Introducing Lightbulb

I've turned my script into an open source project! I'd like to formally introduce lightbulb. Lightbulb is a utility that reads in proxy log data and uses entropy-based analysis to identify beacons associated with malware. You can tailor it to do just about anything you'd like, and it may give network admins a deeper understanding of their network and the activity happening on it.

For the first official release of lightbulb I wanted to make some significant improvements to the code and the reporting. There are more changes to come, but here is what you'll find new in this version:

  • Reporting back of the actual beacon time intervals
  • Outliers listed according to the standard deviation of all data
It's a nice improvement and the project has come a long way. The next version has a scheduled change to the backbone to boost performance, along with a look at different learning algorithms. Stay tuned for more changes. All updates on the project will now be hosted at Google Code as well as here. I'll try to keep the changelog up to date. :)
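To illustrate the approach described above (grouping proxy requests by client/destination pair, scoring the regularity of the gaps between requests with Shannon entropy, then reporting the dominant interval and any outliers beyond the standard deviation), here is an added example. It is not lightbulb's own code; the log format, the 5-second bucketing and the entropy threshold are assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict
from statistics import median, pstdev, mean

# Constructed proxy log lines ("epoch_seconds src_ip dst_host"); not real data.
# 10.0.0.5 -> beacon.example checks in every 60 s, with one delayed check-in (a 300 s gap).
# 10.0.0.7 -> news.example is interactive browsing with irregular gaps.
BEACON_TIMES = [1000 + 60 * i for i in range(12)]
BEACON_TIMES[8:] = [t + 240 for t in BEACON_TIMES[8:]]   # the delayed check-in
BROWSE_TIMES = [1000, 1003, 1041, 1042, 1190, 1500, 1502, 1503, 1900, 2350, 2351, 2700]
SAMPLE_LOG = ([f"{t} 10.0.0.5 beacon.example" for t in BEACON_TIMES]
              + [f"{t} 10.0.0.7 news.example" for t in BROWSE_TIMES])

def parse_log(lines):
    """Group request timestamps by (client, destination) pair, sorted in time order."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        pairs[(src, dst)].append(int(ts))
    return {k: sorted(v) for k, v in pairs.items()}

def interval_entropy(intervals, bucket=5):
    """Shannon entropy (bits) of the inter-request gaps, binned into `bucket`-second buckets.
    A fixed-period beacon collapses into one bucket and scores near 0; browsing spreads out."""
    counts = defaultdict(int)
    for gap in intervals:
        counts[gap // bucket] += 1
    n = len(intervals)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(lines, min_hits=5, max_entropy=1.0):
    """Return the pairs whose timing looks beacon-like, with the dominant interval
    and the outlier gaps (more than two standard deviations from the mean gap)."""
    report = []
    for (src, dst), times in parse_log(lines).items():
        intervals = [b - a for a, b in zip(times, times[1:])]
        if len(intervals) < min_hits:
            continue                      # too few requests to judge regularity
        ent = interval_entropy(intervals)
        if ent > max_entropy:
            continue                      # irregular timing: not beacon-like
        mu, sigma = mean(intervals), pstdev(intervals)
        outliers = [gap for gap in intervals if abs(gap - mu) > 2 * sigma]
        report.append({"src": src, "dst": dst, "hits": len(times),
                       "entropy": round(ent, 3), "interval": median(intervals),
                       "outliers": outliers})
    return report

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(row)
```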

http://code.google.com/p/lightbulb

Posted at 11:17 AM on Saturday, April 25, 2009 by nick | 1 comment

On the Horizon

Just a quick check in.

Since I've last written my entropy beacon script, I've received a flurry of suggestions and ideas on how to better expand and build upon this research. Those have been slowly making their way into my main codebase and some major backend work has begun.

Along with that, I've got two new things coming down the pipeline. One has to do with rebuilding binaries off the wire (it seems there aren't many good programs for this) and the other has to do with hunting malware via User-Agent strings. Would you believe that on a daily basis I've seen more than 5000 unique UAs? It's unbelievable.

Also, I'm starting to port a good chunk of my work to Google Code so that I don't have to mail out updates to those who've been using my scripts.

Thanks again for all the suggestions. You'll be hearing from me soon.

Posted at 4:38 PM on Saturday, April 4, 2009 by nick | 1 comment