Due to a recent need for creation of fresh blacklist, we have collected and analyzed 16,000+ unique Storm bot IPs over 2 days. Our results confirm some of the findings of this recent paper regarding size of the Storm botnet. It estimates that the Storm botnet’s size is 5,000 - 6,000 unique IPs (lower bound) and 45,000 - 80,000 upper bound.
The majority of infected machines are located in USA, Russia, Mexico, India, Turkey, Brazil and Poland (in that order). The complete list is here. A partial list of top results is below.
United States 1716
Russian Federation 1177
Mexico 869
India 699
Turkey 609
Brazil 453
Poland 427
Viet Nam 366
Korea, Republic of 362
Morocco 330
France 325
Romania 281
Ukraine 235
We have also analyzed the IP distribution per Autonomous System. Most IPs belong to TTnet Autonomous System, Uninet S.A. de C.V., Vietnam Posts and Telecommunications, SBC Internet Services and BHARTI BT INTERNET LTD. A complete list is here and partial top results are shown below.
TTnet Autonomous System 838
Uninet S.A. de C.V. 792
Vietnam Posts and Telecommunications (VNPT) 605
SBC Internet Services 420
BHARTI BT INTERNET LTD. 362
Itissalat Al-MAGHRIB 330
Comcast Cable Communications, Inc. 269
Polish Telecom’s commercial IP network 260
MTU-Intel Moscow region network 255
National Internet Backbone 235
Romania Data Systems S.A. 222
The IPs were collected by running a Storm bot client in a controlled environment. Also, keep in mind that resolving IPs to their AS numbers and countries using publicly available information in an automated way does not always give an answer (hence the “__UNKNOWN__”’s in the complete lists).
Malware MD5: 8d743df03e17526bddba57a3c7c366ca
Interesting Storm Links:
Sudosecure
Storm Spam wiki
Chasing Storm Into 2008 - Trend Labs
0 Response to “Storm Worm IP List and Country Distribution Statistics”