Taking a peak at our view of Malware Activity in the past week, there is quite a rampant and obvious increase evident in the graph below.

In today’s times, to classify malware is not an exact science in that most modern malware is quite flexible and can change characteristics instantly following a C&C-directed drop of a new binary. Regardless, as best that can be classified by malware binary type the predominant type of malware emanating from Libya are Worm and Virus variants.

Over the past 31 days we have seen 4.4 billion events deriving from malware which breaks down to 142.5 million events per day. The graph above details event counts over the past 31 days, snapshotted hourly.

Post the dramatic shift in overall malware activity there are still a handful of hosts beaconing out as part of the following AS listed below.

You can follow updates of Syrian malware activity per hourly updates in our Middle East/North Africa blog.

Project Cyber Dawn Libya collates, analyzes, and reports on raw data and its Interconnections that have been harvested from the public domain. Recent events are correlated with known historical data to provide an in-depth view into Libyan Cyber Warfare capabilities and defenses. Through this analysis, CSFI can help the international community to understand not only Libya’s potential to influence the balance in cyberspace, but also the physical repercussions of cyber-attacks originating from, and directed towards Libya.

A public release copy of the report is downloadable by clicking the thumbnail to the left.

Malware has taken on many faces in recent years – from compromising hosts to predominantly send spam it has also evolved into identity theft, fraud, extortion and is now the cornerstone of the front lines of a widely-debated cyber war.

The following graphic was generated earlier this afternoon (EDT) referencing the last 500,000 public hosts (roughly a single hour’s worth) emitting activity indicative of a compromised host per malware. As expected North America and Europe are the most active during this time frame.

Click for larger version

Base image credit to Nasa’s Blue Marble series.

The uprising began on or around Feb. 15 and in earnest on Feb. 17., picking up momentum in eastern Libya. Much like the uprising in Egypt, where the then standing Egyptian government attempted to use a complete shutdown on the Egyptian internet as a ploy to slow the growing revolution, the Libyan government appeared to be using the same playbook and reportedly began to shutdown portions of the Libyan internet.

Below is graph beginning on Feb. 17, 2011 of hourly counts of both unique public hosts and total events deriving from sinkholed malware. While during the first couple weeks of the uprising the malware activity was average with the advent of a few periods of total silence lasting only a few hours at a time. Starting on Mar. 3 the overall malware activity become very erratic and predominantly from hosts that appear to be centered in or around Tripoli.

We have also been generating IPv4 Prefix origins of the malware coming out of Libya. Below is a table summarizing all Prefix activity since Feb. 17.

Finally, we created a desktop capture of all the Prefix activity of malware starting on Feb. 17 through Mar. 20. Periodically within the video we expand each city’s consolidated labels to reveal all the Prefix details. When the timeline is started shortly after the beginning of the movie you can see the Prefix activity roll in and out with each passing day (more easily seen if choosing to view higher resolution versions of the video in full screen).

Graphs no longer available.

Some articles and papers about malware growth and trends:
“Report: Malware Growth At An All-Time High”
http://netcentricsecurity.com/articles/2011/02/08/report-malware-growth.aspx

“Growing sophistication of botnets, pervasive devices and social networking, and threats to physical systems will demand increased vigilance in 2011.”
http://www.gtisc.gatech.edu/pdf/cyberThreatReport2011.pdf

“Hacktivism, cyber war and social engineering tactics expected to be among the most widely-used methods for spreading encrypted and dynamic malware.”
http://press.pandasecurity.com/usa/news/pandalabs-predicts-security-trends-for-2011/

“2010 saw not only continued sophistication on the part of cybercriminals but also a tightening of the organizational structures in which they operate. Turf wars between cybercriminal organizations will continue to develop in what has literally turned into a fully operational underground economy.”
http://www.websense.com/content/threat-report-2010-highlights.aspx

Doom and gloom aside, all hope is not lost. We do not believe that things are so dark now that it requires a complete restart of modern preventive practices and policies, but a re-thinking and re-education of how you detect and measure security effectiveness within the Enterprise. Tens of thousands of very bright and talented people have created all of the technology deployed and used in today’s Enterprise networks. But, what is all of this technology in a nutshell? It’s automation.

Effective automation requires relevant and correlated intelligence translated into optimized configuration parameters for all deployed components of a given Enterprise network security infrastructure. We can help enlighten security teams with issue detection and trends that ultimately provides a more optimized approach to incident response while simultaneously greatly improving and automating security infrastructure issue focus and configuration in near-realtime.

As an example of how we use derivative trending data from security event data, we have recently posted metrics for the industry index, encompassing the Fortune 2000+. You can access the trending information in our Trending Section.

From our perspective of tracking malicious malware, we detected a total stoppage in activity starting several hours ago.

Update, Feb. 19 (06:30 ET): Malware is flowing out of Libya as of a few hours ago.

Update, Feb. 19 (18:30 ET): Malware coming out of Libya has become very erratic so I thought it best to just create a graph that will update itself approximately every hour showing the last 36 hours per update cycle.

Update, March 3 (17:00 ET): Malware vanishes again, indicative of a complete or partial ‘net shutdown. Reports out of Tripoli that ‘net and land lines down. As always, our near-realtime graph is always updating, tracking any dramatic changes in actiivty.

 
Update, March 4 (23:00 ET): Since the latest apparent Libyan internet shutdown from two days ago, there has been a small amount of malware activity. The prefixes are listed below.

 
Update, March 5 (13:00 ET): Compared to the limited ‘net activity coming out of Libya, the largest spike of malware activity occurred within the last hour.

 
Update, March 6 (06:00 ET): Sporadic network activity over the last 12 hours continues to make it’s way out of Libya by way of interactive malware.

 
Update, March 7 (12:30 ET): Quick update of malware activity by AS over the past 24 hours.

 
Update, March 18 (14:00 EDT): Follow-up update as the activity from Libya is still abnormal (activity over the past 24 hours).

 
Update, March 20 (00:00 EDT): Malware activity from Libya over the past 24 hours is predominantly concentrated within the 41.208.64.0/18 IPv4 Prefix.

 
Update, March 21 (10:00 EDT): The 41.208.64.0/18 IPv4 Prefix continues emanate the majority of the malware activity.

Below is a quick summary of the AS activity, per malware, seen as active in the past couple of days in Algeria.