drone armies C&C report - March/2005
Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.
Based on our (still incomplete) analysis of the information gathered thus
far, we now publish two reports.
The ISPs that are most often plagued with botnet C&Cs (command &
control) are, in the order listed:
----------------------------------
Top 13 with open non-resolved suspect C&Cs

ASN    Responsible Party                 Unique IPs  Open-unresolved
21840  SAGONET-TPA - Sago Networks       31-40       11-15
25761  STAMINUS-COMM - Staminus Commu    16-20       11-15
27595  ATRIVO-AS - Atrivo                6-10        6-10
27654  ASN-NA-MSG-01 - Managed Soluti    6-10        3-5
17676  JPNIC-JP-ASN-BLOCK Japan Netwo    6-10        3-5
16625  LEASEWEB LEASEWEB AS              3-5         3-5
4713   OCN NTT Communications Corpora    6-10        3-5
8551   BEZEQ-INTERNATIONAL-AS Bezeqin    3-5         3-5
13749  EVERYONES-INTERNET - Everyones    3-5         3-5
4766   KIXS-AS-KR Korea Telecom          6-10        3-5
21788  NOC - Network Operations Cente    6-10        3-5
13301  UNITEDCOLO-AS Autonomous Syste    3-5         3-5
6517   YIPESCOM - Yipes Communication    6-10        3-5
Top 10 frequently listed without regard to state

ASN                        Responsible Party                 Unique IPs
21840                      SAGONET-TPA - Sago Networks       31-40
25761                      STAMINUS-COMM - Staminus Commu    16-20
{10913,13790,19024,14744}  INTERNAP Internap                 11-15
{13884,21844}              THEPLANET-AS - THE PLANET         11-15
27654                      ASN-NA-MSG-01 - Managed Soluti    6-10
4766                       KIXS-AS-KR Korea Telecom          6-10
4713                       OCN NTT Communications Corpora    6-10
17676                      JPNIC-JP-ASN-BLOCK Japan Netwo    6-10
3356                       LEVEL3 Level 3 Communications     6-10
Unresolved open IPs for top 10

ASN                        Responsible Party                 Open-unresolved
21840                      SAGONET-TPA - Sago Networks       11-15
25761                      STAMINUS-COMM - Staminus Commu    6-10
{10913,13790,19024,14744}  INTERNAP Internap                 1-3
{13884,21844}              THEPLANET-AS - THE PLANET         1-3
27654                      ASN-NA-MSG-01 - Managed Soluti    3-5
4766                       KIXS-AS-KR Korea Telecom          3-5
4713                       OCN NTT Communications Corpora    3-5
17676                      JPNIC-JP-ASN-BLOCK Japan Netwo    3-5
3356                       LEVEL3 Level 3 Communications     1-3
* We would gladly like to establish a trusted relationship with
these and any organizations to help them in the future.
* We would especially like to note the serious and prompt response by
PNAP, as well as the serious efforts made by The Planet.
* By previous request, here is an explanation of what an "ASN" is, by Joe
St Sauver:
http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
* Clarification: the definition of "count" is how many C&C servers are
located at said AS. We have renamed it "Unique IPs" and
"Open-unresolved" accordingly.
The Trojan horses most used in botnets:
---------------------------------------
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
etc.).
* There seems to be an increase in Energymechs used for botnets running
on *nix machines.
--
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.
gadi@xxxxxxxxxxxxx
gadi@xxxxxxxxxxx
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il
The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.