drone armies C&C report - May/2005
Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.
According to our incomplete analysis of information we have thus far, we
now publish our regular two reports.
This month we would especially like to commend Staminus, who contacted
us and have since made incredible efforts to deal with the threat. Also,
we'd like to mention Internap for their continuous efforts.
The ISPs that are most often plagued with botnet C&Cs (command &
control) are, in the order listed:
----------------------------------
Top 15 with open non-resolved suspect C&Cs by Name:
ASN    Responsible Party                   Unique C&Cs   Open-unresolved
6517   YIPESCOM - Yipes Communication               60                41
21840  SAGONET-TPA - Sago Networks                  90                24
25761  STAMINUS-COMM - Staminus Commu               86                20
4766   KIXS-AS-KR Korea Telecom                     43                20
13680  AS13680 Hostway Corporation Ta               22                19
21698  NEBRIX-CA - Nebrix Communicati               24                18
13301  UNITEDCOLO-AS Autonomous Syste               27                17
21788  NOC - Network Operations Cente               29                16
29415  EUROWAN-ASN OVANET - EuroWan d               16                15
13749  EVERYONES-INTERNET - Everyones               24                14
30083  SERVER4YOU - Server4You Inc.                 21                14
25700  SWIFTDESK - SWIFTDESK VENTURE                13                13
23522  CIT-FOONET - CREATIVE INTERNET               14                12
27595  ATRIVO-AS - Atrivo                           31                11
13237  LAMBDANET-AS European Backbone               11                11
The following table is a historical ranking of the top 10
Responsible parties listed by the number of unique C&Cs in
the BBL along with the current number of C&Cs responding as
open at the time of the survey.
ASN                         Responsible Party                   Unique C&Cs   Open-unresolved
21840                       SAGONET-TPA - Sago Networks                  90                24
10913, 13790, 19024, 14742  INTERNAP (Block 1,3,4,5)                     90               1-5
25761                       STAMINUS-COMM - Staminus Commu               86                20
6517                        YIPESCOM - Yipes Communication               60                41
4766                        KIXS-AS-KR Korea Telecom                     43                20
27595                       ATRIVO-AS - Atrivo                           31                11
21844                       THEPLANET-AS - THE PLANET                    31               1-5
21788                       NOC - Network Operations Cente               29                16
13301                       UNITEDCOLO-AS Autonomous Syste               27                17
3356                        LEVEL3 Level 3 Communications                25               1-5
* We would gladly like to establish a trusted relationship with
these and any organizations to help them in the future.
* By previous requests here is an explanation of what "ASN" is, by Joe
St Sauver:
http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
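The two tables above are built from the same underlying data: a set of suspected C&C hosts, each mapped to an ASN and checked for whether it still answers at survey time. The following is an added example, not code from the report or the mailing list, showing how such a ranking is derived in Python. It assumes a small constructed set of sightings (documentation IP ranges and documentation ASNs 64496-64499), a hypothetical ASN-to-responsible-party mapping (a real run would use whois or an ASN lookup service), that a C&C is identified by host, port and ASN so repeat sightings count once, that the most recent survey pass decides whether it is still open, and that several ASNs may roll up to one responsible party as the report does for Internap. The "1-5" display bucket is offered as an option; that the report uses it to avoid printing small exact counts is an assumption.

```python
"""Rank responsible parties by botnet C&Cs seen in their ASNs (added example).

Mirrors the report's two views: "Top N by open-unresolved" and the
historical "by unique C&Cs" ranking, with open count shown beside it.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Sighting(NamedTuple):
    date: str         # ISO date of the survey pass; later passes override earlier ones
    host: str
    port: int
    asn: int
    answering: bool   # True if the C&C still accepted connections in this pass


class Row(NamedTuple):
    asns: Tuple[int, ...]
    party: str
    unique: int
    open_unresolved: int


# Hypothetical ASN -> responsible-party mapping (constructed for this example).
# Two ASNs belong to the same party, as with Internap's several ASNs above.
ASN_OWNER: Dict[int, str] = {
    64496: "EXAMPLE-ONE",
    64497: "EXAMPLE-TWO",
    64498: "EXAMPLE-THREE",
    64499: "EXAMPLE-THREE",
}

# Constructed sightings over several survey passes (documentation IP ranges).
SIGHTINGS: List[Sighting] = [
    Sighting("2005-05-01", "192.0.2.10", 6667, 64496, True),
    Sighting("2005-05-03", "192.0.2.10", 6667, 64496, True),    # same C&C again: counted once
    Sighting("2005-05-02", "192.0.2.11", 6667, 64496, True),
    Sighting("2005-05-04", "192.0.2.12", 7000, 64496, False),   # already taken down
    Sighting("2005-05-01", "198.51.100.5", 6667, 64497, True),
    Sighting("2005-05-05", "198.51.100.5", 6667, 64497, False), # later pass: gone -> resolved
    Sighting("2005-05-02", "198.51.100.6", 6667, 64497, True),
    Sighting("2005-05-02", "203.0.113.7", 6667, 64498, True),
    Sighting("2005-05-03", "203.0.113.8", 6667, 64499, True),
    Sighting("2005-05-03", "203.0.113.9", 6667, 64499, True),
]


def latest_status(sightings: Iterable[Sighting]) -> Dict[Tuple[str, int, int], bool]:
    """Deduplicate C&Cs by (host, port, asn); the newest pass decides open/closed."""
    status: Dict[Tuple[str, int, int], bool] = {}
    for s in sorted(sightings, key=lambda s: s.date):
        status[(s.host, s.port, s.asn)] = s.answering
    return status


def aggregate(sightings: Iterable[Sighting], owners: Dict[int, str]) -> List[Row]:
    """Roll unique C&Cs and still-open C&Cs up to the responsible party."""
    status = latest_status(sightings)
    asns: Dict[str, set] = defaultdict(set)
    unique: Dict[str, int] = defaultdict(int)
    still_open: Dict[str, int] = defaultdict(int)
    for (host, port, asn), answering in status.items():
        party = owners.get(asn, f"AS{asn}")   # unmapped ASN: fall back to its number
        asns[party].add(asn)
        unique[party] += 1
        if answering:
            still_open[party] += 1
    return [Row(tuple(sorted(asns[p])), p, unique[p], still_open[p]) for p in unique]


def rank_by_open(sightings: Iterable[Sighting], owners: Dict[int, str], top: int = 15) -> List[Row]:
    """The report's first table: most open-unresolved C&Cs first, unique count as tie-break."""
    rows = aggregate(sightings, owners)
    return sorted(rows, key=lambda r: (-r.open_unresolved, -r.unique, r.party))[:top]


def rank_by_unique(sightings: Iterable[Sighting], owners: Dict[int, str], top: int = 10) -> List[Row]:
    """The report's historical table: most unique C&Cs first, open count as tie-break."""
    rows = aggregate(sightings, owners)
    return sorted(rows, key=lambda r: (-r.unique, -r.open_unresolved, r.party))[:top]


def display_count(n: int, bucket_small: bool = False) -> str:
    """Optionally print small open counts as '1-5', as the report does for some parties (assumed convention)."""
    return "1-5" if bucket_small and 1 <= n <= 5 else str(n)


def format_table(rows: Iterable[Row], bucket_small: bool = False) -> str:
    """Render rows in the report's column layout."""
    lines = [f"{'ASN':<28}{'Responsible Party':<32}{'Unique C&Cs':>12}{'Open-unresolved':>17}"]
    for r in rows:
        asn_col = ", ".join(str(a) for a in r.asns)
        lines.append(f"{asn_col:<28}{r.party:<32}{r.unique:>12}"
                     f"{display_count(r.open_unresolved, bucket_small):>17}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Top by open-unresolved:")
    print(format_table(rank_by_open(SIGHTINGS, ASN_OWNER)))
    print("\nHistorical by unique C&Cs:")
    print(format_table(rank_by_unique(SIGHTINGS, ASN_OWNER), bucket_small=True))
```

Note the two things that most affect such a ranking: deduplication (a C&C observed on several passes must not be counted once per pass) and letting the latest pass decide "open", otherwise a party that has already cleaned up keeps appearing as unresolved.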
The Trojan horses most used in botnets:
---------------------------------------
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
etc.).
This report is unchanged.
Credit for gathering the data and compiling the statistics should go to:
Prof. Randal Vaughn <Randy_Vaughn@xxxxxxxxxx>
--
Gadi Evron,
Israeli Government CERT Manager,
Tehila, Ministry of Finance.
gadi@xxxxxxxxxxx
Office: +972-2-5317890
Fax: +972-2-5317801
The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.