drone armies C&C report - July/2005
Hannigan, Martin
hannigan at verisign.com
Mon Aug 15 21:05:34 UTC 2005
The question of self promotion came back split down
the middle.
It was noted that IL CERT does a fantastic job seeing that
there are no IL networks listed. Or none that are easily
identifiable.
YMMV.
-M<
--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV Operations & Infrastructure
hannigan at verisign.com
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
> Gadi Evron
> Sent: Monday, August 15, 2005 8:22 AM
> To: nanog at merit.edu
> Subject: drone armies C&C report - July/2005
>
>
>
> Below is a periodic public report from the drone armies / botnets
> research and mitigation mailing list.
> For this report it should be noted that we base our analysis on the data
> we have accumulated from various sources.
>
> According to our incomplete analysis of information we have thus far, we
> now publish our regular reports, with some additional information.
>
>
> As of this month, any responsible party that wishes to receive
> information about botnet C&C's in their net space can contact us and be
> added to our notification list.
>
>
> This month's survey is of 3629 unique domain with port or IP with port
> suspect C&Cs. This list is extracted from the BBL which currently has
> a historical base of 4464 reported C&Cs. Of the suspect C&Cs surveyed,
> 920 reported as Open, 3115 reported as closed and 393 issued resets to
> the survey instrument. Of the C&Cs listed by domain name, 2080 are
> mitigated via remapping. 276 ASNs report one or more open C&Cs.
>
>
> ASNs with 10 or more unresolved and open suspect C&Cs:
> ASNumber  Responsible Party               Count  Open/Unresolved
> 21840     SAGONET-TPA - Sago Networks     53     34
> 30058     FDCSERVERS - FDCservers.net LL  65     32
> 30083     SERVER4YOU - Server4You Inc.    41     28
> 12832     LYCOS-EUROPE Lycos Europe GmbH  31     27
> 23522     CIT-FOONET - CREATIVE INTERNET  25     23
> 174       COGENT Cogent/PSI               45     23
> 13680     AS13680 Hostway Corporation Ta  22     22
> 6461      MFNX MFN - Metromedia Fiber Ne  23     18
> 27595     ATRIVO-AS - Atrivo              27     16
> 15083     INFOLINK-MIA-US - Infolink Inf  19     15
> 4766      KIXS-AS-KR Korea Telecom        41     15
> 8560      SCHLUND-AS Schlund + Partner A  28     14
> 27645     ASN-NA-MSG-01 - Managed Soluti  19     12
> 13237     LAMBDANET-AS European Backbone  15     12
> 1113      TUGNET Technische Universitaet  12     11
> 13301     UNITEDCOLO-AS Autonomous Syste  16     11
> 6939      HURRICANE - Hurricane Electric  12     10
> 16265     LEASEWEB LEASEWEB AS            13     10
> 21698     NEBRIX-CA - Nebrix Communicati  25     10
>
>
> Top 10 ASNs by total count:
> ASNumber  Responsible Party               Count  Open/Unresolved
> 14742     INTERNAP-BLOCK-4 - Internap Ne  118    1
> 14744     INTERNAP-BLOCK-4 - Internap Ne  118    1
> 25761     STAMINUS-COMM - Staminus Commu  69     25
> 10913     INTERNAP-BLK - Internap Networ  67     1
> 30058     FDCSERVERS - FDCservers.net LL  65     32
> 21840     SAGONET-TPA - Sago Networks     53     34
> 174       COGENT Cogent/PSI               45     23
> 4766      KIXS-AS-KR Korea Telecom        41     15
> 30083     SERVER4YOU - Server4You Inc.    41     28
> 3356      LEVEL3 Level 3 Communications   37     2
>
>
> ASNs with one or more open C&Cs:
> ASNumber Responsible Party
> 81 CONCERT - MCNC Center of Commu
> 174 COGENT Cogent/PSI
> 237 MERIT-AS-14 - Merit Network In
> 701 ALTERNET-AS - UUNET Technologi
> 790 EUNETFI EUnet Finland
> 813 UUNET-AS1 - UUNET Technologies
> 1113 TUGNET Technische Universitaet
> 1221 ASN-TELSTRA Telstra Pty Ltd
> 1239 SPRINTLINK - Sprint
> 1267 ASN-INFOSTRADA Infostrada S.p.
