data contains IP addresses and because those IP address are the source of spam, malware, et cetera — that means there are infected computers on the other end. Infected computers are vulnerable to further exploitation.

One of the ways to build a botnet is to hijack someone else's.

We also consider IP addresses to be personal data.

Phishing in Fairbanks
Click the image for a 1400x1050 view.

So because you can't subscribe to the feeds, we've created an offline KML file that you can download and import into your own installation of Google Earth. We've sanitized the IP addresses to 0.0.0.0.

Here's the data from today, 20080704.KML.

Legend:

Google Earth Legend

GeoIP conversion can be very helpful. The Warezov botnet uses fast-fluxing techniques with domain names registered in China. Sending abuse messages regarding the domains is fairly pointless. New domains quickly replace any that are actually taken down.

Locating the infected servers is more useful. The last time we analyzed our Warezov pharmacy site hosts lists, we found 397 unique domains online. Those 397 domains resolved to 76 unique IP address, 40 of which are located in the United States according to GeoIP. That list of 76 addresses is a much better target of abuse.

Warezov pharmacy website hosts KML file. Seattle is infested…

Warezov bots in Seattle

Just out of curiosity, we can also do other things with GeoIP conversions such as determine where our readership resides, e.g. we converted the IP addresses of those that answered our recent browser poll.

KML files can be viewed via Google Earth or they can be imported into Google Maps.

Google Maps - Weblog Poll Respondents