Paper ID: 2025ICT0002
As a countermeasure against the damage inflicted by botnets, one widely adopted approach is the takedown of Command and Control (C2) servers, which attackers use to issue commands to compromised bots. Although new malicious activity typically ceases after such a takedown, pre-existing operations and the default behaviors of infected hosts may continue. Moreover, these hosts often lack adequate security measures, leaving them susceptible to subsequent infection by other malware. Sinkhole observation, which monitors communications from malware-infected hosts through the domains of seized C2 servers, therefore offers valuable insight into what remains after a takedown. In this study, we analyze the communication behavior of infected hosts by correlating Sinkhole observation data with network flow data collected in ISP-operated environments, which allows us to examine not only traffic destined for the Sinkhole servers but also communications to other external destinations. Furthermore, by cross-referencing these destinations with lists of known malicious servers, we assess the current landscape of malware infections. Our analysis shows that approximately 30% of the infected IP addresses identified in the Sinkhole data exhibit communication patterns indicative of multiple simultaneous malware infections.
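As an added illustration of the correlation step described in this abstract (example code written for this page, not the paper's implementation, data, or exact counting rule), the following Python joins a set of Sinkhole hits with ISP-side flow records on the source IP, keeps only flows within a time window of a hit whose destination appears on a malicious-server list, and reports the share of Sinkhole-observed hosts that touch more than one malware family. All records, the destination-to-family list, the 24-hour window, and the choice to count the sinkholed family itself as one infection are assumptions made for the example.

```python
"""Toy correlation of Sinkhole hits with ISP flow records.

Added example, not code or data from the paper. Every record below is
constructed; the destination-to-family mapping is hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sinkhole observations: (infected source IP, time of hit,
# malware family whose seized C2 domain was contacted).
SINKHOLE_HITS = [
    ("203.0.113.10", "2025-01-10T08:00:00", "SinkholedFamily"),
    ("203.0.113.11", "2025-01-10T08:05:00", "SinkholedFamily"),
    ("203.0.113.12", "2025-01-10T09:00:00", "SinkholedFamily"),
    ("203.0.113.13", "2025-01-10T09:30:00", "SinkholedFamily"),
]

# Constructed ISP flow records: (source IP, destination IP, time).
FLOWS = [
    ("203.0.113.10", "198.51.100.5", "2025-01-10T08:01:00"),  # FamilyA infra
    ("203.0.113.10", "198.51.100.9", "2025-01-10T08:30:00"),  # FamilyB infra
    ("203.0.113.11", "192.0.2.80",   "2025-01-10T08:07:00"),  # benign destination
    ("203.0.113.12", "198.51.100.9", "2025-01-10T09:02:00"),  # FamilyB infra
    ("203.0.113.12", "198.51.100.9", "2025-01-10T09:10:00"),  # same family again
    ("203.0.113.13", "198.51.100.5", "2025-01-12T09:31:00"),  # outside the window
    ("203.0.113.99", "198.51.100.5", "2025-01-10T08:01:00"),  # never seen at Sinkhole
]

# Hypothetical "known malicious server" list: destination IP -> family.
MALICIOUS_DESTS = {
    "198.51.100.5": "FamilyA",
    "198.51.100.9": "FamilyB",
}

# Assumed correlation window around each Sinkhole hit.
WINDOW = timedelta(hours=24)


def _ts(s):
    return datetime.fromisoformat(s)


def families_per_host(hits, flows, malicious, window=WINDOW):
    """Map each Sinkhole-observed source IP to the set of malware families
    it is associated with: the sinkholed family itself plus every family
    whose listed infrastructure it contacted within `window` of a hit."""
    hit_times = defaultdict(list)
    result = {}
    for ip, t, family in hits:
        hit_times[ip].append(_ts(t))
        result.setdefault(ip, set()).add(family)

    for src, dst, t in flows:
        if src not in hit_times:
            continue  # flow from a host with no Sinkhole evidence of infection
        family = malicious.get(dst)
        if family is None:
            continue  # destination is not on the malicious-server list
        ft = _ts(t)
        # Keep the flow only if it falls within the window of some hit.
        if any(abs(ft - ht) <= window for ht in hit_times[src]):
            result[src].add(family)
    return result


def multi_infection_ratio(per_host, threshold=2):
    """Fraction of Sinkhole-observed hosts tied to >= threshold families."""
    if not per_host:
        return 0.0
    multi = sum(1 for fams in per_host.values() if len(fams) >= threshold)
    return multi / len(per_host)


if __name__ == "__main__":
    per_host = families_per_host(SINKHOLE_HITS, FLOWS, MALICIOUS_DESTS)
    for ip, fams in sorted(per_host.items()):
        print(ip, sorted(fams))
    print("multi-infection ratio:", multi_infection_ratio(per_host))
```

Two design points carry over to real data: flows are keyed on the Sinkhole-observed source set first, so traffic from hosts with no Sinkhole evidence is never counted, and the window is applied per hit rather than per host, so a stale flow days away from any hit (as for 203.0.113.13 above) does not inflate the result.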