SophosLabs maps malware and spam with Google Earth

Every day SophosLabs receives millions and millions of pieces of data from around the globe about the latest malware and spam campaigns. Our worldwide network of spamtraps and honeypots as well as other sources provide us with second-by-second reports of the latest hacks, scams and worm attacks.

Last year we began to transpose some of this huge amount of data onto Google Earth. SophosLabs director Mark Harris blogged at the time about how the team did this in order to give a unique visual view of a huge internet problem to visiting television companies.

In July 2007, a TV crew visited our offices and filmed some of our technology at work, identifying the location of compromised botnet computers sending malicious spam. We were also able to show what happens when an innocent user clicks on a link in spam, making their computer leapfrog from country to country around the globe, downloading malicious code from hacked webservers.

In the video excerpt below, which can be found on the SophosLabs YouTube channel, you’ll see that the end result of many of these attacks is to steal personal data; in this example, your banking details get sent to a hacker based in Brazil:

View the video on YouTube.

How do we map spam and malware with Google Earth?
What we do is take the IP address of the computer sending the spam, or of the web server hosting the malware, use Geo IP technology to determine the latitude and longitude of the computer we are interested in, and then map it onto Google Earth. Geo IP technology isn’t always 100% reliable – but it’s a pretty cool way of making malware and spam visually interesting.
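The pipeline described above (IP address, Geo IP lookup, placemark) can be sketched as follows. This is an added example, not SophosLabs' code: the lookup table, coordinates, sample sightings and the function names `locate` and `build_kml` are all constructed for illustration, and the output is a KML document of the kind Google Earth opens.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed Geo IP table: RFC 5737 documentation networks mapped to made-up
# (lat, lon) pairs. A real deployment would query a Geo IP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), (51.75, -1.26)),
    (ipaddress.ip_network("198.51.100.0/24"), (40.71, -74.01)),
    (ipaddress.ip_network("203.0.113.0/24"), (-23.55, -46.63)),
]
KML = "{http://www.opengis.net/kml/2.2}"

def locate(ip):
    """Return (lat, lon) for an IP string, or None when there is no match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((geo for net, geo in GEO_TABLE if addr in net), None)

def build_kml(sightings):
    """Turn (ip, label) pairs into KML text plus the list of unmapped IPs."""
    ET.register_namespace("", KML[1:-1])
    root = ET.Element(KML + "kml")
    doc = ET.SubElement(root, KML + "Document")
    unmapped = []
    for ip, label in sightings:
        geo = locate(ip)
        if geo is None:
            unmapped.append(ip)  # Geo IP miss: report it rather than guess
            continue
        lat, lon = geo
        mark = ET.SubElement(doc, KML + "Placemark")
        ET.SubElement(mark, KML + "name").text = f"{label}: {ip}"
        point = ET.SubElement(mark, KML + "Point")
        # KML coordinate order is longitude,latitude (not lat,lon).
        ET.SubElement(point, KML + "coordinates").text = f"{lon},{lat}"
    return ET.tostring(root, encoding="unicode"), unmapped

# Constructed sightings, shaped like what a spamtrap or crawler might report.
SAMPLE = [("192.0.2.10", "spam relay"), ("203.0.113.77", "malware host"),
          ("10.1.2.3", "spam relay"), ("not-an-ip", "spam relay")]

if __name__ == "__main__":
    kml_text, missed = build_kml(SAMPLE)
    print(kml_text)
    print("unmapped:", missed)
```

Addresses the table cannot place are returned separately instead of being plotted at a default location, which keeps lookup misses from showing up as false clusters on the map.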

For instance, we can watch as the east coast of America wakes up, turns on its compromised botnet computers, and begins to relay spam into our spamtraps (and many other innocent users’ inboxes around the world).

Location of zombie computers in Europe that sent spam during just a 30-minute period.

Those of you who have seen presentations given by SophosLabs staff in the last 12 months may have seen us use Google Earth and our intelligence on spam and malware to demonstrate some of the recent attacks and campaigns by cybercriminals.

If you have more ideas on what else we could do with Google Earth, drop us a line at the usual address: sophosblog@sophos.com.

UPDATE: We had a great response to this blog post, with several people asking if we could tell them more about the specific malware campaign that is shown in the video being tracked via Google Earth. Your wish is our command, and we have produced an additional video: View “Sophos, Spam, Trojans and Britney Spears”.