The Malware Cluster Lab
A Forensic Behavioral Analysis of Live Internet Malware Infections

Visit mtc.sri.com

last updated: 15 Jul 2008
Welcome to the SRI Malware Cluster Laboratory:

The SRI Malware Clustering Lab is exploring the use of behavioral attribute clustering as a method to automatically categorize common malware patterns under a single forensic model description, and to help us rapidly identify new malware behavioral patterns. We cluster malware on a multi-perspective collection of infection attributes (network communications, sensor alarms, binary attributes, host forensic changes) captured from our live Internet honeynet.
_____________________________________________________________________________
Notice: The data on this website is for research purposes only. It is provided for your personal use only and is supplied AS IS, without warranty of any kind. Use or reliance on this data is at your own risk.
_____________________________________________________________________________
May through June 2008: 
6941 Malware Infections Analyzed
32 Behavioral Profiles
Behavioral Clusters (with more than 30 members)
Cluster A
A: 857 samples
Win2K-f (81%)
AV: Unknown
CN: hail.dns2go.com
CN: scorti1.dns2go.com

Cluster B
B: 812 samples
Win XP/2K (61%/39%)
AV: Unknown
CN: hail.dns2go.com
CN: scorti1.dns2go.com

Cluster C
C: 656 samples
WinXP (100%)
AV: Korgo
UA: monkey.hosting.ua

Cluster D
D: 519 samples
Win 2K/XP (70%/30%)
AV: Wootbot
US: comast.com

Cluster E
E: 387 samples
Win XP/2K (54%/46%)
AV: Wootbot
US: comast.com

Cluster F
F: 331 samples
WinXP (98%)
AV: Virut
DE: proxim.ircgalaxy.pl

Cluster G
G: 316 samples
WinXP (100%)
AV: Sasser
DE: proxim.ircgalaxy.pl

Cluster H
H: 333 samples
Win 2K/XP (54%/46%)
AV: SDBot
DE: proxim.ircgalaxy.pl

Cluster I
I: 310 samples
Win 2K/XP (60%/40%)
AV: Unknown


Cluster J
J: 314 samples
Win 2K/XP (59%/41%)
AV: Unknown
CN: scorti1.dns2go.com (65%)
US: scorti1.dns2go.com (28%)

Cluster K
K: 311 samples
Win 2K/XP (64%/36%)
AV: Unknown
CN: hail.dns2go.com (75%)
CN: scorti1.dns2go.com (63%)

Cluster L
L: 291 samples
Win 2K/XP (57%/43%)
AV: Unknown

Cluster M
M: 220 samples
Win 2K/XP (65%/35%)
AV: Virut/Nachi
CA: synflood.ws (50%)
CA: webdesignpro.org (33%)

Cluster N
N: 172 samples
Win 2K/XP (57%/43%)
AV: Unknown
CN: scorti1.dns2go.com (76%)

Cluster O
O: 159 samples
WinXP (100%)
AV: Padobot
DE: fastit.net
Cluster P
P: 117 samples
Win 2K/XP (53%/47%)
AV: Unknown
US: f.unicat.org (100%)

Cluster Q
Q: 112 samples
WinXP (98%)
AV: Unknown

Cluster R
R: 89 samples
Win 2K/XP (71%/29%)
AV: Unknown
CN: hail2.dns2go.com

Cluster S
S: 84 samples
WinXP (100%)
AV: Unknown

Cluster T
T: 78 samples
Win 2K/XP (59%/41%)
AV: SDBot
US: freee.najd.us (76%)

Cluster U
U: 41 samples
WinXP (100%)
AV: XXXX

Cluster V
V: 38 samples
Win2K-f (100%)
AV: Unknown
US: qtas.net (32%)
SE: dzuc.net (26%)
SE: tap.radioprishtina.net (26%)
US: wow.blackirc.us (26%)

Cluster W
W: 33 samples
Win2K-f (88%)
AV: Virut
US: hail.dns2go.com (52%)
CN: scorti1.dns2go.com (48%)
CN: hail.dns2go.com (43%)
US: scorti1.dns2go.com (39%)
DE: proxim.ircgalaxy.pl (35%)

Behavioral Clustering
Similarity Matrix

The two figures plot the pair-wise similarity between the synopses. Each image can be read as a matrix: pixel (i, j) represents the similarity measure between the i-th and the j-th synopsis. A red pixel means the similarity is close to 1 (i.e., the two synopses are nearly identical); a blue pixel means the similarity is low.

___________________________________________________________________________________________________
Development Team
Arvind Narayanan (UTexas Austin), Phillip Porras (SRI), Vinod Yegneswaran (SRI), Jian Zhang (SRI)
_________________________________________________________________________________________________
Acknowledgements: Special thanks to Cliff Wang at the Army Research Office (ARO) and Karl Levitt at the National Science Foundation for their sponsorship of this research.