Geographic Distribution of Malware

I volunteered to give a talk to the University of Cambridge Computer Lab yesterday. The talk was about how different countries "specialize" in different sorts of malware - or, to be slightly more accurate, show up in our database from different feeds.

I created a number of graphs to show what I meant and I think they are interesting enough that it is worth showing them here too. All the data was derived from the same single query of our threat database on Monday November 15th of bad IP addresses that were active in the past week i.e. Nov 8th-15th. I then used the November version of MaxMind's Geolite country database to associate these addresses with their country of origin and grouped some of the various feeds together (e.g. combining our four 'bot specific feeds) into categories. Finally I cherry-picked a number of interesting countries out of the 200+ different ones to make pie charts by threat category of the share of these countries in the total. These graphs, do I believe, show some interesting differences as different types of malware seems to frequently have different sources.

Firstly here is a chart of the total of all threats (click on charts to enlarge).

Total bad ip addresses for selected countries

As can be seen the United States is the number one problem, providing over 50% of all active bad IP addresses. However it must be noted that the US has far more IP addresses of any sort (good or bad) than any other country. Unsurprisingly the "Bogeyman" counties of Eastern Europe and Asia seem to "punch above their weight" in terms of the ratio of bad to total IP addresses.

In other nations it is notable that Japan seems to be remarkably well behaved while Germany is rather worse than might be expected - being about as bad as the UK, France and Italy combined in terms of bad IP addresses whereas it has less than half the IP addresses

The Dshield lists, which tend to be more focused on inbound attacks show a rather different picture

IP addresses on the DShield lists for selected countries

While, as always, the US is a major source, the People's Republic of China is the worst country here, with other Asian nations also taking up larger slices of the pie than might be expected. Something similar is notable in the "server cracker" category - the IP addresses that seek (primarily SSH) passwords to crack.

Password crackers from selected countries

However in this list we see that (South) Korea is a relatively major player, given its comparatively small size as a nation.

Finally on the "inbound" side lets take a look at the SPAMhaus DROP feed which lists networks (rather than IP addresses) to block because they originate Spam and other malware:

Spamhaus DROP list networks for selected countries

This list shows the "strength" of Eastern Europe for the first time. Romania, Russia and Ukraine make up about 50% of the entire list.

Something similar is visible as we move to "outbound" attacks by looking at the IP addresses of Botnet C&C hosts. Although the US, and Western European nations such as the UK, France and Germany, also make a significant contribution Eastern Europe continues to provide a lot of badness.

Botnet C&C Hosts in selected countries

It is interesting that the Asian nations are for the most part absent from this list.

Phish/malware drop addresses for selected countries

Finally the hosts that are known as Phish sites and/or sites the drop malware on visitors shows quite a similar distribution to the Botnet C&C list. Indeed we have noticed that there is considerable overlap between the lists of Botnet C&C hosts and of Phish/Malware Dropper sites.

Share this: