
ICTD-Data-Analysis

Over the summer of 2019, I worked in the ICTD Lab at the University of Washington analyzing data coming back from a remote cellular network in Bokondini, Indonesia that our lab deployed. These are some of the results I found. I used Jupyter Notebook, Pandas, and Altair to create these graphs.

Case Study: markets-unlimited.com (8.8.8.8)

In the data, I found that there were several accesses to a site called markets-unlimited.com, but not much traffic. We found this interesting and decided to look into it further, since there was no website at that address, and we suspected the site could be malware.

Timeline of accesses to and from markets-unlimited.com

Most of the time, the accesses are fairly consistent, at less than 1000 accesses per hour. However, there is a period between noon on May 12th and noon on May 14th where the accesses spike, and this is the same period in which traffic from other sites on the network decreases greatly.

Gantt Chart of the timeline of accesses to markets-unlimited.com

The site is accessed regularly whenever the network is up: the blocks of accesses are solid between 4AM and 11PM.

Traffic to each port from markets-unlimited.com

Most of the traffic uses public port 53, which is DNS. Since malware sometimes uses port 53 to disguise its traffic as DNS, this is a reason to be suspicious of the address.

Size of traffic per flow to and from markets-unlimited.com

Most flows transport around 40-55 bytes of data per flow. (This graph was made mainly to check whether the site consistently carried the same amount of traffic per flow, which would suggest periodic accesses.)

Timeline of traffic to and from markets-unlimited.com

As with the accesses, the traffic is fairly consistent most of the time, at less than 1000 accesses per hour. However, there is a period between noon on May 12th and noon on May 14th where the traffic spikes, and this is the same period in which traffic from other sites on the network decreases greatly.

Total traffic per user to and from markets-unlimited.com

This graph was originally made to see whether the potential malware was affecting only a few of the users rather than many of them. However, we saw that most, if not all, users had traffic running to and from this site, so this evidence argues against markets-unlimited.com being malware.

Conclusion

After looking back at my work, I realized my DNS log had somehow recorded 8.8.8.8 as the address of markets-unlimited.com. I'm not sure how, but clearly I was wrong about this traffic being malware: it was actually Google's DNS server, which has the address 8.8.8.8. That explains all the DNS traffic and the consistent amount of traffic and accesses each hour, except when the network goes down, during which the DNS requests repeat continuously because there is no connection.
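The summaries in the sections above (accesses per hour, port breakdown, bytes per flow, users seen) and the attribution check that would have caught the 8.8.8.8 mix-up can be run over a flow log with a few lines of code. The block below is an added example, not code from the original analysis; the original used Pandas and Altair, whereas this uses only the Python standard library. The flow records, DNS-log rows, user ids and the 93.184.216.34 destination are constructed for illustration, and the column layout of FLOWS (timestamp, user, destination IP, destination port, bytes) is an assumption about how such a logger records flows. The resolver list holds well-known public recursive resolvers; 8.8.8.8 is the one named on this page.

```python
"""Added example (not part of the original write-up): summarize flows to one
destination and sanity-check the hostname attribution before suspecting malware.
Standard library only; all records are constructed, not real lab data."""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address
from statistics import median

# Constructed flow records: (timestamp, user, dst_ip, dst_port, bytes).
# Assumption: one row per flow, as in the write-up's per-flow graphs.
FLOWS = [
    ("2019-05-11 09:00:00", "u1", "8.8.8.8", 53, 44),
    ("2019-05-11 09:05:00", "u2", "8.8.8.8", 53, 52),
    ("2019-05-11 10:00:00", "u1", "93.184.216.34", 443, 5120),
    ("2019-05-12 13:00:00", "u1", "8.8.8.8", 53, 48),   # burst while the uplink is down
    ("2019-05-12 13:00:02", "u1", "8.8.8.8", 53, 48),
    ("2019-05-12 13:00:04", "u3", "8.8.8.8", 53, 41),
    ("2019-05-12 13:00:06", "u2", "8.8.8.8", 53, 55),
    ("2019-05-13 14:00:00", "u3", "8.8.8.8", 53, 40),
    ("2019-05-14 15:00:00", "u2", "93.184.216.34", 80, 2048),
]

# Constructed DNS-log rows: (queried name, answer IP). The second row reproduces
# the write-up's mistake: a hostname recorded against the resolver's own address.
DNS_LOG = [
    ("example.com", "93.184.216.34"),
    ("markets-unlimited.com", "8.8.8.8"),
]

# Well-known public recursive resolvers (Google, Cloudflare, Quad9). Port-53 flows
# to these are DNS lookups, not visits to a website, whatever name a log attaches.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def flows_to(dst_ip):
    return [f for f in FLOWS if f[2] == dst_ip]


def accesses_per_hour(dst_ip):
    """Flows per hour bucket; a spike while other traffic drops points to retries."""
    hours = Counter()
    for ts, _, _, _, _ in flows_to(dst_ip):
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H")
        hours[hour] += 1
    return dict(hours)


def port_breakdown(dst_ip):
    """Destination-port histogram; {53: n} alone means pure DNS."""
    return dict(Counter(port for _, _, _, port, _ in flows_to(dst_ip)))


def bytes_per_flow(dst_ip):
    """Spread of flow sizes; DNS queries are tens of bytes, web traffic far more."""
    sizes = [b for _, _, _, _, b in flows_to(dst_ip)]
    return {"min": min(sizes), "median": median(sizes), "max": max(sizes)}


def users_seen(dst_ip):
    """Which users talk to the destination; 'everyone' argues for infrastructure."""
    return sorted({u for _, u, _, _, _ in flows_to(dst_ip)})


def attribution_warnings(dns_log):
    """Flag name->IP rows that must not be used to say 'this traffic is to site X'."""
    names_by_ip = defaultdict(set)
    for name, ip in dns_log:
        names_by_ip[ip].add(name)
    warnings = []
    for ip, names in names_by_ip.items():
        joined = ", ".join(sorted(names))
        if ip in KNOWN_RESOLVERS:
            warnings.append(f"{ip} is a public resolver, not {joined}")
        elif not ip_address(ip).is_global:
            warnings.append(f"{ip} is not a globally routable address")
        elif len(names) > 1:
            warnings.append(f"{ip} maps to several names: {joined}")
    return warnings


def triage(dst_ip):
    """Verdict the write-up reached in hindsight: resolver + DNS-only + tiny flows."""
    dns_only = set(port_breakdown(dst_ip)) == {53}
    small = bytes_per_flow(dst_ip)["max"] < 512
    if dst_ip in KNOWN_RESOLVERS and dns_only and small:
        return "benign: DNS queries to a public resolver"
    return "needs review"


if __name__ == "__main__":
    for ip in ("8.8.8.8", "93.184.216.34"):
        print(ip, accesses_per_hour(ip), port_breakdown(ip), bytes_per_flow(ip),
              users_seen(ip), triage(ip))
    print(attribution_warnings(DNS_LOG))
```

Running the attribution check first is the point: the warning on 8.8.8.8 would have turned the "suspicious port-53 traffic to markets-unlimited.com" story into "every user's DNS lookups, retried in a burst while the uplink was down" before any of the graphs were drawn.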