So I spend a lot of my time figuring out ways to better detect some of the newer bot/malware variants in enterprise environments. Part of what I do, when I have time, is to pull down some malware and analyze it. By analyzing it and looking at network traffic, peers, etc., it is possible to build up signatures to detect the latest variant. Nothing groundbreaking, and horribly reactive. This seems to be the only way to really detect it on the network. Automation is getting harder and harder and requires more and more human interaction as the malware evolves.
Anyway, I was modifying a script to pull down the latest variant from a known domain that hosts the malware. It seems that I downloaded one too many in a too short a period of time. Storm DOS'ed me. :) It's still going on from a few IP Addresses, nothing too impressive, probably more of a warning than anything.
So, looking at some data from December 25th (I performed 14500+ lookups on merrychristmasdude.com. Careful, this is still a live domain), I mapped each IP to its geographic region.
The previous day there were only about 1000 unique IP Addresses being used to host this domain. The geographic spread is interesting. The USA has the dubious honor of having the most infected hosts. These numbers can be skewed by many outside factors including the time I performed the lookups in relation to the time that the latest spam email containing links to the malware was released. (Some people were still sleeping :))
Here are the top 25 countries from that dataset:
Hong Kong 79
United Kingdom 137
Russian Federation 198
Korea, Republic of 814
Unknown 3208 [These 'unknown' IP Addresses were not in the GeoIP database I used]
United States 6427
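The tally above comes from repeated lookups of a fast-flux domain, deduplicating the returned IPs and mapping each to a country. The following is an added example of that analysis, not the author's script: the DNS answer sets and the prefix-to-country table are constructed stand-ins (a real run would feed it answers from dnspython or a resolver log and a real GeoIP database), and IPs missing from the table fall into the same "Unknown" bucket the post describes. It also computes an IP churn ratio, which is the simplest way to tell a fast-flux name from a host that legitimately sits behind a few stable addresses.

```python
"""Tally the unique IPs behind a fast-flux hostname by country.

Sample lookups and the GeoIP prefix table below are constructed for
illustration only; they are not data from the original post.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: A-record answer sets from five successive lookups of one name.
# Fast-flux names hand out a different slice of the botnet on nearly every query.
SAMPLE_LOOKUPS = [
    ("fastflux.example", ["203.0.113.5", "198.51.100.7", "192.0.2.9"]),
    ("fastflux.example", ["203.0.113.5", "198.51.100.12", "192.0.2.31"]),
    ("fastflux.example", ["203.0.113.44", "198.51.100.7", "192.0.2.9"]),
    ("fastflux.example", ["203.0.113.90", "198.51.100.200", "192.0.2.130"]),
    ("fastflux.example", ["203.0.113.44", "192.0.2.200", "192.0.2.9"]),
]

# Constructed control: a normal host that returns the same address every time.
STABLE_LOOKUPS = [("static.example", ["203.0.113.5"])] * 5

# Constructed toy GeoIP table (a real database maps far more, and finer, prefixes).
# Addresses that match no prefix are reported as "Unknown", as in the post.
GEOIP_TABLE = [
    (ip_network("203.0.113.0/24"), "United States"),
    (ip_network("198.51.100.0/24"), "Korea, Republic of"),
    (ip_network("192.0.2.0/25"), "Russian Federation"),
]


def geolocate(ip: str) -> str:
    """Return the country for an IP, or "Unknown" if no prefix covers it."""
    addr = ip_address(ip)
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return "Unknown"


def unique_ips(lookups) -> set:
    """Collapse all answer sets into the distinct IPs seen across every lookup."""
    seen = set()
    for _hostname, answers in lookups:
        seen.update(answers)
    return seen


def country_tally(lookups, top_n: int = 25):
    """Count distinct IPs per country; sorted by count, then name, for stable output."""
    counts = Counter(geolocate(ip) for ip in unique_ips(lookups))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


def churn(lookups) -> float:
    """Distinct IPs divided by total answers: near 1.0 for fast-flux, small for stable hosts."""
    total_answers = sum(len(answers) for _, answers in lookups)
    return len(unique_ips(lookups)) / total_answers if total_answers else 0.0


if __name__ == "__main__":
    for hostname, lookups in (("fastflux.example", SAMPLE_LOOKUPS),
                              ("static.example", STABLE_LOOKUPS)):
        print(f"{hostname}: {len(unique_ips(lookups))} unique IPs, churn {churn(lookups):.2f}")
        for country, count in country_tally(lookups):
            print(f"  {country} {count}")
```

Because `unique_ips` deduplicates before tallying, the counts reflect distinct infected hosts rather than how often each one was handed out; the churn ratio is what separates the fast-flux name (10 distinct IPs in 15 answers) from the control host (1 distinct IP in 5 answers).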
Doing reverse lookups on the IP Addresses shows most to be home DSL/Cable modem users. When will people learn that the email is not from a friend? Heh. Oh well.