RE: drone armies C&C report - July/2005
The question of self promotion came back split down the middle. It was noted that IL CERT does a fantastic job seeing that there are no IL networks listed. Or none that are easily identifiable. YMMV.

-M<

--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV Operations & Infrastructure
hannigan@verisign.com

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Gadi Evron
Sent: Monday, August 15, 2005 8:22 AM
To: nanog@merit.edu
Subject: drone armies C&C report - July/2005
Below is a periodic public report from the drone armies / botnets research and mitigation mailing list. For this report it should be noted that we base our analysis on the data we have accumulated from various sources.
According to our incomplete analysis of information we have thus far, we now publish our regular reports, with some additional information.
As of this month, any responsible party that wishes to receive information about botnet C&C's in their net space can contact us and be added to our notification list.
This month's survey is of 3629 unique domain with port or IP with port suspect C&Cs. This list is extracted from the BBL which currently has a historical base of 4464 reported C&Cs. Of the suspect C&Cs surveyed, 920 reported as Open, 3115 reported as closed and 393 issued resets to the survey instrument. Of the C&Cs listed by domain name, 2080 are mitigated via remapping. 276 ASNs report one or more open C&Cs.
ASNs with 10 or more unresolved and open suspect C&Cs:

ASNumber  Responsible Party               Count  Open/Unresolved
21840     SAGONET-TPA - Sago Networks     53     34
30058     FDCSERVERS - FDCservers.net LL  65     32
30083     SERVER4YOU - Server4You Inc.    41     28
12832     LYCOS-EUROPE Lycos Europe GmbH  31     27
23522     CIT-FOONET - CREATIVE INTERNET  25     23
174       COGENT Cogent/PSI               45     23
13680     AS13680 Hostway Corporation Ta  22     22
6461      MFNX MFN - Metromedia Fiber Ne  23     18
27595     ATRIVO-AS - Atrivo              27     16
15083     INFOLINK-MIA-US - Infolink Inf  19     15
4766      KIXS-AS-KR Korea Telecom        41     15
8560      SCHLUND-AS Schlund + Partner A  28     14
27645     ASN-NA-MSG-01 - Managed Soluti  19     12
13237     LAMBDANET-AS European Backbone  15     12
1113      TUGNET Technische Universitaet  12     11
13301     UNITEDCOLO-AS Autonomous Syste  16     11
6939      HURRICANE - Hurricane Electric  12     10
16265     LEASEWEB LEASEWEB AS            13     10
21698     NEBRIX-CA - Nebrix Communicati  25     10

Top 10 ASNs by total count:

ASNumber  Responsible Party               Count  Open/Unresolved
14742     INTERNAP-BLOCK-4 - Internap Ne  118    1
14744     INTERNAP-BLOCK-4 - Internap Ne  118    1
25761     STAMINUS-COMM - Staminus Commu  69     25
10913     INTERNAP-BLK - Internap Networ  67     1
30058     FDCSERVERS - FDCservers.net LL  65     32
21840     SAGONET-TPA - Sago Networks     53     34
174       COGENT Cogent/PSI               45     23
4766      KIXS-AS-KR Korea Telecom        41     15
30083     SERVER4YOU - Server4You Inc.    41     28
3356      LEVEL3 Level 3 Communications   37     2
ASNs with one or more open C&Cs:
* We would gladly like to establish a trusted relationship with these and any organizations to help them in the future.
* By previous requests here is an explanation of what "ASN" is, by Joe St Sauver: http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
The Trojan horses most used in botnets:
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots, etc.).
This report is unchanged.
Credit for gathering the data and compiling the statistics from our group efforts should go to the Statistics Project lead: Prof. Randal Vaughn <Randy_Vaughn@baylor.edu>
-- Gadi Evron, Israeli Government CERT Manager, Tehila, Ministry of Finance.
gadi@CERT.gov.il Office: +972-2-5317890 Fax: +972-2-5317801
The opinions, views, facts or anything else expressed in this email message are not necessarily those of the Israeli Government.