We planned to write an article about it, but since we don't have the time and some good material is already available, we are just publishing the stats.
Good article about ZeroAccess:
To build the stats we simply ask each peer for its IP list, add it to the database, and repeat. In one month of monitoring we collected 1 million IPs.
If some people are motivated to produce more stats, I can release the scripts and my database.
Number of peers in the DB
y0ug@malwarelu:~/scripts$ date && sqlite3 zeroaccess.sqlite "SELECT count(*) FROM peers;"
Tue Feb 19 13:18:27 CET 2013
1081273
Top 20 countries by infections
y0ug@malwarelu:~/scripts$ sqlite3 zeroaccess.sqlite " SELECT country, count(ip) as cpt FROM peers INNER JOIN geolocations ON peers.id=geolocations.peer_id group by country_code ORDER BY cpt;" | tail -n 20
Australia|10315
Hungary|11023
Sweden|11284
Iran, Islamic Republic of|12507
Russian Federation|12523
France|14028
United Kingdom|15872
Venezuela|16188
Canada|17279
Argentina|17325
Turkey|30210
Romania|31039
Spain|33153
Japan|40820
Germany|41569
Brazil|56705
Taiwan|57805
Italy|103732
United States|132816
India|245987
Top 20 cities
y0ug@malwarelu:~/scripts$ sqlite3 zeroaccess.sqlite " SELECT city, count(ip) as cpt FROM peers INNER JOIN geolocations ON peers.id=geolocations.peer_id group by city ORDER BY cpt;" | tail -n 20
Caracas|5148
Santiago|5609
Bangkok|5965
Kaohsiung|5971
Milan|6179
Taichung|6220
Bucharest|6864
Tokyo|8369
Rome|9303
Istanbul|9841
Chennai|10591
Kolkata|10784
Hyderabad|11597
São Paulo|11839
Pune|12060
Delhi|21610
Taipei|26104
Bangalore|26387
Mumbai|63686
Unknown|100637
Before installing a plugin, the malware checks its signature with this public key.
PEM format
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXrUXWGv6r/yGEWmtu/TCvWsn3
SXC0xcFLULey0xNIKIzxnNzn2Jb/pHRr6CfyQl6Hg6Zt2+efsyTkBRuORs5X1PPg
bISZl8TVUgxH4TzH1x16FLrYWucK08pUgc+e6G91ksjOfC6iKs8g8V54VA8bq71q
zk+QyacS3fEZOSbyYwIDAQAB
-----END PUBLIC KEY-----
The number to factorize
151453432407647819546100166014997951339320507307775254255564495382719040186797150720297483224621783999714587428216607423638262973816754776881098546670647487634628357600030115489745806469124906416028850570212254186170613390107370526681765360119559566943010421386885215034263978631334356541676857160132695880291
The factors are not known here.
If someone manages to factorize the key, they can win a beautiful botnet ^^
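As an added example (not code from the malware.lu post), a stdlib-only Python parser that decodes the PEM key above, walks the DER SubjectPublicKeyInfo, and checks that the RSA modulus is the 1024-bit number quoted after it with public exponent 65537; the `POST_MODULUS` constant is the decimal value copied from the post.

```python
import base64
import re
# RSA public key quoted in the post (plugin signatures are checked against it).
PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXrUXWGv6r/yGEWmtu/TCvWsn3
SXC0xcFLULey0xNIKIzxnNzn2Jb/pHRr6CfyQl6Hg6Zt2+efsyTkBRuORs5X1PPg
bISZl8TVUgxH4TzH1x16FLrYWucK08pUgc+e6G91ksjOfC6iKs8g8V54VA8bq71q
zk+QyacS3fEZOSbyYwIDAQAB
-----END PUBLIC KEY-----"""
# Decimal modulus as printed in the post, to cross-check against the PEM.
POST_MODULUS = int("151453432407647819546100166014997951339320507307775254255564495382719040186797150720297483224621783999714587428216607423638262973816754776881098546670647487634628357600030115489745806469124906416028850570212254186170613390107370526681765360119559566943010421386885215034263978631334356541676857160132695880291")

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the length-byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def _expect(cond, what):
    if not cond:
        raise ValueError("unexpected DER structure: " + what)

def parse_rsa_spki(pem):
    """Return (n, e) from a PEM SubjectPublicKeyInfo holding an rsaEncryption key."""
    der = base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))
    tag, spki, _ = _read_tlv(der, 0)
    _expect(tag == 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)                # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    _expect(tag == 0x30 and oid_tag == 0x06, "AlgorithmIdentifier")
    _expect(oid == bytes.fromhex("2a864886f70d010101"), "OID rsaEncryption")
    tag, bits, _ = _read_tlv(spki, pos)               # BIT STRING wrapping RSAPublicKey
    _expect(tag == 0x03 and bits[0] == 0, "BIT STRING with no unused bits")
    tag, rsa, _ = _read_tlv(bits, 1)
    _expect(tag == 0x30, "RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(rsa, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa, pos)
    _expect(tag_n == 0x02 and tag_e == 0x02, "INTEGER modulus and exponent")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def key_facts(pem=PEM):
    # Key size, public exponent, and whether the modulus equals the post's number.
    n, e = parse_rsa_spki(pem)
    return {"bits": n.bit_length(), "e": e, "matches_post": n == POST_MODULUS}

if __name__ == "__main__":
    print(key_facts())
```

The same parser works on any PEM RSA public key pulled from a sample, so the modulus can be used as a fingerprint to tell whether a given binary trusts this signing key.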