drone armies C&C report - May/2005
Below is a periodic public report from the drone armies / botnets research and mitigation mailing list.

For this report it should be noted that we base our analysis on the data we have accumulated from various sources. According to our incomplete analysis of the information we have thus far, we now publish our regular two reports.

This month we would especially like to commend Staminus, who contacted us and have since made incredible efforts to deal with the threat. Also, we'd like to mention Internap for their continuous efforts.

The ISPs that are most often plagued with botnet C&Cs (command & control) are, in the order listed:

----------------------------------
Top 15 with open non-resolved suspect C&Cs by Name:

ASN    Responsible Party                 Unique C&Cs  Open-unresolved
6517   YIPESCOM - Yipes Communication    60           41
21840  SAGONET-TPA - Sago Networks       90           24
25761  STAMINUS-COMM - Staminus Commu    86           20
4766   KIXS-AS-KR Korea Telecom          43           20
13680  AS13680 Hostway Corporation Ta    22           19
21698  NEBRIX-CA - Nebrix Communicati    24           18
13301  UNITEDCOLO-AS Autonomous Syste    27           17
21788  NOC - Network Operations Cente    29           16
29415  EUROWAN-ASN OVANET - EuroWan d    16           15
13749  EVERYONES-INTERNET - Everyones    24           14
30083  SERVER4YOU - Server4You Inc.      21           14
25700  SWIFTDESK - SWIFTDESK VENTURE     13           13
23522  CIT-FOONET - CREATIVE INTERNET    14           12
27595  ATRIVO-AS - Atrivo                31           11
13237  LAMBDANET-AS European Backbone    11           11

The following table is a historical ranking of the top 10 Responsible parties listed by the number of unique C&Cs in the BBL along with the current number of C&Cs responding as open at the time of the survey.

ASN    Responsible Party                 Unique C&Cs  Open-unresolved
21840  SAGONET-TPA - Sago Networks       90           24
10913  INTERNAP (Block 1,3,4,5)          90           1-5
13790
19024
14742
25761  STAMINUS-COMM - Staminus Commu    86           20
6517   YIPESCOM - Yipes Communication    60           41
4766   KIXS-AS-KR Korea Telecom          43           20
27595  ATRIVO-AS - Atrivo                31           11
21844  THEPLANET-AS - THE PLANET         31           1-5
21788  NOC - Network Operations Cente    29           16
13301  UNITEDCOLO-AS Autonomous Syste    27           17
3356   LEVEL3 Level 3 Communications     25           1-5

* We would gladly like to establish a trusted relationship with these and any organizations to help them in the future.

* By previous request, here is an explanation of what "ASN" is, by Joe St Sauver: http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf

The Trojan horses most used in botnets:
---------------------------------------
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots, etc.).

This report is unchanged.

Credit for gathering the data and compiling the statistics should go to:
Prof. Randal Vaughn <Randy_Vaughn@baylor.edu>

--
Gadi Evron, Israeli Government CERT Manager, Tehila, Ministry of Finance.
gadi@CERT.gov.il
Office: +972-2-5317890 Fax: +972-2-5317801

The opinions, views, facts or anything else expressed in this email message are not necessarily those of the Israeli Government.