Measurement and Analysis of Autonomous Spreading Malware in a University Environment

Thorsten Holz, Jan Goebel, Carsten Willems

Con­fe­rence on De­tec­tion of In­tru­si­ons and Mal­wa­re & Vul­nerabi­li­ty As­sess­ment (DIMVA), Lucerne, Switzerland, July 2007


Autonomous spreading malware in the form of bots or worms is a constant threat in today's Internet. In the form of botnets, networks of compromised machines that can be remotely controlled by an attacker, malware can cause lots of harm. In this paper, we present a measurement setup to study the spreading and prevalence of malware that propagates autonomously. We present the results when observing about 16,000 IPs within a university environment for a period of eight weeks. We collected information about 13.4 million successful exploits and study the system- and network-level behavior of the collected 2,034 valid, unique malware binaries.


Tags: honeypots, Malware