> 1659 ERX-TANET-ASN1 Tiawan Academic
> 1668 AOL-ATDN - AOL Transit Data Ne
> 1784 GNAPS - Global NAPs Networks
> 1785 USLEC-ASN-1785 - USLEC Corp.
> 1955 HBONE-AS HUNGARNET
> 2042 ERX-JARING Malaysian institute
> 2108 CARNET-AS Croatian Academic an
> 2119 TELENOR-NEXTEL Telenor Interne
> 2501 JPNIC-ASBLOCK-AP JPNIC
> 2514 JPNIC-ASBLOCK-AP JPNIC
> 2527 JPNIC-ASBLOCK-AP JPNIC
> 2828 XO-AS15 - XO Communications
> 2856 BT-UK-AS BTnet UK Regional net
> 2907 ERX-SINET-AS National Center f
> 2914 VERIO - Verio Inc.
> 3064 AFFINITY-FTL - Affinity Intern
> 3215 AS3215 France Telecom Transpac
> 3246 TDCSONG TDC Song
> 3248 SIL-AT SILVER:SERVER GmbH
> 3265 XS4ALL-NL XS4ALL
> 3292 TDC TDC Data Networks
> 3301 TELIANET-SWEDEN TeliaNet Swede
> 3307 BANETELE-NORWAY BaneTele AS (f
> 3313 INET-AS I.NET S.p.A.
> 3344 KEWLIO-DOT-NET Kewlio.net Limi
> 3352 TELEFONICA-DATA-ESPANA Interne
> 3356 LEVEL3 Level 3 Communications
> 3462 HINET Data Communication Busin
> 3491 BTN-ASN - Beyond The Network A
> 3561 SAVVIS - Savvis
> 3701 NERONET - Oregon Joint Graduat
> 3758 ERX-SINGNET SingNet
> 3786 ERX-DACOMNET DACOM Corporation
> 3801 MISNET - Mikrotec Internet Ser
> 4134 CHINANET-BACKBONE No.31 Jin-ro
> 4230 Embratel
> 4436 AS-NLAYER - nLayer Communicati
> 4589 EASYNET Easynet Group Plc
> 4618 INET-TH-AS Internet Thailand C
> 4628 ASN-PACIFIC-INTERNET-IX Pacifi
> 4637 REACH Reach Network Border AS
> 4645 ASN-HKNET-AP HKNet Co. Ltd
> 4670 HYUNDAI-KR Shinbiro
> 4713 OCN NTT Communications Corpora
> 4732 DION KDDI CORPORATION
> 4766 KIXS-AS-KR Korea Telecom
> 4780 SEEDNET Digital United Inc.
> 4812 CHINANET-SH-AP China Telecom (
> 4837 CHINA169-BACKBONE CNCGROUP Chi
> 5089 NTL NTL Group Limited
> 5381 POWTECH-AS PowerTech Informati
> 5390 EURONET Wanadoo Nederland BV G
> 5417 DEMON-NL Demon Netherlands Th
> 5462 CABLEINET Telewest Broadband
> 5486 Euronet Digital Communications
> 5522 OMNITEL PLC OMNITEL
> 5617 TPNET Polish Telecom's commerc
> 5783 KCSOS-NET - Kern County Superi
> 6058 NWT-AS - Internet North
> 6079 RCN-AS - RCN Corporation
> 6128 CABLE-NET-1 - Cablevision Syst
> 6197 BATI-ATL - BellSouth Network S
> 6295 WHIDBEY1 - Whidbey Internet Se
> 6327 SHAW - Shaw Communications Inc
> 6380 BELLSOUTH-NET-BLK - BellSouth.
> 6383 BELLSOUTH-NET-BLK - BellSouth.
> 6385 BELLSOUTH-NET-BLK - BellSouth.
> 6388 BELLSOUTH-NET-BLK - BellSouth.
