Interesting Pattern in Storm Worm Traffic
The first graph visualizes the network communication of a Storm sample when executed on a machine with a private IP address. In that configuration, the bot typically sends out spam e-mails or participates in distributed denial-of-service attacks. The x-axis shows the time, while the y-axis shows the UDP/TCP destination port number the bot communicates on:

The graph shows that the bot first uses NTP to synchronize the clock of the victim's machine. Afterwards, it contacts many other machines, typically on TCP ports below 33,789 (strange port number?!?). After a few minutes, it also starts spamming (lots of connections on TCP port 25). What is interesting are all the communications that happen on higher port numbers: we can, for example, identify an IP address hosted at Intercage. This IP address is part of the static backend of the botnet. In addition, an IP address related to the University of California in San Diego (UCSD) sticks out, presumably related to their Storm Worm research. I'm not yet sure what all the other IP addresses mean, but presumably all of them are also suspicious and somehow related to the botnet.
The second graph shows the network communication of a sample executed on a machine with a public IP address. In this configuration, the bot is typically used to relay messages or host services related to the botnet. Again, the x-axis depicts a timeline, whereas the y-axis shows the TCP / UDP destination port number:

Here we can observe a completely different pattern compared to the first graph. Overall, the full port range is used, with some denser and some sparser parts. We can also observe more TCP communication, and quite a lot of communication on TCP port 80, which is related to the web sites hosted by the botnet.
The port range between destination port 50,000 and 51,000 is far denser than the lower and higher ports, as the following figure shows:

This port range is commonly used for RTP / RTCP as defined in RFC 4504 - presumably just a coincidence for Storm Worm.
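The analysis behind these figures, as an added example that is not part of the original post: a small, constructed flow list (timestamp, protocol, destination port) is binned by destination port to locate an unusually dense band such as 50,000 to 51,000, and the first NTP, SMTP and HTTP contacts are extracted to recover the phases described above. The flow records and thresholds are assumptions for illustration, not values from a real Storm capture.

```python
from collections import Counter
from statistics import median

# Constructed flow records for illustration (not a real Storm capture):
# (seconds since execution start, transport protocol, destination port)
FLOWS = [
    (0, "udp", 123),                                          # NTP clock sync right after start
    (5, "tcp", 7871), (6, "tcp", 20117), (8, "tcp", 33789),   # peer contacts on ports below ~33,789
    (120, "tcp", 25), (121, "tcp", 25), (122, "tcp", 25),     # spam burst on SMTP
    (130, "tcp", 80),                                         # web content hosted by the botnet
    (140, "tcp", 50021), (141, "udp", 50402),                 # dense band between 50,000 and 51,000
    (142, "udp", 50877), (143, "tcp", 50950),
    (150, "tcp", 61000), (160, "tcp", 4000),                  # sparse high-port traffic
]

BIN = 1000  # width of a destination-port bin; key 50000 stands for 50000-50999

def port_histogram(flows, bin_size=BIN):
    """Count flows per destination-port bin, keyed by the bin's first port."""
    return Counter((port // bin_size) * bin_size for _, _, port in flows)

def dense_bands(flows, bin_size=BIN, min_port=1024, factor=3):
    """Bins at or above min_port whose flow count is at least `factor` times the
    median count of the populated bins - the kind of band the third figure shows."""
    hist = port_histogram([f for f in flows if f[2] >= min_port], bin_size)
    if not hist:
        return []
    typical = median(hist.values())
    return sorted(b for b, n in hist.items() if n >= factor * typical)

def phase_timeline(flows):
    """First occurrence of each behaviour described in the post: NTP sync (udp/123),
    spamming (tcp/25) and web hosting (tcp/80)."""
    labels = {("udp", 123): "ntp", ("tcp", 25): "smtp", ("tcp", 80): "http"}
    first = {}
    for t, proto, port in sorted(flows):
        label = labels.get((proto, port))
        if label is not None and label not in first:
            first[label] = t
    return first

def smtp_share(flows, since=0):
    """Fraction of TCP flows from `since` onwards that target port 25 - a crude
    indicator that the sample has entered its spam phase."""
    tcp_ports = [port for t, proto, port in flows if proto == "tcp" and t >= since]
    if not tcp_ports:
        return 0.0
    return tcp_ports.count(25) / len(tcp_ports)

if __name__ == "__main__":
    print("dense bands:", dense_bands(FLOWS))
    print("phases:", phase_timeline(FLOWS))
    print("SMTP share after 120 s:", smtp_share(FLOWS, since=120))
```

On a real capture the same functions apply to flow records exported from the pcap; the bin width and density factor are the knobs to tune against the sparse background.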
Does anybody have an explanation for the distribution of destination ports used by Storm Worm? And thanks a lot to Björn for the permission to publish the figures!