The accumulation of large quantities of security-related data has enabled a user-friendly front end that provides unprecedented visibility into the behaviour of malware in Australia and around the world, a Barracuda Networks security researcher has explained.
Barracuda this week launched its Threatglass website, which allows users to trawl through a wealth of detailed data showing the behaviour of malware as it infects more than 10,000 different sites.
The data is a play-by-play of malware infection, highlighting not only how the Web sites looked but how they behaved once taken over by various malware. Users can see the date each site was compromised, the external URLs it requested, anomalous IP requests broken down by port and destination IP address, and a downloadable packet capture showing the raw data collected by Barracuda Labs, the company's security-analysis arm.
The AbbottsFloors.com.au site, for example, was compromised on 10 January 2013, contacted 10 different URLs and requested 31 different objects from a range of IP addresses over port 16464.
By highlighting the real-world experience of sites that have been infected with malware, Barracuda hopes to add a new dimension to the understanding of the real impact and behaviour of malware, principal research scientist Daniel Peck told CSO Australia.
"Threatglass is basically a front end on data and systems we've been running for a couple of years," Peck explained. "Our back-end [threat-intelligence] system stabilised around the middle of 2011. We had enough data, and wanted to share it, so we decided that not only could we use it but we could learn something from it."
Barracuda's back-end systems include a dozen servers, supporting hundreds of virtual machines running Windows XP, vulnerable Java Virtual Machines (JVMs), vulnerable Adobe software, and other images designed intentionally to be as vulnerable to attack as possible.
The systems continually visit the top 100,000 Web sites as listed at Alexa.com, providing a broad attack surface to which malware reliably sticks. The virtual images then carefully monitor all communications from the infected hosts, logging requests to outside command-and-control servers and changes to the systems' files and configuration.
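To show how egress telemetry from a sandboxed browsing VM (as described above) is turned into the per-site summary the article describes (external URLs contacted, objects requested, connections grouped by destination port and IP), here is an added Python example; it is not Barracuda's or Threatglass's own code, and the request log, site name, IP addresses and the "expected ports" set are constructed, illustrative assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of what a sandboxed VM might record for one visited site:
# (visited site, requested URL, destination IP, destination port).
# Placeholder values only; not real Threatglass data.
SAMPLE_REQUESTS = [
    ("example-site.invalid", "http://example-site.invalid/index.html", "198.51.100.10", 80),
    ("example-site.invalid", "http://example-site.invalid/style.css", "198.51.100.10", 80),
    ("example-site.invalid", "http://cdn.example.invalid/jquery.js", "203.0.113.7", 80),
    ("example-site.invalid", "http://203.0.113.55:16464/gate.php", "203.0.113.55", 16464),
    ("example-site.invalid", "http://203.0.113.55:16464/gate.php", "203.0.113.55", 16464),
    ("example-site.invalid", "https://203.0.113.56:16464/a.bin", "203.0.113.56", 16464),
]

# Ports a plain web visit is expected to use; anything else is worth a closer look.
EXPECTED_PORTS = {80, 443}


def is_first_party(site, url):
    """True when the URL's host is the visited site itself or one of its subdomains."""
    host = urlsplit(url).hostname or ""
    return host == site or host.endswith("." + site)


def summarize(site, requests):
    """Build a Threatglass-style summary for one visited site.

    Returns the distinct external URLs it pulled in, the total number of objects
    requested, request counts grouped by (dst IP, dst port), and the subset of
    those endpoints that used a port outside EXPECTED_PORTS.
    """
    external_urls = {url for s, url, _, _ in requests if s == site and not is_first_party(site, url)}
    by_endpoint = Counter((ip, port) for s, _, ip, port in requests if s == site)
    anomalous = {ep: n for ep, n in by_endpoint.items() if ep[1] not in EXPECTED_PORTS}
    return {
        "site": site,
        "external_urls": sorted(external_urls),
        "objects_requested": sum(by_endpoint.values()),
        "by_endpoint": dict(by_endpoint),
        "anomalous_endpoints": anomalous,
    }


if __name__ == "__main__":
    for key, value in summarize("example-site.invalid", SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```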
"We record that for as long as we can," Peck said. "There have been cases where there was some doubt as to whether the infection had actually happened, but packet capture removes all doubt – showing exactly what happened on the network as the site was sending out some sort of drive-by exploit."
The Threatglass site already has data on more than 10,000 infected sites, with discussion forums intended to get security experts sharing their thoughts on recent exploits. Around a dozen new sites are added to the database every day, in Australia and around the world – turning Threatglass into a living exhibit of malware's ravages.
"This kind of data is usually not that easy to come by," Peck said. "You have to be on some pretty heavily vetted private mailing lists. But we felt that this data needed to be out there."
"We're getting new things reported daily, and have had a lot of user submissions. We'd really love for the community to get involved; we're providing an open forum to help out anybody."
This article is brought to you by Enex TestLab, content directors for CSO Australia.