Visualizations can often show researchers details that would otherwise take hours of staring at raw data to find. WORM_DOWNAD.KK has plenty to show us if we look in the right places. This post focuses on the various P2P channels.
The first set of graphs map each IP address (source and destination) found in the source pcap file onto a grid. Each IP address is first split into its 4 octets (A.B.C.D). The octets are plotted as points on each of the four vertical lines. Working from from left to right these lines align to an octet (A.B.C.D). Zero at the top, 255 at the bottom. The points are then connected with a line. The color of the line indicates the value range of the starting octet. Green for 0-64, Blue for 65-128, Pink for 129-192 and Yellow for 193-255. Each Graph shows a 1-hour snapshot of data.
This image shows a 1-hour sample taken from an uninfected LAN carrying normal office traffic. You can see a number of addresses and even follow most of the lines. Multiple appearances of the same address are plotted as one line:
Figure 1. 1 hour of normal LAN traffic
Things get more interesting when we plot WORM_DOWNAD.KK traffic. This graph is 1-hour traffic from a single system infected with WORM_DOWNAD.KK. Note the difference between the first and second graph. We can clearly see that the IP selection algorithm generates a complex distribution that provides thorough coverage of each IP octet:
Figure 2. 1 hour of WORM_DOWNAD.KK P2P traffic)
It is interesting see the IP space that WORM_DOWNAD.KK is programmed to avoid. We know WORM_DOWNAD.KK contains a black-list of /8 CIDR ranges that it will not transmit P2P traffic to. (/8 indicating that only the first octet “A” is significant). The /8s not scanned by the P2P protocol are 0, 1, 2, 5, 10, 14, 23, 27, 31, 36, 37, 39, 42, 46, 49, 50,100-109,127, 175-185, 191, 197, and 223 – 255. You can clearly see 4 gaps on the “A” line. These gaps match very well with the known list, 0-5 at the top, 100-109 (Blue) 175-185 (Pink) and 223-255 at the bottom. If you zoom in you will also see that the Green section (0- 64) is more spotty than the other colors, which tends to agree with what we know about the blocklist.
