[81937] in North American Network Operators' Group
drone armies C&C report - June/2005
daemon@ATHENA.MIT.EDU (Gadi Evron)
Mon Jul 4 07:19:08 2005
Date: Mon, 04 Jul 2005 14:17:09 +0300
From: Gadi Evron <gadi@tehila.gov.il>
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
Below is a periodic public report from the drone armies / botnets
research and mitigation mailing list.
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.
According to our incomplete analysis of information we have thus far, we
now publish our regular reports, with some additional statistics.
We changed our report this month to reflect past data, and try to
ascertain from our own experience response rates to botnet reports.
This month we would once again like to commend Staminus and Internap,
who continually surprise us with their immediate response to our
reports. The numbers speak for themselves.
A couple of other notable ISPs we rarely mention (because they were
never a problem) are AOL and Comcast. Comcast has been with us since the
start and has shown nothing but seriousness. AOL are continuously ahead
of the curve, which is something I personally am close to adoring.
The most impressive turn-about change in behavior though came from
ThePlanet, who investigate and eliminate any botnet C&C they encounter
in record time up to the point where they no longer appear in our
monthly reports - where they used to have a revered seat at the top.
The report summary includes a Percent Resolved Column in order to
recognize the mitigation efforts of the AS Responsible Parties. The
Opens Unresolved column represents the number of unique C&C which
reported as open to the survey's connection attempts and which have
neither been investigated nor cleared by the Responsible Party (to the
extent of our knowledge). The Mapping count may include multiple names
mapping to a single IP within an AS. We count each mapping count as a
unique C&C.
AS Responsible Parties ranked by top Opens Unresolved

Responsible Party               Mapping  Opens       Percent
                                Count    Unresolved  Resolved
SERVER4YOU - Server4You Inc.         49          37        24
UNITEDCOLO-AS Autonomous Syste       44          36        18
SAGONET-TPA - Sago Networks          80          32        60
MFNX MFN - Metromedia Fiber Ne       61          28        54
NOC - Network Operations Cente       39          27        31
AS13680 Hostway Corporation Ta       22          22         0
FDCSERVERS - FDCservers.net LL       42          19        55
NEBRIX-CA - Nebrix Communicati       33          16        52
ASN-NA-MSG-01 - Managed Soluti       31          14        55
LAMBDANET-AS European Backbone       15          14         7
INFOLINK-MIA-US - Infolink Inf       28          13        54
LYCOS-EUROPE Lycos Europe GmbH       17          13        24
Historical Report ranked by past suspect C&Cs mapping into the AS:

Responsible Party               Mapping  Opens       Percent
                                Count    Unresolved  Resolved
SAGONET-TPA - Sago Networks          80          32        60
MFNX MFN - Metromedia Fiber Ne       61          28        54
STAMINUS-COMM - Staminus Commu       56           0       100
INTERNAP-BLOCK-4 - Internap Ne       54           0       100
INTERNAP-BLK - Internap Networ       52           0       100
SERVER4YOU - Server4You Inc.         49          37        24
UNITEDCOLO-AS Autonomous Syste       44          36        18
FDCSERVERS - FDCservers.net LL       42          19        55
NOC - Network Operations Cente       39          27        31
KIXS-AS-KR Korea Telecom             33           8        76
NEBRIX-CA - Nebrix Communicati       33          16        52
ASN-NA-MSG-01 - Managed Soluti       31          14        55
* We would gladly like to establish a trusted relationship with
these and any organizations to help them in the future.
* By previous requests here is an explanation of what "ASN" is, by Joe
St Sauver:
http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
The Trojan horses most used in botnets:
1. Korgobot.
2. SpyBot.
3. Optix Pro.
4. rBot.
5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots, etc.).
This report is unchanged.
Credit for gathering the data and compiling the statistics from our
group efforts should go to the Statistics Project lead:
Prof. Randal Vaughn <Randy_Vaughn@baylor.edu>
--
Gadi Evron,
Israeli Government CERT Manager,
Tehila, Ministry of Finance.
gadi@CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
The opinions, views, facts or anything else expressed in this email
message are not necessarily those of the Israeli Government.
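The report's column definitions (Mapping Count, Opens Unresolved, Percent Resolved) worked through as an added Python example; this is not code from the post or from the research group's statistics project. The survey records and AS names are constructed placeholders, and the rounding formula in percent_resolved is an assumption that reproduces every row in the two tables above (e.g. 49 mappings with 37 opens unresolved gives 24).

```python
from collections import defaultdict

# Constructed per-mapping survey records (placeholder data, not the list's own).
# One record per C&C name-to-IP mapping observed by the survey. Several names
# may map to the same IP inside an AS; the report counts each mapping as one
# unique C&C, so both 192.0.2.10 rows below count separately.
# Fields: (AS responsible party, C&C hostname, IP, answered the survey's
#          connection attempt, investigated or cleared by the responsible party)
RECORDS = [
    ("EXAMPLE-AS-A", "irc1.example.invalid", "192.0.2.10",   True,  False),
    ("EXAMPLE-AS-A", "irc2.example.invalid", "192.0.2.10",   True,  False),
    ("EXAMPLE-AS-A", "bot.example.invalid",  "192.0.2.11",   False, True),
    ("EXAMPLE-AS-A", "cc.example.invalid",   "192.0.2.12",   True,  True),
    ("EXAMPLE-AS-B", "a.example.invalid",    "198.51.100.5", False, True),
    ("EXAMPLE-AS-B", "b.example.invalid",    "198.51.100.6", False, True),
]


def percent_resolved(mapping_count, opens_unresolved):
    """Percent Resolved as tabulated in the report (assumed formula): the share
    of an AS's mappings that are not still open and unresolved, rounded to a
    whole percent. A party with no mappings is reported as 0."""
    if mapping_count == 0:
        return 0
    return round(100 * (mapping_count - opens_unresolved) / mapping_count)


def summarize(records):
    """Aggregate per-mapping records into the report's per-AS rows:
    (responsible party, mapping count, opens unresolved, percent resolved),
    ranked with the most Opens Unresolved first."""
    mapping = defaultdict(int)
    opens = defaultdict(int)
    for party, _host, _ip, is_open, cleared in records:
        mapping[party] += 1                # every name->IP mapping is one C&C
        if is_open and not cleared:        # open to the survey, not yet handled
            opens[party] += 1
    rows = [(party, mapping[party], opens[party],
             percent_resolved(mapping[party], opens[party]))
            for party in mapping]
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows


if __name__ == "__main__":
    for party, count, unresolved, pct in summarize(RECORDS):
        print(f"{party:<16}{count:>8}{unresolved:>12}{pct:>10}")
```

An open C&C that the responsible party has already investigated (the 192.0.2.12 record) lowers nothing in the Opens Unresolved column, which is why the commended ISPs reach 100 percent while still having historical mappings.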