<<< Date Index >>>     <<< Thread Index >>>

drone armies C&C report - March/2005



Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.

According to our incomplete analysis of information we have thus far, we
now publish two reports.


The ISP's that are most often plagued with botnet C&C's (command &
control) are, by the order listed:
----------------------------------

Top 13 with open non-resolved suspect C&Cs
ASN     Responsible Party       Unique IPs      Open-unresolved
21840   SAGONET-TPA - Sago Networks     31-40      11-15
25761   STAMINUS-COMM - Staminus Commu  16-20      11-15
27595   ATRIVO-AS - Atrivo      6-10       6-10
27654   ASN-NA-MSG-01 - Managed Soluti  6-10       3-5
17676   JPNIC-JP-ASN-BLOCK Japan Netwo  6-10       3-5
16625   LEASEWEB LEASEWEB AS    3-5       3-5
4713    OCN NTT Communications Corpora  6-10       3-5
8551    BEZEQ-INTERNATIONAL-AS Bezeqin  3-5       3-5
13749   EVERYONES-INTERNET - Everyones  3-5       3-5
4766    KIXS-AS-KR Korea Telecom        6-10       3-5
21788   NOC - Network Operations Cente  6-10       3-5
13301   UNITEDCOLO-AS Autonomous Syste  3-5       3-5
6517    YIPESCOM - Yipes Communication  6-10       3-5

Top 10 frequently listed without regard to state
ASN     Responsible Party       Unique IPs
21840   SAGONET-TPA - Sago Networks     31-40
25761   STAMINUS-COMM - Staminus Commu  16-20
{10913,13790,19024,14744}       INTERNAP Internap       11-15
{13884,21844}   THEPLANET-AS - THE PLANET       11-15
27654   ASN-NA-MSG-01 - Managed Soluti  6-10
4766    KIXS-AS-KR Korea Telecom        6-10
4713    OCN NTT Communications Corpora  6-10
17676   JPNIC-JP-ASN-BLOCK Japan Netwo  6-10
3356    LEVEL3 Level 3 Communications   6-10

Unresolved open IPs for top 10.
ASN     Responsible Party       Open-unresolved.
21840   SAGONET-TPA - Sago Networks     11-15
25761   STAMINUS-COMM - Staminus Commu  6-10
{10913,13790,19024,14744}       INTERNAP Internap       1-3
{13884,21844}   THEPLANET-AS - THE PLANET       1-3
27654   ASN-NA-MSG-01 - Managed Soluti  3-5
4766    KIXS-AS-KR Korea Telecom        3-5
4713    OCN NTT Communications Corpora  3-5
17676   JPNIC-JP-ASN-BLOCK Japan Netwo  3-5
3356    LEVEL3 Level 3 Communications   1-3

* We would gladly like to establish a trusted relationship with
  these and any organizations to help them in the future.

* We would especially like to note the serious and prompt response by
  PNAP, as well as the serious efforts made by The Planet.

* By previous requests here is an explanation of what "ASN" is, by Joe
  St Sauver:
  http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf

* Clarification: the definition of "count" is how many C&C servers are
  located at said AS. We replaced it to be called "Unique IPs" and
  "Open-unresolved" accordingly.


The Trojan horses most used in botnets:
---------------------------------------

1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
   etc.).

* There seems to be an increase in Energymechs used for botnets running
  on *nix machines.


--
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.

gadi@xxxxxxxxxxxxx
gadi@xxxxxxxxxxx
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il

The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.