Throughout our measurement
period we detected
malware distribution sites. In
of
the cases each site is hosted on a single IP address. The remaining
sites are hosted on IP addresses that host multiple malware
distribution sites. Our results show IP addresses that hosted up to
malware distribution sites. Closer inspection revealed that these addresses refer to public hosting servers that allow users to create their own accounts. These accounts appear either as sub-folders of the virtual hosting server's DNS name (e.g., 512j.com/akgy, 512j.com/alavin, 512j.com/anti) or, in many cases, as separate DNS aliases that resolve to the IP address of the hosting server. We also observed several cases where the hosting server is a public blog that allows users to have their own pages (e.g., mihanblog.com/abadan2, mihanblog.com/askbox).
Figure 12: CDF of the normalized pairwise intersection between landing sites across distribution networks.
Niels Provos
2008-05-13