nanog mailing list archives

drone armies C&C report - June/2005


From: Gadi Evron <gadi () tehila gov il>
Date: Mon, 04 Jul 2005 14:17:09 +0300


Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.

According to our incomplete analysis of information we have thus far, we
now publish our regular reports, with some additional statistics.

We changed our report this month to reflect past data, and try to ascertain from our own experience response rates to botnet reports.


This month we would once again like to commend Staminus and Internap, who continually surprise us with their immediate response to our reports. The numbers speak for themselves.

A couple of other notable ISPs we rarely mention (because they were never a problem) are AOL and Comcast. Comcast has been with us since the start and has shown nothing but seriousness. AOL are continuously ahead of the curve, which is something I personally am close to adoring.

The most impressive turn-about change in behavior though came from ThePlanet, who investigate and eliminate any botnet C&C they encounter in record time up to the point where they no longer appear in our monthly reports - where they used to have a revered seat at the top.


The report summary includes a Percent Resolved Column in order to recognize the mitigation efforts of the AS Responsible Parties. The Opens Unresolved column represents the number of unique C&C which reported as open to the survey's connection attempts and which have neither been investigated nor cleared by the Responsible Party (to the extent of our knowledge). The Mapping count may include multiple names mapping to a single IP within an AS. We count each mapping count as a unique C&C.

AS Responsible Parties ranked by top Opens Unresolved

Responsible Party               Mapping    Opens        Percent
                                Count      Unresolved   Resolved
SERVER4YOU - Server4You Inc.    49         37           24
UNITEDCOLO-AS Autonomous Syste  44         36           18
SAGONET-TPA - Sago Networks     80         32           60
MFNX MFN - Metromedia Fiber Ne  61         28           54
NOC - Network Operations Cente  39         27           31
AS13680 Hostway Corporation Ta  22         22            0
FDCSERVERS - FDCservers.net LL  42         19           55
NEBRIX-CA - Nebrix Communicati  33         16           52
ASN-NA-MSG-01 - Managed Soluti  31         14           55
LAMBDANET-AS European Backbone  15         14            7
INFOLINK-MIA-US - Infolink Inf  28         13           54
LYCOS-EUROPE Lycos Europe GmbH  17         13           24

Historical Report ranked by past suspect C&Cs mapping into the AS:

Responsible Party               Mapping    Opens        Percent
                                Count      Unresolved   Resolved
SAGONET-TPA - Sago Networks     80         32           60
MFNX MFN - Metromedia Fiber Ne  61         28           54
STAMINUS-COMM - Staminus Commu  56          0           100
INTERNAP-BLOCK-4 - Internap Ne  54          0           100
INTERNAP-BLK - Internap Networ  52          0           100
SERVER4YOU - Server4You Inc.    49         37           24
UNITEDCOLO-AS Autonomous Syste  44         36           18
FDCSERVERS - FDCservers.net LL  42         19           55
NOC - Network Operations Cente  39         27           31
KIXS-AS-KR Korea Telecom        33          8           76
NEBRIX-CA - Nebrix Communicati  33         16           52
ASN-NA-MSG-01 - Managed Soluti  31         14           55
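The two tables above are derived from the same three per-AS figures (mapping count, opens unresolved, and the percentage resolved), ranked two different ways. The following Python script is an added example, not part of the original report or its statistics project: it parses rows in the report's plain-text layout, recomputes the Percent Resolved column, flags any row whose printed percentage disagrees, and produces both rankings. The derivation used, round((Mapping Count - Opens Unresolved) / Mapping Count * 100), is an assumption; the report does not state its formula, but this one reproduces every row printed above. The sample rows embedded below are copied from the report's tables.

```python
import re

# Rows copied from the report's tables: Responsible Party, Mapping Count,
# Opens Unresolved, Percent Resolved (as printed).
REPORT_TABLE = """\
SERVER4YOU - Server4You Inc.    49         37           24
UNITEDCOLO-AS Autonomous Syste  44         36           18
SAGONET-TPA - Sago Networks     80         32           60
STAMINUS-COMM - Staminus Commu  56          0           100
AS13680 Hostway Corporation Ta  22         22            0
"""

# A data row is free text followed by three whitespace-separated integers.
ROW_RE = re.compile(r"^(?P<party>.+?)\s+(?P<count>\d+)\s+(?P<open>\d+)\s+(?P<pct>\d+)\s*$")


def parse_rows(text):
    """Parse report-style lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "party": m.group("party").strip(),
            "count": int(m.group("count")),
            "open": int(m.group("open")),
            "pct_printed": int(m.group("pct")),
        })
    return rows


def percent_resolved(count, open_unresolved):
    """Assumed derivation of the Percent Resolved column, rounded half up.

    Integer arithmetic is used so the rounding does not depend on float
    representation or on Python's round-half-to-even behaviour.
    """
    if count <= 0:
        raise ValueError("mapping count must be positive")
    if open_unresolved > count:
        raise ValueError("opens unresolved cannot exceed mapping count")
    resolved = count - open_unresolved
    return (2 * resolved * 100 + count) // (2 * count)


def check_table(rows):
    """Return the parties whose printed percentage disagrees with the recomputation."""
    return [r["party"] for r in rows
            if percent_resolved(r["count"], r["open"]) != r["pct_printed"]]


def rank_by_opens(rows):
    """The report's primary ranking: most open, unresolved C&Cs first."""
    return [r["party"] for r in sorted(rows, key=lambda r: (-r["open"], -r["count"]))]


def rank_by_mapping(rows):
    """The historical ranking: most suspect C&C mappings into the AS first."""
    return [r["party"] for r in sorted(rows, key=lambda r: (-r["count"], -r["open"]))]


if __name__ == "__main__":
    rows = parse_rows(REPORT_TABLE)
    print("rows whose printed percentage does not match:", check_table(rows))
    print("ranked by opens unresolved:")
    for party in rank_by_opens(rows):
        print("  ", party)
    print("ranked by mapping count:")
    for party in rank_by_mapping(rows):
        print("  ", party)
```

Running the script against the rows above reports no mismatches, which is the check a reader would want before relying on the percentages; pasting the full tables into REPORT_TABLE extends it to the whole report.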


* We would gladly like to establish a trusted relationship with
  these and any organizations to help them in the future.

* By previous requests here is an explanation of what "ASN" is, by Joe
  St Sauver:
  http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf


The Trojan horses most used in botnets:

1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
   etc.).

This report is unchanged.


Credit for gathering the data and compiling the statistics from our group efforts should go to the Statistics Project lead:
Prof. Randal Vaughn <Randy_Vaughn () baylor edu>

--
Gadi Evron,
Israeli Government CERT Manager,
Tehila, Ministry of Finance.

gadi () CERT gov il
Office: +972-2-5317890
Fax: +972-2-5317801

The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.