> 6412 KW Gulfnet International
> 6453 GLOBEINTERNET Teleglobe Americ
> 6461 MFNX MFN - Metromedia Fiber Ne
> 6467 ESPIRECOMM - e.spire Communica
> 6711 HUNGARNET-SZEGED Szeged Univer
> 6805 TDDE-ASN1 Telefonica Deutschla
> 6939 HURRICANE - Hurricane Electric
> 7011 FRONTIER-AND-CITIZENS - Electr
> 7015 CCCH-AS2 - Comcast Cable Commu
> 7018 ATT-INTERNET4 - AT&T WorldNet
> 7132 SBIS-AS - SBC Internet Service
> 7303 Telecom Argentina S.A.
> 7701 CAIRNSNET-AS-AP CairnsNet Pty
> 7893 BELLSOUTH-NET-BLK2 - Bellsouth
> 8001 NET-ACCESS-CORP - Net Access C
> 8047 GCI - GCI Communications Inc.
> 8120 BESTWEB - BestWeb Corporation
> 8151 Uninet S.A. de C.V.
> 8176 NETSCAPE-ASN - Netscape
> 8220 COLT COLT Telecommunications
> 8326 PL-BYDMAN-EDU Educational User
> 8342 RTCOMM-AS RTComm.RU Autonomous
> 8362 NordNet Autonomous System
> 8434 TELENOR-SE Telenor AB
> 8551 BEZEQ-INTERNATIONAL-AS Bezeqin
> 8560 SCHLUND-AS Schlund + Partner A
> 8642 B2 B2 Bredband AB (publ)
> 8732 COMCOR-AS AS for Moscow Teleco
> 8736 GNS Grapes Network Services
> 8752 ASVT-NETWORK RusSDO Autonomous
> 8943 JUMP Jump Networks Ltd.
> 8968 Albacom Autonomous System
> 8972 INTERGENIA-ASN intergenia auto
> 8992 TELERING-AT tele.ring Telekom
> 9044 SOLNET SolNet Internet Solutio
> 9105 TISCALI-UK Tiscali UK
> 9116 Goldenlines main autonomous sy
> 9121 TTNET TTnet Autonomous System
> 9277 THRUNET-AS-KR THRUNET
> 9317 ITISNET-AS Inha University
> 9318 HANARO-AS HANARO Telecom
> 9768 PUBNET1-AS KT
> 9800 UNICOM CHINA UNICOM
> 9803 JINGXUN Beijing Jingxun Public
> 9806 BJENET Beijing Educational Inf
> 9811 BJGY srit corp. beijing.
> 9848 GNGAS GNG Networks
> 9919 NCIC-TW New Century InfoComm T
> 9924 TFN-TW Taiwan Fixed Network T
> 10212 GUANGTONGNET-AP China Guangzho
> 10481 Prima S.A.
> 10602 TDL - THE DIAMOND LANE
> 10913 INTERNAP-BLK - Internap Networ
> 11191 ELITE-NET - Elite.Net
> 11290 RAPIDUS - COGECO Cable Canada
> 11305 INTERLAND-NET1 - Interland Inc
> 11351 RR-NYSREGION-ASN-01 - Road Run
> 11388 MAXIM - Interland
> 11426 SCRR-11426 - Road Runner
> 11814 IGS-GTA - Information Gateway
> 12322 PROXAD AS for Proxad ISP
> 12352 WINEASY WinEasy Autonomous Sys
> 12363 DADA S.p.a.
> 12578 APOLLO-AS LATTELEKOM-APOLLO
> 12634 SCARLET Autonomous System for
> 12695 DINET-AS Digital Network JSC
> 12832 LYCOS-EUROPE Lycos Europe GmbH
> 12843 TELEMAXX TelemaxX Telekommunik
> 12859 NL-BIT BIT BV
> 12867 ONLINE-BG BULGARIA ONLINE
> 12874 FASTWEB Fastweb Autonomous Sys
> 12880 DCI-AS DCI Autonomous System
> 13213 UK2NET-AS UK-2 Ltd Autonomous
> 13237 LAMBDANET-AS European Backbone
> 13272 STARMAN Starman Internet AS
> 13301 UNITEDCOLO-AS Autonomous Syste
> 13571 VIDEOTRON-LTEE - Videotron lte
> 13609 CHOICEONECOM - Choice One Comm
> 13680 AS13680 Hostway Corporation Ta
> 13726 VISION-I-SYSTEMS-ASN - Vision
> 13749 EVERYONES-INTERNET - Everyones
> 13768 PEER1 - Peer 1 Network Inc.
