drone armies C&C report - May/2005

[Gadi Evron <gadi@xxxxxxxxxxxxx>]

Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.

According to our incomplete analysis of information we have thus far, we
now publish our regular two reports.


This month we would especially like to commend Staminus, who contacted 
us and have since made incredible efforts to deal with the threat. Also, 
we'd like to mention Internap for their continuous efforts.


The ISP's that are most often plagued with botnet C&C's (command &
control) are, by the order listed:
----------------------------------

Top 15 with open non-resolved suspect C&Cs by Name:
ASN     Responsible Party               Unique C&Cs     Open-unresolved
6517    YIPESCOM - Yipes Communication  60              41
21840   SAGONET-TPA - Sago Networks     90              24
25761   STAMINUS-COMM - Staminus Commu  86              20
4766    KIXS-AS-KR Korea Telecom        43              20
13680   AS13680 Hostway Corporation Ta  22              19
21698   NEBRIX-CA - Nebrix Communicati  24              18
13301   UNITEDCOLO-AS Autonomous Syste  27              17
21788   NOC - Network Operations Cente  29              16
29415   EUROWAN-ASN OVANET - EuroWan d  16              15
13749   EVERYONES-INTERNET - Everyones  24              14
30083   SERVER4YOU - Server4You Inc.    21              14
25700   SWIFTDESK - SWIFTDESK VENTURE   13              13
23522   CIT-FOONET - CREATIVE INTERNET  14              12
27595   ATRIVO-AS - Atrivo              31              11
13237   LAMBDANET-AS European Backbone  11              11

The following table is a historical ranking of the top 10
Responsible parties listed by the number of unique C&Cs in
the BBL along with the current number of C&Cs responding as
open at the time of the survey.

ASN     Responsible Party               Unique C&Cs     Open-unresolved
21840   SAGONET-TPA - Sago Networks     90              24
10913   INTERNAP (Block 1,3,4,5)        90              1-5
13790
19024
14742

25761   STAMINUS-COMM - Staminus Commu  86              20
6517    YIPESCOM - Yipes Communication  60              41
4766    KIXS-AS-KR Korea Telecom        43              20
27595   ATRIVO-AS - Atrivo              31              11
21844   THEPLANET-AS - THE PLANET       31              1-5
21788   NOC - Network Operations Cente  29              16
13301   UNITEDCOLO-AS Autonomous Syste  27              17
3356    LEVEL3 Level 3 Communications   25              1-5

* We would gladly like to establish a trusted relationship with
  these and any organizations to help them in the future.

* By previous requests here is an explanation of what "ASN" is, by Joe
  St Sauver:
  http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf


The Trojan horses most used in botnets:
---------------------------------------

1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
   etc.).

This report is unchanged.


Credit for gathering the data and compiling the statistics should go to:
Prof. Randal Vaughn <Randy_Vaughn@xxxxxxxxxx>

--
Gadi Evron,
Israeli Government CERT Manager,
Tehila, Ministry of Finance.

gadi@xxxxxxxxxxx
Office: +972-2-5317890
Fax: +972-2-5317801

The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.