This project was done for the Shadowserver Foundation. They are a volunteer, not-for-profit organization that deals with the capture, analysis and dissemination of data and intelligence relating to nefarious activity on the internet. Shadowserver provided us with one day's worth of data (several gigabytes) so that we could apply some known techniques and experiment with some new ones.
This piece of work is more than just a bit of fun. It turns out to be a reasonable method to spot wider trends and anomalies in both victim IP ranges as well as the behaviors of various trojan families.
I used the Logstalgia package to create this. Logstalgia is designed to replay and visualize web server access logs, so I rearranged the malware dataset into a format the existing Logstalgia platform could process. Keep in mind, when you watch this, that it represents only a few minutes of malicious activity from only about 5 malware samples. Imagine what the wider state of the internet looks like.
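The rearranging step above, as an added example that is not the project's own code: a small converter that turns malware sighting records into NCSA Common Log Format, which Logstalgia reads natively. The input schema (timestamp, victim IP, C2 IP and port, trojan family, byte count) and the sample rows are constructed for this illustration and are not Shadowserver's real feed format. The victim IP becomes the log's client host and the family becomes the first path component, so each victim appears as a requester and each family as a distinct target (and can be bucketed with Logstalgia's `-g name,regex` grouping). A `summarize` helper counts sightings per family and per victim /24, the two dimensions the post says the visualization makes trends visible in.

```python
"""Convert constructed malware sightings into Common Log Format for Logstalgia."""
import csv
import io
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_network

# Constructed sample feed (NOT the Shadowserver schema). One sighting per line:
# timestamp (ISO 8601 UTC), victim_ip, c2_ip, c2_port, family, bytes sent.
# Deliberately out of chronological order to show that the converter sorts.
SAMPLE_SIGHTINGS = """\
timestamp,victim_ip,c2_ip,c2_port,family,bytes
2013-06-01T00:00:01Z,192.0.2.10,198.51.100.5,8080,zeus,512
2013-06-01T00:00:09Z,192.0.2.10,198.51.100.5,8080,zeus,512
2013-06-01T00:00:03Z,192.0.2.11,198.51.100.5,8080,zeus,640
2013-06-01T00:00:04Z,203.0.113.7,198.51.100.9,443,citadel,1024
"""


def parse_sightings(text):
    """Yield one dict per sighting, with typed timestamp, port and byte count."""
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        row["c2_port"] = int(row["c2_port"])
        row["bytes"] = int(row["bytes"])
        yield row


def to_clf(rec):
    """Render one sighting as an NCSA Common Log Format line.

    host ident authuser [date] "request" status bytes
    The victim IP is the host; the family and C2 endpoint form the request path.
    """
    when = rec["ts"].strftime("%d/%b/%Y:%H:%M:%S %z")  # e.g. 01/Jun/2013:00:00:01 +0000
    path = f"/{rec['family']}/{rec['c2_ip']}:{rec['c2_port']}"
    return f'{rec["victim_ip"]} - - [{when}] "GET {path} HTTP/1.0" 200 {rec["bytes"]}'


def convert(text):
    """Return CLF lines in chronological order; Logstalgia replays them sequentially."""
    records = sorted(parse_sightings(text), key=lambda r: r["ts"])
    return [to_clf(r) for r in records]


def summarize(text):
    """Count sightings per trojan family and per victim /24 network."""
    families = Counter()
    victim_nets = Counter()
    for r in parse_sightings(text):
        families[r["family"]] += 1
        net = ip_network(r["victim_ip"] + "/24", strict=False)
        victim_nets[str(net)] += 1
    return {"families": dict(families), "victim_nets": dict(victim_nets)}


if __name__ == "__main__":
    # Write the output to a file and play it with: logstalgia sightings.log
    for line in convert(SAMPLE_SIGHTINGS):
        print(line)
    print(summarize(SAMPLE_SIGHTINGS))
```

Sorting matters because Logstalgia reads the log as a timeline; out-of-order lines from a feed that is merged from several sensors would otherwise appear as sudden bursts. The per-/24 counter is a crude but useful first cut for the "victim IP range" anomalies the post mentions; real sightings data would warrant aggregating by announced prefix rather than a fixed /24.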