> 14501 CIHOST - C I Host
> 14562 SHAW-COMMUNICATIONS - Shaw Com
> 14742 INTERNAP-BLOCK-4 - Internap Ne
> 14744 INTERNAP-BLOCK-4 - Internap Ne
> 15083 INFOLINK-MIA-US - Infolink Inf
> 15149 EZZI-101-BGP - EZZI.net
> 15440 AS15440 MicroLink Lietuva Auto
> 15542 ZEELANDNET ZeelandNet BV
> 15589 AS15589 Eutelia S.p.A. Backbon
> 15694 ATMAN ATMAN Autonomous System
> 15703 TRUESERVER-AS TrueServer BV AS
> 15857 DIALOG-AS DIALOG-NET Autonomuo
> 16150 PORT80 Port80 AB Sweden
> 16265 LEASEWEB LEASEWEB AS
> 16276 OVH OVH
> 16526 BIRCH-TELECOM - Birch Telecom
> 16557 RE-STAFFORD - R. E. Stafford I
> 16629 Compania de Telecomunicaciones
> 17054 SLC-EXPEDIENT - e-xpedient
> 17184 ATL-CBEYOND - CBEYOND COMMUNIC
> 17444 NWT-AS-AP AS number for New Wo
> 17506 JPNIC-JP-ASN-BLOCK Japan Netwo
> 17557 PKTELECOM-AS-AP Pakistan Telec
> 17676 JPNIC-JP-ASN-BLOCK Japan Netwo
> 17964 DXTNET Beijing Dian-Xin-Tong N
> 17974 TELKOMNET-AS2-AP PT TELEKOMUNI
> 18474 AENEAS-CWUS - Aeneas Internet
> 18847 NETFIRE - NetFire.com
> 19262 VZGNI-TRANSIT - Verizon Intern
> 19444 CHARTER-STL - CHARTER COMMUNIC
> 19864 O1COMM - O1 COMMUNICATIONS
> 20001 ROADRUNNER-WEST - Road Runner
> 20013 CYRUSONE - CYRUS ONE
> 20115 CHARTER-NET-HKY-NC - Charter C
> 20141 EDELTACOM-SUW-300 - e^deltacom
> 20183 VERICENTER - VeriCenter Inc.
> 20473 NETTRANS - NetTransactions LL
> 20495 WEDARE We Dare BV Autonomous S
> 20580 Telecom Italia Network
> 20804 ASN-TELENERGO EXATEL S.A. Auto
> 20932 SIG SIG - IP-MAN.NET
> 21195 DGCSYSTEMS DGC Systems AB Auto
> 21285 DKOM Telekom Austria Applicati
> 21502 ASN-NUMERICABLE NUMERICABLE is
> 21698 NEBRIX-CA - Nebrix Communicati
> 21788 NOC - Network Operations Cente
> 21840 SAGONET-TPA - Sago Networks
> 21844 THEPLANET-AS - THE PLANET
> 21889 RAPIDSYSTEMS - Rapid Systems C
> 22659 LIQUIDIX - LIQUID COMMUNICATIO
> 22685 QUICKPACKET - Plusweb Communic
> 22773 CCINET-2 - Cox Communications
> 22822 LLNW - Limelight Networks LLC
> 22909 DNEO-OSP1 - Comcast Cable Comm
> 22927 Telefonica de Argentina
> 22935 WAYNE-BOCES - Wayne Finger-Lak
> 23183 SWIFTSYSTEMS - SWIFT SYSTEMS
> 23201 Telecel S.A.
> 23352 SERVER-CENTRAL-CHI - Server Ce
> 23393 ISPRIME - ISPrime Inc.
