The data available from Lancope’s malware research suggests that 85% to 95% of malware samples use TCP port 80 to communicate with their command and control servers. The alternate ports chosen by the remaining samples are worth investigating to determine if there are patterns of port selection behavior that can be useful for detection. In order to learn more about that subject we took a look at the command and control behaviors of a collection of nearly two million unique botnet malware samples that were active between 2010 and 2012. These samples reached out to nearly 150,000 different command and control servers on over 100,000 different TCP and UDP ports. This data set is complex and heterogeneous, and thus it is difficult to analyze. However, when the data is represented visually, patterns emerge that lead to interesting insights.
