Security Research
Showing results for 
Search instead for 
Do you mean 

Botnet Hunting with ZMap - Continuing the Hunt!

spovolny on ‎03-05-2014 09:44 AM

Credit: Ricky “HeadlessZeke” Lawshae


Last month, I wrote about a new approach to Mapping and Quantifying Botnet Infections using internet-scale port scanners like ZMap. I have since performed a follow-up scan, and wanted to share what we learned by comparing the results of the two scans.


Two Steps Forward; One Step Back

For the most part, things appear to have gotten better. Four out of five of the ports that Zero Access listens on saw fairly significant drops in the number of infected hosts responding to my probes, with port 14671 shedding an impressive 1500 hosts. The only exception was port 16464, which inexplicably went up slightly since last month.



Infected Hosts in Scan 1

Infected Hosts in Scan 2


























Total Unique Hosts





The same was true when the list was broken down by ISP. While the top 10 stayed mostly the same, there were decreases almost across the board. Comcast killed more than 270 infected hosts, or about 27% of its total, and some companies like BSNL and Korea Telecom decreased by around half. But then companies like Cantv, a Venezuelan telecom, saw significant gains in infection rates (Cantv is now sixth on the list of most infected, compared to twelfth last month). This data shows that while there is an overall trend in the positive direction, it is far from universal.


And Speaking of Venezuela

Infection rates increased in almost every South American country. Chile went up by 21, Argentina by 61, and Venezuela went up by an impressive 80. While a couple of countries appear ostensibly to be infection free now, new ones are starting to pop up like Paraguay and Peru. The picture in South America seems to be bleaker than in most places.



Side-by-Side Comparison of S. American Infected Hosts


The Takeaway


Two months’ worth of data is hardly enough to paint a really clear picture of what exactly is going on, but we can start to infer some interesting patterns. Perhaps a popular IPS or firewall just added port 16471 to its Zero Access detection logic, leading to the large drop in infected hosts. The increases in Venezuela and Argentina may be related to malicious parties taking advantage of current events in those areas (it would be interesting to see if the infection rate continues to rise in Brazil as the World Cup approaches). This exercise was meant to demonstrate the potential for what an approach like this could do for the process of malware tracking and defense, and for the most part I think it has succeeded. As always, feel free to let me know your thoughts.



0 Kudos
About the Author


Steve Povolny is a Senior Manager for DVLabs Security Research and Development teams at HP TippingPoint.

on ‎03-14-2014 12:03 AM

Thanks for Sharing.. :-)

Aug 29 - Sep 1
Boston, MA
HPE Big Data Conference 2016
Attend HPE’s Big Data Conference on August 29 - September 1, 2016 to learn from peers in every industry and hear from Big Data experts and thought lea...
Read more
Sep 13-16
National Harbor, MD
HPE Protect 2016
Protect 2016 is our annual conference on September 13 - 16, 2016, and is the place to meet the world’s top information security talent, discuss new pr...
Read more
View all