> 23522 CIT-FOONET - CREATIVE INTERNET
> 23670 SECURE-AS Oz Servers Data Cen
> 23980 YOUNGNAM-UNIV-AS-AP YOUNGNAM U
> 24607 LENET "Lietuvos energija" JSC
> 24730 ASN-NETHOLDING Autonomous Syst
> 24953 ASN-CARRIER66 carrier66.net Ne
> 25504 CRONON-AS Cronon AG
> 25525 REASONNET-AS Reasonnet LTD
> 25653 PEGASUS - Pegasus Web Technolo
> 25700 SWIFTDESK - SWIFTDESK VENTURE
> 25761 STAMINUS-COMM - Staminus Commu
> 25973 MZIMA - Mzima Networks Inc.
> 26053 DREAMNET-C-S-I - DreamNet Comm
> 26496 PAH-INC - Go Daddy Software I
> 27524 NETSENTRY - Net Sentry Corp
> 27595 ATRIVO-AS - Atrivo
> 27645 ASN-NA-MSG-01 - Managed Soluti
> 28677 AMEN AMEN Network
> 28716 EPLANET-AS ePLANET SPA
> 28753 NETDIRECT AS NETDIRECT Frankfu
> 29055 PRODIGY-AS Prodigy ASN
> 29131 RAPIDSWITCH-AS RapidSwitch Ltd
> 29415 EUROWAN-ASN OVANET - EuroWan d
> 29550 EUROCONNEX-AS Euroconnex Netwo
> 29737 WOW-INTERNET - WideOpenWest LL
> 29748 CARPATHIA-HOSTING - Carpathia
> 29759 OXFORD-INDUSTRIES - Oxford Ind
> 30058 FDCSERVERS - FDCservers.net LL
> 30083 SERVER4YOU - Server4You Inc.
> 30099 SB-2 - ServerBeach
> 30315 EVERYONES-INTERNET2 - Everyone
> 30407 VELCOM - Rcp.net
> 30736 EASYSPEEDY-NETWORK Easyspeedy
> 30943 UTRANSIT-AS Utransit Internati
> 31034 ARUBA-ASN Aruba.it Network
> 31042 SERBIA-BROADBAND-AS Serbia Bro
> 31159 NETCATHOST-AS NetcatHosting
> 31216 BSOCOM BSO Communication Netwo
> 31400 AS31400 AS31400.NET BACKBONE
> 31669 ITSS-AS IT - SOLID SOLUTIONS
> 31800 DALNET - DALnet
> 31898 NAMEI - Name Intelligence Inc
> 31932 AFS-KC - American Fiber System
> 32097 WII-KC - WholeSale Internet
> 32666 CWRU-AS-1 - Case Western Reser
> 32748 STEADFAST - NoZone Inc.
> 32751 NUCLEARFALLOUT-SEA - Nuclearfa
> 32788 XILOGIX-ASN - Xilogix LLC
> 33438 EASYNEWS - Easynews Inc.
> 33569 ALLHOSTSHOP - ALLHOSTSHOP.COM
> 33657 DNEO-OSP7 - Comcast Cable Comm
> 34021 MULTI-VISP Multi-vISP Network
> 34465 BENESOL-AS Belgian Network Sol
> 34549 LAXIN-AS Laxin IT-Services Gmb
> 35921 IFCI-US - InternetFCI LLC
>
> * We would gladly like to establish a trusted relationship with
> these and any organizations to help them in the future.
>
> * By previous requests here is an explanation of what "ASN" is, by Joe
> St Sauver:
> http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
>
>
> The Trojan horses most used in botnets:
>
> 1. Korgobot.
> 2. SpyBot.
> 3. Optix Pro.
> 4. rBot.
> 5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
> etc.).
>
> This report is unchanged.
>
>
> Credit for gathering the data and compiling the statistics from our
> group efforts should go to the Statistics Project lead:
> Prof. Randal Vaughn <Randy_Vaughn at baylor.edu>
>
> --
> Gadi Evron,
> Israeli Government CERT Manager,
> Tehila, Ministry of Finance.
>
> gadi at CERT.gov.il
> Office: +972-2-5317890
> Fax: +972-2-5317801
>
> The opinions, views, facts or anything else expressed in this email
> message are not necessarily those of the Israeli Government.
>
>