Visualizing and Modeling the Scanning Behavior of the Conficker Botnet in the Presence of User and Network Activity

Translating behavioral information learned from analyzing a botnet’s software in controlled environments into a model of how the botnet behaves in the wild is complicated by two facts: controlled environments do not account for a wide variety of user behavior, and machines are not associated one-to-one with IP addresses.

This paper presents a case study that uses published reports and pertinent visualizations to develop and evaluate a single-machine model of the scanning behavior of the Conficker-C botnet, with the goal of understanding the global population of infected machines in light of user activity and IP address allocation.