Botnet Victims Map

Our site is currently "under abuse" from a botnet which is directing a small subset of internet users (not forum users) to a rarely used full page advertising URL and attempting to redirect the user, via that URL, to other web sites. This is a kind of "spam" botnet, using a URL redirection method. This does not affect our regular forum members (except that it does increase the server load average).

Prior to discovery, most of these redirection URLs would result in a blank page (no ad) to the "outside user" because we are not using that ad campaign at the moment. However, after discovery of this botnet, we simply redirected the botnet "victims" to our Facebook page (to move them off the server, decrease server load, and extract some statistics about each botnet node).

Today, I wrote a small program to collect the IP addresses of each node of the botnet and perform some analysis by unique IP and country, etc. After this code runs for a while I will update this thread with these ongoing stats:

  1. total ips 3321
  2. unique ips 820
  3. unique countries 59

When the stats above stabilize a bit (unique IPs do not change often and countries are also "stable"), I will extract the longitude and latitude information for each IP from our geoip database and use the Google Map Engine to display the botnet on a global map.

Stay tuned for the pretty picture of this botnet :slight_smile:

At the end of this posting time:

  • total ips 3780
  • unique ips 862
  • unique countries 60

Neo, you are awesome. :slight_smile:

Thanks,
R. Singh

I know :wink: (Joking)

Thanks for the kind words; it's always nice to hear them :smiley:

  • total ips 4111
  • unique ips 903
  • unique countries 62

Update on Botnet stats from around two hours ago:

  • total ips 9938
  • unique ips 1415
  • unique countries 76

And the botnet keeps getting (tracking) bigger, now over 3760 nodes spanning 99 countries and still growing (in our logs):

  • total ips 68725
  • unique ips 3761
  • unique countries 99

Here are the first 2750 nodes of this botnet plotted with Google Maps Engine. You can click on the image to go directly to the map:

OK, updated our GeoIP database and changed mapping code to plot 4214 botnet nodes:


A couple of notes:

Our Google Maps Engine account only permits 2000 nodes per layer.

Current stats for botnet:

  • total ips 91100
  • unique ips 4262
  • unique countries 104

Will plot again on a new map; and will also create a new map clustered by country and number of nodes (unique ip addresses) per country.

Google Maps refuses to even show me that big a map unless I pay money. :frowning:

It works fine for me when I use a browser that is not logged into a Google account.

There is no fee to view this map.

I also checked with a Tor browser, and can view the map easily (but of course the Tor browser bundle is very slow!)

Not here, sadly. It stops complaining when I log out, but the map doesn't get any better. It can't be showing anywhere near 4,000 points -- not even 40. And yes, I've been toggling the layers.

I think you are logged into your Google account? Maybe you can try using a browser that is not logged into a Google account.

I tried this with FF, Safari and Tor, all "not logged into Google" and it works fine.

I made sure I wasn't logged in... Maybe it's just perceptual.

Hmm. After reviewing my code, I realize that the map is actually of the "botnet victims" versus the actual botnet nodes; as I should have used the IP address from the PHP superglobal $_SERVER['HTTP_REFERER'] versus the $_SERVER['REMOTE_ADDR'] .... so will have to rewrite the code if I want to extract the IP address from the referring URL.

So, for now "Botnet Map" should read "Botnet Victims Map" ..

It's very nice of you to offer this free service to the botnetters :smiley:

Haha.... maybe we should charge them in bitcoin :eek:

I rewrote the code to use the PHP superglobal $_SERVER['HTTP_REFERER'] to identify and map the botnet nodes.

.. and will rename this thread "Botnet Victims Map"
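Added example (not the poster's program, which the thread does not show): an offline tally over web-server access logs that keeps the two populations discussed above apart, the client addresses that land on the ad URL (the REMOTE_ADDR side) and the hosts named in the Referer header. The ad path, the log lines and the country table are constructed assumptions; a real run would read the server's own log and query its GeoIP database.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

AD_PATH = "/ads/fullpage.php"  # hypothetical path of the abused ad URL

# Constructed sample lines in Apache combined log format (documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2014:10:00:01 +0000] "GET /ads/fullpage.php?id=7 HTTP/1.1" 302 0 "http://redirector-a.example/go?u=1" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2014:10:00:09 +0000] "GET /ads/fullpage.php?id=7 HTTP/1.1" 302 0 "http://redirector-a.example/go?u=2" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2014:10:00:12 +0000] "GET /ads/fullpage.php?id=7 HTTP/1.1" 302 0 "http://redirector-b.example/x" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:10:00:15 +0000] "GET /ads/fullpage.php?id=9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Jan/2014:10:00:20 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Constructed stand-in for a GeoIP lookup (assumption, not a real database).
COUNTRY_OF = {"192.0.2.10": "US", "198.51.100.23": "DE", "203.0.113.5": "US"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def analyse(log_text):
    hits = Counter()       # client address -> hits: the redirected visitors
    referrers = Counter()  # Referer host -> hits: where the visitors came from
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or urlsplit(m["url"]).path != AD_PATH:
            continue       # unparsable line or ordinary forum traffic
        hits[m["ip"]] += 1
        # Referer is client-supplied: it may be absent ("-") or forged,
        # and it yields a hostname that still has to be resolved to an IP.
        host = urlsplit(m["referer"]).hostname
        if host:
            referrers[host] += 1
    countries = {COUNTRY_OF.get(ip, "unknown") for ip in hits}
    return {
        "total ips": sum(hits.values()),
        "unique ips": len(hits),
        "unique countries": len(countries),
        "referrer hosts": dict(referrers),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```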

The map works fine for me and I did not log out from my google account. It wanted me to enter my password again and I did. It did offer me some upgrade option... I declined.

As I zoomed around I noticed that there is a dot in Ashburn Virginia. It looks like it is only 2 or 3 miles away from me. I wonder if it's anyone I know. :slight_smile:

Does anyone else have a neighbor on the map?
