drone armies C&C report - March/2005
Below is a periodic public report from the drone armies / botnets research and mitigation mailing list. For this report it should be noted that we base our analysis on the data we have accumulated from various sources. According to our incomplete analysis of the information we have thus far, we now publish two reports.

The ISPs most often plagued with botnet C&Cs (command & control), in the order listed:
----------------------------------

Top 13 with open non-resolved suspect C&Cs

ASN     Responsible Party                  Unique IPs   Open-unresolved
21840   SAGONET-TPA - Sago Networks        31-40        11-15
25761   STAMINUS-COMM - Staminus Commu     16-20        11-15
27595   ATRIVO-AS - Atrivo                 6-10         6-10
27654   ASN-NA-MSG-01 - Managed Soluti     6-10         3-5
17676   JPNIC-JP-ASN-BLOCK Japan Netwo     6-10         3-5
16625   LEASEWEB LEASEWEB AS               3-5          3-5
4713    OCN NTT Communications Corpora     6-10         3-5
8551    BEZEQ-INTERNATIONAL-AS Bezeqin     3-5          3-5
13749   EVERYONES-INTERNET - Everyones     3-5          3-5
4766    KIXS-AS-KR Korea Telecom           6-10         3-5
21788   NOC - Network Operations Cente     6-10         3-5
13301   UNITEDCOLO-AS Autonomous Syste     3-5          3-5
6517    YIPESCOM - Yipes Communication     6-10         3-5

Top 10 frequently listed without regard to state

ASN                          Responsible Party                  Unique IPs
21840                        SAGONET-TPA - Sago Networks        31-40
25761                        STAMINUS-COMM - Staminus Commu     16-20
{10913,13790,19024,14744}    INTERNAP Internap                  11-15
{13884,21844}                THEPLANET-AS - THE PLANET          11-15
27654                        ASN-NA-MSG-01 - Managed Soluti     6-10
4766                         KIXS-AS-KR Korea Telecom           6-10
4713                         OCN NTT Communications Corpora     6-10
17676                        JPNIC-JP-ASN-BLOCK Japan Netwo     6-10
3356                         LEVEL3 Level 3 Communications      6-10

Unresolved open IPs for the top 10

ASN                          Responsible Party                  Open-unresolved
21840                        SAGONET-TPA - Sago Networks        11-15
25761                        STAMINUS-COMM - Staminus Commu     6-10
{10913,13790,19024,14744}    INTERNAP Internap                  1-3
{13884,21844}                THEPLANET-AS - THE PLANET          1-3
27654                        ASN-NA-MSG-01 - Managed Soluti     3-5
4766                         KIXS-AS-KR Korea Telecom           3-5
4713                         OCN NTT Communications Corpora     3-5
17676                        JPNIC-JP-ASN-BLOCK Japan Netwo     3-5
3356                         LEVEL3 Level 3 Communications      1-3

* We would gladly establish a trusted relationship with these and any other organizations to help them in the future.
* We would especially like to note the serious and prompt response by PNAP, as well as the serious efforts made by The Planet.
* By previous request, here is an explanation of what an "ASN" is, by Joe St Sauver: http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
* Clarification: the definition of "count" is how many C&C servers are located at the given AS. We have renamed it to "Unique IPs" and "Open-unresolved" accordingly.

The Trojan horses most used in botnets:
---------------------------------------
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots, etc.).

* There seems to be an increase in Energymechs used for botnets running on *nix machines.

--
Gadi Evron,
Information Security Manager,
Project Tehila - Israeli Government Internet Security.
Ministry of Finance, Israel.
gadi@tehila.gov.il
gadi@CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il

The opinions, views, facts or anything else expressed in this email message are not necessarily those of the Israeli Government.