Barracuda analytics expose the anatomy of a malware attack

The accumulation of large quantities of security-related data facilitated the creation of a user-friendly front end that is providing unprecedented visibility into the behaviour of malware in Australia and around the world, a Barracuda Networks security researcher has explained.

Barracuda this week launched its Threatglass website, which allows users to trawl through a wealth of detailed data showing the behaviour of malware as it infects more than 10,000 different sites.

The data is a play-by-play of malware infection, highlighting not only the way the Web sites looked but the way they behaved when taken over by various malware. Users can access information about the date the sites were compromised and data such as the external URLs they requested, anomalous IP requests by port and destination IP address, and a downloadable packet capture to show the raw data collected by the company's Barracuda Labs security-analysis arm.

The site, for example, was compromised on 10 January 2013, contacted 10 different URLs and requested 31 different objects from a range of IP addresses over port 16464.

By highlighting the real-world experience of sites that have been infected with malware, Barracuda hopes to add a new dimension to the understanding of the real impact and behaviour of malware, principal research scientist Daniel Peck told CSO Australia.

"Threatglass is basically a front end on data and systems we've been running for a couple of years," Peck explained. "Our back-end [threat-intelligence] system stabilised around the middle of 2011. We had enough data, and wanted to share it, so we decided that not only could we use it but we could learn something from it."

Barracuda's back-end systems include a dozen servers, supporting hundreds of virtual machines running Windows XP, vulnerable Java Virtual Machines (JVMs), vulnerable Adobe software, and other images designed intentionally to be as vulnerable to attack as possible.

The systems continually visit the top 100,000 Web sites as listed at, providing a broad attack surface to which malware reliably sticks. The virtual images then carefully monitor all communications from the infected hosts, logging requests to outside command-and-control servers and changes to the systems' files and configuration.
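To make the kind of per-site summary described above concrete (external URLs requested, objects fetched, and connections grouped by destination port and IP, with traffic off the usual web ports flagged), here is an added illustration in Python. It is not Barracuda's code; the flow records are constructed inline as if already decoded from a packet capture, and the field layout, `own_host` parameter and the 80/443 "normal" port set are assumptions of this example.

```python
"""Summarise outbound traffic from an instrumented honeypot VM the way a
Threatglass-style report does. Added example, not Barracuda Labs code."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample records: (dst_ip, dst_port, url) per outbound request,
# as if decoded from a pcap. url is None for a raw TCP connection that
# carried no HTTP request (the pattern an analyst would look at first).
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, "http://www.example.test/index.html"),
    ("203.0.113.10", 80, "http://www.example.test/js/site.js"),
    ("198.51.100.7", 80, "http://cdn.example.test/ad.swf"),
    ("198.51.100.7", 80, "http://cdn.example.test/ad.swf"),  # repeat fetch
    ("192.0.2.55", 16464, None),
    ("192.0.2.55", 16464, None),
    ("192.0.2.56", 8080, "http://192.0.2.56:8080/gate.php?id=1"),
]

# Assumption of this example: only 80 and 443 count as "expected" web ports.
WEB_PORTS = {80, 443}


def summarise(flows, own_host="www.example.test"):
    """Return the headline figures a Threatglass-style page shows for one site.

    own_host is the compromised site itself; anything else is 'external'.
    """
    urls = [u for _, _, u in flows if u]
    external = {u for u in urls if urlsplit(u).hostname != own_host}
    by_port_ip = Counter((port, ip) for ip, port, _ in flows)
    # Connections on non-web ports are the anomalous requests worth triage.
    anomalous = {k: n for k, n in by_port_ip.items() if k[0] not in WEB_PORTS}
    return {
        "hosts_contacted": len({urlsplit(u).hostname for u in urls}),
        "objects_requested": len(set(urls)),
        "external_urls": sorted(external),
        "connections_by_port_ip": dict(by_port_ip),
        "anomalous_by_port_ip": anomalous,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_FLOWS)
    print(f"{report['hosts_contacted']} hosts, "
          f"{report['objects_requested']} distinct objects requested")
    for (port, ip), n in sorted(report["anomalous_by_port_ip"].items()):
        print(f"anomalous: {n} connection(s) to {ip} on port {port}")
```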

"We record that for as long as we can," Peck said. "There have been cases where there was some doubt as to whether the infection had actually happened, but packet capture removes all doubt – showing exactly what happened on the network as the site was sending out some sort of drive-by exploit."

The Threatglass site already has data on more than 10,000 infected sites, with discussion forums intended to get security experts sharing their thoughts on recent exploits. Around a dozen new sites are added to the database every day, in Australia and around the world – turning Threatglass into a living exhibit of malware's ravages.

"This kind of data is usually not that easy to come by," Peck said. "You have to be on some pretty heavily vetted private mailing lists. But we felt that this data needed to be out there."

"We're getting new things reported daily, and have had a lot of user submissions. We'd really love for the community to get involved; we're providing an open forum to help out anybody."

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue