Below is a periodic public report from the drone armies / botnets research and mitigation mailing list. For this report it should be noted that we base our analysis on the data we have accumulated from various sources. According to our incomplete analysis of information we have thus far, we now publish our regular two reports. We have updated our algorithms and combined our main reports into one table. This survey reflects an overall change in Responsible Party rankings. We have established trusted relationships with Atrivo and The Planet. In the case of The Planet these relationships have helped to achieve a significant reduction in C&Cs with only 1 C&C reporting as active in The Planet's space for this survey. Atrivo also responds to reported C&Cs. PNAP and KrCert made an incredible progress. Sagonet has also requested C&C information but is ranked in the top 4 Responsible parties for this survey. The ISP's that are most often plagued with botnet C&C's (command & control) are, by the order listed: ---------------------------------- ASN Responsible Party Unique open-unresolved {10913, INTERNAP (Block4,2BLK,BLK) 60-79 1-5 12179 13790, 19024, 14744} 21840 SAGONET-TPA - Sago Networks 40-59 10-15 25761 STAMINUS-COMM - Staminus Commu 40-59 20-29 {13884, THEPLANET-AS - THE PLANET 20-29 1-5 21844} 21788 NOC - Network Operations Cente 16-20 10-15 6517 YIPESCOM - Yipes Communication 16-20 11 3356 LEVEL3 Level 3 Communications 10-15 1-5 32065 VORTECH-INC - Vortech Inc. 10-15 14 27595 ATRIVO-AS - Atrivo 10-15 1-5 4766 KIXS-AS-KR Korea Telecom 10-15 1-5 7132 SBIS-AS - SBC Internet Service 10-15 1-5 15535 VIRTUALXS-AS VirtualXS Interne 10-15 1-5 * We would gladly like to establish a trusted relationship with these and any organizations to help them in the future. * By previous requests here is an explanation of what "ASN" is, by Joe St Sauver: http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf The Trojan horses most used in botnets: --------------------------------------- 1. Korgobot. 2. SpyBot. 3. Optix Pro. 4. rBot. 5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots, etc.). This report is unchanged. Credit for gathering the data and compiling the statistics should go to: Prof. Randal Vaughn <Randy_Vaughn@baylor.edu> -- Gadi Evron, Information Security Manager, Project Tehila - Israeli Government Internet Security. Ministry of Finance, Israel. gadi@tehila.gov.il gadi@CERT.gov.il Office: +972-2-5317890 Fax: +972-2-5317801 http://www.tehila.gov.il The opinions, views, facts or anything else expressed in this email message are not necessarily those of the Israeli Government.