drone armies C&C report - April/2005
Gadi Evron
gadi at tehila.gov.il
Thu May 5 09:23:49 UTC 2005
Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.
According to our incomplete analysis of information we have thus far, we
now publish our regular two reports.
We have updated our algorithms and combined our main reports into one table.
This survey reflects an overall change in Responsible Party rankings.
We have established trusted relationships with Atrivo and The Planet.
In the case of The Planet these relationships have helped to achieve a
significant reduction in C&Cs with only 1 C&C reporting as active in The
Planet's space for this survey. Atrivo also responds to reported C&Cs.
PNAP and KrCert made incredible progress. Sagonet has also requested
C&C information but is ranked in the top 4 Responsible Parties for this
survey.
The ISPs that are most often plagued with botnet C&Cs (command &
control) are, in the order listed:
------------------------------------------------------------------------------
ASN                        Responsible Party                 Unique   Open-unresolved
------------------------------------------------------------------------------
{10913, 12179, 13790,      INTERNAP (Block4,2BLK,BLK)        60-79    1-5
 19024, 14744}
21840                      SAGONET-TPA - Sago Networks       40-59    10-15
25761                      STAMINUS-COMM - Staminus Commu    40-59    20-29
{13884, 21844}             THEPLANET-AS - THE PLANET         20-29    1-5
21788                      NOC - Network Operations Cente    16-20    10-15
6517                       YIPESCOM - Yipes Communication    16-20    11
3356                       LEVEL3 Level 3 Communications     10-15    1-5
32065                      VORTECH-INC - Vortech Inc.        10-15    14
27595                      ATRIVO-AS - Atrivo                10-15    1-5
4766                       KIXS-AS-KR Korea Telecom          10-15    1-5
7132                       SBIS-AS - SBC Internet Service    10-15    1-5
15535                      VIRTUALXS-AS VirtualXS Interne    10-15    1-5
------------------------------------------------------------------------------
* We would gladly establish a trusted relationship with these and any
other organizations to help them in the future.
* By previous request, here is an explanation of what "ASN" is, by Joe
St Sauver:
http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
The Trojan horses most used in botnets:
---------------------------------------
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
etc.).
This report is unchanged.
Credit for gathering the data and compiling the statistics should go to:
Prof. Randal Vaughn <Randy_Vaughn at baylor.edu>
--
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.
gadi at tehila.gov.il
gadi at CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il
The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.
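The table in the report ranks responsible parties by the number of unique C&C hosts seen in their address space, rolls several ASNs up into one party where one organization answers for them, and keeps a separate count of C&Cs that have been reported but are still active. As an added example, not code from this post, from NANOG or from the Baylor data set, the following Python script rebuilds a table of that shape from constructed sighting records. The ASN-to-party mapping is taken from the ASN groupings printed above; the sighting records, the count bins, the tie-breaking order and the private ASN 65000 are assumptions made for the example.

```python
"""Roll up botnet C&C sightings into a per-responsible-party ranking.

Added example for this report; it is not code from the post, from NANOG or
from the Baylor data set. The ASN-to-party mapping below is built from the
ASN groupings printed in the report; the sighting records, the count bins and
the tie-breaking rule are assumptions made for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, NamedTuple

# ASN -> responsible party. The INTERNAP and THE PLANET groupings follow the
# report's table; 65000 is a private ASN used here to exercise the fallback.
RESPONSIBLE_PARTY = {
    10913: "INTERNAP", 12179: "INTERNAP", 13790: "INTERNAP",
    19024: "INTERNAP", 14744: "INTERNAP",
    13884: "THE PLANET", 21844: "THE PLANET",
    21840: "Sago Networks",
    27595: "Atrivo",
}

# Assumed bins: the report publishes ranges such as "60-79" rather than exact
# counts, so the rendered table is bucketed the same way.
BINS = ((1, 5), (6, 9), (10, 15), (16, 20), (21, 29), (30, 39),
        (40, 59), (60, 79), (80, 99))


@dataclass(frozen=True)
class Sighting:
    host: str        # C&C address a drone was seen connecting to
    asn: int         # origin ASN of that address when observed
    day: int         # observation day (ordinal within the survey period)
    resolved: bool   # True once the responsible party has taken it down


class Row(NamedTuple):
    party: str
    asns: List[int]
    unique: int            # distinct C&C hosts seen in the party's space
    open_unresolved: int   # of those, still active at their latest sighting


def rank_parties(sightings):
    """Build report rows: most unique C&Cs first, then most open, then name."""
    latest = {}                  # host -> (day, resolved) of the newest sighting
    party_of_host = {}
    asns = defaultdict(set)
    for s in sightings:
        party = RESPONSIBLE_PARTY.get(s.asn, f"AS{s.asn}")  # no contact: name the ASN
        party_of_host[s.host] = party
        asns[party].add(s.asn)
        if s.day > latest.get(s.host, (-1, None))[0]:
            latest[s.host] = (s.day, s.resolved)
    # Repeated sightings of one host count once; a host is "open" only if its
    # most recent sighting is still unresolved.
    unique = Counter(party_of_host.values())
    still_open = Counter(party_of_host[h] for h, (_, done) in latest.items() if not done)
    rows = [Row(p, sorted(asns[p]), unique[p], still_open[p]) for p in unique]
    rows.sort(key=lambda r: (-r.unique, -r.open_unresolved, r.party.lower()))
    return rows


def bucket(n):
    """Map an exact count onto the report's range notation."""
    if n == 0:
        return "0"
    for lo, hi in BINS:
        if lo <= n <= hi:
            return f"{lo}-{hi}"
    return "100+"


def render_table(rows):
    """Plain-text table in the layout the report uses."""
    lines = [f"{'ASN':<28}{'Responsible Party':<20}{'Unique':<10}Open-unresolved"]
    for r in rows:
        asn_text = str(r.asns[0]) if len(r.asns) == 1 else "{" + ", ".join(map(str, r.asns)) + "}"
        lines.append(f"{asn_text:<28}{r.party:<20}{bucket(r.unique):<10}{bucket(r.open_unresolved)}")
    return "\n".join(lines)


# Constructed sightings (documentation address ranges, not real C&Cs).
SAMPLE = [
    Sighting("198.51.100.10", 10913, 1, False),
    Sighting("198.51.100.10", 10913, 2, False),  # same C&C seen twice
    Sighting("198.51.100.11", 12179, 1, True),
    Sighting("198.51.100.12", 13790, 1, False),
    Sighting("203.0.113.5", 21840, 1, False),
    Sighting("203.0.113.6", 21840, 1, False),
    Sighting("203.0.113.7", 21840, 2, True),
    Sighting("192.0.2.40", 13884, 1, False),
    Sighting("192.0.2.40", 13884, 3, True),      # reported, later taken down
    Sighting("192.0.2.77", 27595, 1, False),
    Sighting("192.0.2.78", 65000, 1, False),     # no known contact for this ASN
]

if __name__ == "__main__":
    print(render_table(rank_parties(SAMPLE)))
```

Two choices in the script matter for anyone reproducing such a ranking: a C&C that is seen again after the provider has taken it down should not keep counting as open, so status is taken from the newest sighting rather than the first, and hosts in an ASN with no known contact still appear in the ranking under the bare ASN so that they are not silently dropped.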