As regular readers will know, Google Earth is a great tool for visualizing some of the things we do in the labs and the way the threat is changing. Plotting compromised machines sending out spam, flying round the world following a specific spam – web – malware attack, plotting compromised Linux machines, etc. make presentations more interesting and are a great tool for illustrating a point.
The problem for me is that having shown the same data what seems to be hundreds of times, I’m always looking for new material. I’ve added a new tool to my bag of demonstrations today with a new Google Earth demo (courtesy of Craig in the systems development team; it’s a long time since I did any coding). This time, we’ve plotted where spam websites are hosted. Basically, we take the links in the spam messages seen in the past few hours, extract the website address, look up where it is hosted and plot it.
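The pipeline described above (extract links from spam, resolve each site to a hosting location, write placemarks for Google Earth), as an added example that is not the lab’s own code. The spam bodies, the `.test` domains and the `HOSTING` lookup table are all constructed: the table stands in for the network-based hosting/geolocation lookup so the script runs offline.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed sample spam bodies; the URLs use reserved .test names, not real sites.
SPAM_MESSAGES = [
    "Cheap meds online! Visit http://example-meds-1.test/order now",
    "Best prices: https://Example-Meds-2.test:8080/buy?ref=42",
    "Click http://example-meds-1.test/promo for a discount",
    "Your package: http://example-shop.test/track",
]

# Hypothetical hosting lookup standing in for an IP geolocation service
# (which needs network access): hostname -> (lat, lon, label).
HOSTING = {
    "example-meds-1.test": (44.43, 26.10, "Bucharest, RO"),
    "example-meds-2.test": (44.43, 26.10, "Bucharest, RO"),
    "example-shop.test": (52.37, 4.90, "Amsterdam, NL"),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_hosts(messages):
    """Pull URLs out of each body and return lowercased hostnames (port stripped)."""
    hosts = []
    for body in messages:
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname  # already lowercased, no port
            if host:
                hosts.append(host)
    return hosts

def locate(hosts, lookup=HOSTING):
    """Group distinct domains by hosting location; unknown hosts are skipped."""
    by_loc = defaultdict(set)
    for host in set(hosts):
        if host in lookup:
            by_loc[lookup[host]].add(host)
    return dict(by_loc)

def to_kml(by_loc):
    """One Placemark per location; KML coordinates are lon,lat,alt order."""
    marks = []
    for (lat, lon, label), domains in sorted(by_loc.items()):
        name = escape(f"{label} ({len(domains)} domains)")
        desc = escape(", ".join(sorted(domains)))
        marks.append(f"<Placemark><name>{name}</name><description>{desc}</description>"
                     f"<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<kml xmlns="http://www.opengis.net/kml/2.2">'
            "<Document>" + "".join(marks) + "</Document></kml>")

if __name__ == "__main__":
    print(to_kml(locate(extract_hosts(SPAM_MESSAGES))))
```

Saving the output as a `.kml` file and opening it in Google Earth gives one pin per hosting location, with the domain count in the pin name.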
The result is large clusters of domains around the globe. Spammers register new domains constantly to avoid being blocked. They have to find registrars (the organisations that hand out domain names) that will effectively turn a blind eye to what they are doing. One of the favourites until recently was Est Domains until it was taken down, but that doesn’t seem to have stopped the spammers as the following screen shot illustrates.
This shows a large number of ‘meds’ related domains all registered to a location in Romania.