Below is a periodic public report from the drone armies / botnets research and mitigation mailing list. For this report it should be noted that we base our analysis on the data we have accumulated from various sources. According to our incomplete analysis of information we have thus far, we now publish two reports. The ISP's that are most often plagued with botnet C&C's (command & control) are, by the order listed: ---------------------------------- Responsible Party Count ASN SAGONE Sago Networks 16-20 21840 THEPL-1 THE PLANET* 16-20 {21844,13884} PNAP Internap Network Services 11-15 {10913,13790,14742,14744} STAMIN-2 Staminus Communicatio 11-15 25761 ATRIV Atrivo 11-15 27595 MSG-48 Managed Solutions Group 8-10 27645 YIPS Yipes Communications Inc 8-10 6517 LEVEL3 Level 3 Communications 8-10 3356 * Note that the above details are only for botnet C&C's that are still active. * We would gladly like to establish a trusted relationship with these and any organizations to help them in the future. * Please note the serious decrease in live Korean botnets, largely due to the efforts of KrCERT. The Trojan horses most used in botnets: --------------------------------------- The below details have not changed much, although we are seeing an increase in rBot variants. 1. Korgobot. 2. SpyBot. 3. Optix Pro. 4. rBot. 5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots, etc.). Contact information: Hank Nussbacher <hank@mail.iucc.ac.il> Gadi Evron (as specified below) -- Gadi Evron, Information Security Manager, Project Tehila - Israeli Government Internet Security. Ministry of Finance, Israel. gadi@tehila.gov.il gadi@CERT.gov.il Office: +972-2-5317890 Fax: +972-2-5317801 http://www.tehila.gov.il The opinions, views, facts or anything else expressed in this email message are not necessarily those of the Israeli Government.