drone armies C&C report - June/2005
Below is a periodic public report from the drone armies / botnets research and mitigation mailing list.

For this report it should be noted that we base our analysis on the data we have accumulated from various sources. According to our incomplete analysis of the information we have thus far, we now publish our regular reports, with some additional statistics.

We changed our report this month to reflect past data, and try to ascertain from our own experience response rates to botnet reports.

This month we would once again like to commend Staminus and Internap, who continually surprise us with their immediate response to our reports. The numbers speak for themselves.

A couple of other notable ISPs we rarely mention (because they were never a problem) are AOL and Comcast. Comcast has been with us since the start and has shown nothing but seriousness. AOL are continuously ahead of the curve, which is something I personally am close to adoring.

The most impressive turn-about change in behavior though came from ThePlanet, who investigate and eliminate any botnet C&C they encounter in record time, up to the point where they no longer appear in our monthly reports - where they used to have a revered seat at the top.

The report summary includes a Percent Resolved column in order to recognize the mitigation efforts of the AS Responsible Parties. The Opens Unresolved column represents the number of unique C&C which reported as open to the survey's connection attempts and which have neither been investigated nor cleared by the Responsible Party (to the extent of our knowledge). The Mapping Count may include multiple names mapping to a single IP within an AS. We count each mapping count as a unique C&C.

AS Responsible Parties ranked by top Opens Unresolved:

Responsible Party                 Mapping  Opens       Percent
                                  Count    Unresolved  Resolved
SERVER4YOU - Server4You Inc.        49       37          24
UNITEDCOLO-AS Autonomous Syste      44       36          18
SAGONET-TPA - Sago Networks         80       32          60
MFNX MFN - Metromedia Fiber Ne      61       28          54
NOC - Network Operations Cente      39       27          31
AS13680 Hostway Corporation Ta      22       22           0
FDCSERVERS - FDCservers.net LL      42       19          55
NEBRIX-CA - Nebrix Communicati      33       16          52
ASN-NA-MSG-01 - Managed Soluti      31       14          55
LAMBDANET-AS European Backbone      15       14           7
INFOLINK-MIA-US - Infolink Inf      28       13          54
LYCOS-EUROPE Lycos Europe GmbH      17       13          24

Historical Report ranked by past suspect C&Cs mapping into the AS:

Responsible Party                 Mapping  Opens       Percent
                                  Count    Unresolved  Resolved
SAGONET-TPA - Sago Networks         80       32          60
MFNX MFN - Metromedia Fiber Ne      61       28          54
STAMINUS-COMM - Staminus Commu      56        0         100
INTERNAP-BLOCK-4 - Internap Ne      54        0         100
INTERNAP-BLK - Internap Networ      52        0         100
SERVER4YOU - Server4You Inc.        49       37          24
UNITEDCOLO-AS Autonomous Syste      44       36          18
FDCSERVERS - FDCservers.net LL      42       19          55
NOC - Network Operations Cente      39       27          31
KIXS-AS-KR Korea Telecom            33        8          76
NEBRIX-CA - Nebrix Communicati      33       16          52
ASN-NA-MSG-01 - Managed Soluti      31       14          55

* We would gladly like to establish a trusted relationship with these and any organizations to help them in the future.

* By previous requests, here is an explanation of what "ASN" is, by Joe St Sauver: http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf

The Trojan horses most used in botnets:

1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots, etc.).

This report is unchanged.

Credit for gathering the data and compiling the statistics from our group efforts should go to the Statistics Project lead: Prof. Randal Vaughn <Randy_Vaughn@baylor.edu>

--
Gadi Evron,
Israeli Government CERT Manager,
Tehila, Ministry of Finance.
gadi@CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801

The opinions, views, facts or anything else expressed in this email message are not necessarily those of the Israeli Government.
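The report defines its three columns (Mapping Count, Opens Unresolved, Percent Resolved) in prose but never states the arithmetic that ties them together. The following Python is an added example, not code from the report or from the mailing list's statistics project; it assumes that Percent Resolved is the share of an AS's mapped C&Cs that are no longer open, rounded to a whole percent (an inference that agrees with every row printed above), and that ties in the rankings are broken alphabetically by Responsible Party (an assumption). It recomputes the column from the other two, flags any row where the printed figure disagrees with that definition, reproduces both rankings, and lists parties with no resolved C&Cs at all, which is the kind of consistency check a recipient of such a report would want before relying on it.

```python
"""Recompute and sanity-check the column arithmetic behind the C&C report tables."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AsRow:
    responsible_party: str   # AS Responsible Party as printed in the report
    mapping_count: int       # unique name->IP C&C mappings observed inside the AS
    opens_unresolved: int    # C&Cs still answering the survey and not yet cleared
    percent_resolved: int    # the percentage the report prints for this row


# Rows copied from the June 2005 "ranked by top Opens Unresolved" table.
REPORT_ROWS: List[AsRow] = [
    AsRow("SERVER4YOU - Server4You Inc.", 49, 37, 24),
    AsRow("UNITEDCOLO-AS Autonomous Syste", 44, 36, 18),
    AsRow("SAGONET-TPA - Sago Networks", 80, 32, 60),
    AsRow("MFNX MFN - Metromedia Fiber Ne", 61, 28, 54),
    AsRow("NOC - Network Operations Cente", 39, 27, 31),
    AsRow("AS13680 Hostway Corporation Ta", 22, 22, 0),
    AsRow("FDCSERVERS - FDCservers.net LL", 42, 19, 55),
    AsRow("NEBRIX-CA - Nebrix Communicati", 33, 16, 52),
    AsRow("ASN-NA-MSG-01 - Managed Soluti", 31, 14, 55),
    AsRow("LAMBDANET-AS European Backbone", 15, 14, 7),
    AsRow("INFOLINK-MIA-US - Infolink Inf", 28, 13, 54),
    AsRow("LYCOS-EUROPE Lycos Europe GmbH", 17, 13, 24),
]

# Rows copied from the "Historical Report ranked by past suspect C&Cs" table.
HISTORICAL_ROWS: List[AsRow] = [
    AsRow("SAGONET-TPA - Sago Networks", 80, 32, 60),
    AsRow("MFNX MFN - Metromedia Fiber Ne", 61, 28, 54),
    AsRow("STAMINUS-COMM - Staminus Commu", 56, 0, 100),
    AsRow("INTERNAP-BLOCK-4 - Internap Ne", 54, 0, 100),
    AsRow("INTERNAP-BLK - Internap Networ", 52, 0, 100),
    AsRow("SERVER4YOU - Server4You Inc.", 49, 37, 24),
    AsRow("UNITEDCOLO-AS Autonomous Syste", 44, 36, 18),
    AsRow("FDCSERVERS - FDCservers.net LL", 42, 19, 55),
    AsRow("NOC - Network Operations Cente", 39, 27, 31),
    AsRow("KIXS-AS-KR Korea Telecom", 33, 8, 76),
    AsRow("NEBRIX-CA - Nebrix Communicati", 33, 16, 52),
    AsRow("ASN-NA-MSG-01 - Managed Soluti", 31, 14, 55),
]


def percent_resolved(mapping_count: int, opens_unresolved: int) -> int:
    """Assumed definition: mapped C&Cs that are no longer open, as a whole percent.

    Guarded against the two inputs a malformed row could carry: a zero mapping
    count (division by zero) and more open C&Cs than were ever mapped.
    """
    if mapping_count <= 0:
        raise ValueError("mapping count must be positive")
    if not 0 <= opens_unresolved <= mapping_count:
        raise ValueError("opens unresolved must lie between 0 and mapping count")
    return round(100 * (mapping_count - opens_unresolved) / mapping_count)


def check_report(rows: List[AsRow]) -> List[str]:
    """Return the parties whose printed percentage disagrees with the definition."""
    return [r.responsible_party for r in rows
            if percent_resolved(r.mapping_count, r.opens_unresolved) != r.percent_resolved]


def rank_by_opens_unresolved(rows: List[AsRow]) -> List[AsRow]:
    """Ordering of the first table: most still-open C&Cs first, ties by name (assumed)."""
    return sorted(rows, key=lambda r: (-r.opens_unresolved, r.responsible_party))


def rank_by_mapping_count(rows: List[AsRow]) -> List[AsRow]:
    """Ordering of the historical table: most mappings first, ties by name (assumed)."""
    return sorted(rows, key=lambda r: (-r.mapping_count, r.responsible_party))


def fully_unresolved(rows: List[AsRow]) -> List[str]:
    """Parties for which every mapped C&C is still open: the ones that never responded."""
    return [r.responsible_party for r in rows if r.opens_unresolved == r.mapping_count]


def format_table(rows: List[AsRow], title: str) -> str:
    """Render rows in the report's own plain-text column layout."""
    lines = [title, "", f"{'Responsible Party':<32} {'Mapping':>7} {'Opens':>10} {'Percent':>8}",
             f"{'':<32} {'Count':>7} {'Unresolved':>10} {'Resolved':>8}"]
    for r in rows:
        lines.append(f"{r.responsible_party:<32} {r.mapping_count:>7} "
                     f"{r.opens_unresolved:>10} {r.percent_resolved:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(rank_by_opens_unresolved(REPORT_ROWS),
                       "AS Responsible Parties ranked by top Opens Unresolved:"))
    print("\nRows inconsistent with the Percent Resolved definition:",
          check_report(REPORT_ROWS) or "none")
    print("Parties with nothing resolved:", fully_unresolved(REPORT_ROWS))
```

Running the script prints the first table in the report's layout, confirms that every printed percentage matches the assumed definition, and singles out the one AS (Hostway) whose mapped C&Cs were all still open. Feeding it a row whose percentage was transcribed wrongly makes `check_report` name that party, which is why the figure is recomputed rather than trusted.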