Security Techniques

Visual investigations of botnet command and control behavior

Malware authors seem to prefer to use low port numbers, whereas legitimate software often uses higher ports. In general, popular malware command and control ports were clustered below port 10,000, whereas the density of ports below 10,000 used on the legitimate network was relatively low. The difference is particularly clear for ports below 1024, which is known as the “well known port” range in Internet standards. Our malware samples used 866 “well known” TCP ports, but the legitimate traffic only used 166. On the UDP side, 1018 “well known” ports were used by malware, but only 19 were used on the legitimate network. This suggests that use of unusual ports below 1024 is a behavioral anomaly that might be worth investigating – it could indicate a malware infection.
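The heuristic above, applied to flow records, as an added example that is not part of the original article: each source host's distinct destination ports in the well-known range are compared against an assumed per-site baseline of expected services, and hosts that touch several unexpected low ports are flagged for investigation. The flow lines, the baseline set and the threshold are constructed assumptions, not data from the study.

```python
from collections import defaultdict

# Constructed sample flow records, one per line: "src_ip proto dst_port".
SAMPLE_FLOWS = """\
10.0.0.5 tcp 443
10.0.0.5 tcp 80
10.0.0.5 udp 53
10.0.0.5 tcp 22
10.0.0.9 tcp 443
10.0.0.9 tcp 7
10.0.0.9 tcp 9
10.0.0.9 tcp 13
10.0.0.9 udp 19
10.0.0.9 udp 37
10.0.0.9 tcp 4444
10.0.0.9 udp 530
""".splitlines()

# Assumed site baseline: well-known (proto, port) pairs legitimate hosts are expected to use.
BASELINE_WELL_KNOWN = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 443),
                       ("udp", 53), ("udp", 123)}
WELL_KNOWN_MAX = 1023  # upper bound of the IANA "well known" port range

def parse_flow(line):
    src, proto, port = line.split()
    return src, proto.lower(), int(port)

def distinct_ports_by_host(lines):
    """Map each source host to the set of (proto, port) pairs it connected to."""
    ports = defaultdict(set)
    for line in lines:
        if line.strip():
            src, proto, port = parse_flow(line)
            ports[src].add((proto, port))
    return ports

def unusual_low_ports(port_set):
    """Ports in the well-known range that are not in the site baseline."""
    return {p for p in port_set if p[1] <= WELL_KNOWN_MAX and p not in BASELINE_WELL_KNOWN}

def flag_hosts(lines, threshold=3):
    """Return {host: sorted unusual low ports} for hosts at or above the threshold (assumed)."""
    flagged = {}
    for host, pset in distinct_ports_by_host(lines).items():
        unusual = unusual_low_ports(pset)
        if len(unusual) >= threshold:
            flagged[host] = sorted(unusual)
    return flagged

if __name__ == "__main__":
    for host, ports in flag_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {len(ports)} unusual well-known ports: {ports}")
```

Ports above 1023 (such as 4444 in the sample) are deliberately ignored here, since the article's signal is the count of distinct unexpected ports in the well-known range; a real deployment would build the baseline from observed legitimate traffic rather than a fixed set.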