drone armies C&C report - April/2005

Gadi Evron gadi at tehila.gov.il
Thu May 5 09:23:49 UTC 2005


Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.

According to our incomplete analysis of information we have thus far, we
now publish our regular two reports.

We have updated our algorithms and combined our main reports into one table.

This survey reflects an overall change in Responsible Party rankings.
We have established trusted relationships with Atrivo and The Planet.
In the case of The Planet these relationships have helped to achieve a
significant reduction in C&Cs with only 1 C&C reporting as active in The
Planet's space for this survey. Atrivo also responds to reported C&Cs.
PNAP and KrCert made incredible progress. Sagonet has also requested
C&C information but is ranked in the top 4 Responsible Parties for this
survey.


The ISPs that are most often plagued with botnet C&Cs (command &
control) are, in the order listed:
----------------------------------

ASN                        Responsible Party                 Unique   open-unresolved
-------------------------------------------------------------------------------------
{10913, 12179, 13790,      INTERNAP (Block4,2BLK,BLK)        60-79    1-5
 19024, 14744}
21840                      SAGONET-TPA - Sago Networks       40-59    10-15
25761                      STAMINUS-COMM - Staminus Commu    40-59    20-29
{13884, 21844}             THEPLANET-AS - THE PLANET         20-29    1-5
21788                      NOC - Network Operations Cente    16-20    10-15
6517                       YIPESCOM - Yipes Communication    16-20    11
3356                       LEVEL3 Level 3 Communications     10-15    1-5
32065                      VORTECH-INC - Vortech Inc.        10-15    14
27595                      ATRIVO-AS - Atrivo                10-15    1-5
4766                       KIXS-AS-KR Korea Telecom          10-15    1-5
7132                       SBIS-AS - SBC Internet Service    10-15    1-5
15535                      VIRTUALXS-AS VirtualXS Interne    10-15    1-5

* We would gladly like to establish a trusted relationship with
   these and any organizations to help them in the future.

* By previous request, here is an explanation of what an "ASN" is, by Joe
   St Sauver:
   http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf


The Trojan horses most used in botnets:
---------------------------------------

1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
    etc.).

This report is unchanged.


Credit for gathering the data and compiling the statistics should go to:
Prof. Randal Vaughn <Randy_Vaughn at baylor.edu>

-- 
Gadi Evron,
Information Security Manager, Project Tehila -
Israeli Government Internet Security.
Ministry of Finance, Israel.

gadi at tehila.gov.il
gadi at CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il

The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.
