We further evaluate the overlap between the landing sites that point to the different malware distribution sites. To do so, we calculate the pairwise intersection between the sets of the landing sites pointing to each of the distribution sites in our data set. For a distribution network with a set of landing sites and network with the set of landing sites , the normalized pairwise intersection of the two networks, , is calculated as,
Where is the number of elements in the set . Interestingly, our results showed that of the distribution networks share at least one landing page. Figure 12 shows the normalized pair-wise landing sets intersection across these distribution networks. The graph reveals a strong overlap among the landing sites for the related network pairs. These results suggest that many landing sites are shared among multiple distribution networks. For example, in several cases we observed landing pages with multiple IFRAMEs linking to different malware distribution sites. Finally, we note that the sudden jump to a pair-wise score of one is mostly due to network pairs in which the landing sites for one network are a subset of those for the other network.
|
Niels Provos 2008-05-13