drone armies C&C report - July/2005

From: Gadi Evron (gadi_at_tehila.gov.il)
Date: 08/15/05

  • Next message: Martin Schulze: "[SECURITY] [DSA 775-1] New Mozilla packages fix frame injection spoofing vulnerability"
    Date: Mon, 15 Aug 2005 15:22:53 +0300
    To: bugtraq@securityfocus.com
    
    

    Below is a periodic public report from the drone armies / botnets
    research and mitigation mailing list.
    For this report it should be noted that we base our analysis on the data
    we have accumulated from various sources.

    According to our incomplete analysis of information we have thus far, we
    now publish our regular reports, with some additional information.

    As of this month, any responsible party that wishes to receive
    information about botnet C&C's in their net space can contact us and be
    added to our notification list.

    This month's survey is of 3629 unique domain-with-port or IP-with-port
    suspect C&Cs. This list is extracted from the BBL which currently has
    a historical base of 4464 reported C&Cs. Of the suspect C&Cs surveyed,
    920 reported as Open, 3115 reported as closed and 393 issued resets to
    the survey instrument. Of the C&Cs listed by domain name, 2080 are
    mitigated via remapping. 276 ASNs report one or more open C&Cs.

    ASNs with 10 or more unresolved and open suspect C&Cs:
    ASNumber  Responsible Party                 Count  Open/Unresolved
    21840     SAGONET-TPA - Sago Networks          53  34
    30058     FDCSERVERS - FDCservers.net LL       65  32
    30083     SERVER4YOU - Server4You Inc.         41  28
    12832     LYCOS-EUROPE Lycos Europe GmbH       31  27
    23522     CIT-FOONET - CREATIVE INTERNET       25  23
    174       COGENT Cogent/PSI                    45  23
    13680     AS13680 Hostway Corporation Ta       22  22
    6461      MFNX MFN - Metromedia Fiber Ne       23  18
    27595     ATRIVO-AS - Atrivo                   27  16
    15083     INFOLINK-MIA-US - Infolink Inf       19  15
    4766      KIXS-AS-KR Korea Telecom             41  15
    8560      SCHLUND-AS Schlund + Partner A       28  14
    27645     ASN-NA-MSG-01 - Managed Soluti       19  12
    13237     LAMBDANET-AS European Backbone       15  12
    1113      TUGNET Technische Universitaet       12  11
    13301     UNITEDCOLO-AS Autonomous Syste       16  11
    6939      HURRICANE - Hurricane Electric       12  10
    16265     LEASEWEB LEASEWEB AS                 13  10
    21698     NEBRIX-CA - Nebrix Communicati       25  10

    Top 10 ASNs by total count:
    ASNumber  Responsible Party                 Count  Open/Unresolved
    14742     INTERNAP-BLOCK-4 - Internap Ne      118  1
    14744     INTERNAP-BLOCK-4 - Internap Ne      118  1
    25761     STAMINUS-COMM - Staminus Commu       69  25
    10913     INTERNAP-BLK - Internap Networ       67  1
    30058     FDCSERVERS - FDCservers.net LL       65  32
    21840     SAGONET-TPA - Sago Networks          53  34
    174       COGENT Cogent/PSI                    45  23
    4766      KIXS-AS-KR Korea Telecom             41  15
    30083     SERVER4YOU - Server4You Inc.         41  28
    3356      LEVEL3 Level 3 Communications        37  2

    ASNs with one or more open C&Cs:
    ASNumber Responsible Party
    81 CONCERT - MCNC Center of Commu
    174 COGENT Cogent/PSI
    237 MERIT-AS-14 - Merit Network In
    701 ALTERNET-AS - UUNET Technologi
    790 EUNETFI EUnet Finland
    813 UUNET-AS1 - UUNET Technologies
    1113 TUGNET Technische Universitaet
    1221 ASN-TELSTRA Telstra Pty Ltd
    1239 SPRINTLINK - Sprint
    1267 ASN-INFOSTRADA Infostrada S.p.
    1659 ERX-TANET-ASN1 Tiawan Academic
    1668 AOL-ATDN - AOL Transit Data Ne
    1784 GNAPS - Global NAPs Networks
    1785 USLEC-ASN-1785 - USLEC Corp.
    1955 HBONE-AS HUNGARNET
    2042 ERX-JARING Malaysian institute
    2108 CARNET-AS Croatian Academic an
    2119 TELENOR-NEXTEL Telenor Interne
    2501 JPNIC-ASBLOCK-AP JPNIC
    2514 JPNIC-ASBLOCK-AP JPNIC
    2527 JPNIC-ASBLOCK-AP JPNIC
    2828 XO-AS15 - XO Communications
    2856 BT-UK-AS BTnet UK Regional net
    2907 ERX-SINET-AS National Center f
    2914 VERIO - Verio Inc.
    3064 AFFINITY-FTL - Affinity Intern
    3215 AS3215 France Telecom Transpac
    3246 TDCSONG TDC Song
    3248 SIL-AT SILVER:SERVER GmbH
    3265 XS4ALL-NL XS4ALL
    3292 TDC TDC Data Networks
    3301 TELIANET-SWEDEN TeliaNet Swede
    3307 BANETELE-NORWAY BaneTele AS (f
    3313 INET-AS I.NET S.p.A.
    3344 KEWLIO-DOT-NET Kewlio.net Limi
    3352 TELEFONICA-DATA-ESPANA Interne
    3356 LEVEL3 Level 3 Communications
    3462 HINET Data Communication Busin
    3491 BTN-ASN - Beyond The Network A
    3561 SAVVIS - Savvis
    3701 NERONET - Oregon Joint Graduat
    3758 ERX-SINGNET SingNet
    3786 ERX-DACOMNET DACOM Corporation
    3801 MISNET - Mikrotec Internet Ser
    4134 CHINANET-BACKBONE No.31 Jin-ro
    4230 Embratel
    4436 AS-NLAYER - nLayer Communicati
    4589 EASYNET Easynet Group Plc
    4618 INET-TH-AS Internet Thailand C
    4628 ASN-PACIFIC-INTERNET-IX Pacifi
    4637 REACH Reach Network Border AS
    4645 ASN-HKNET-AP HKNet Co. Ltd
    4670 HYUNDAI-KR Shinbiro
    4713 OCN NTT Communications Corpora
    4732 DION KDDI CORPORATION
    4766 KIXS-AS-KR Korea Telecom
    4780 SEEDNET Digital United Inc.
    4812 CHINANET-SH-AP China Telecom (
    4837 CHINA169-BACKBONE CNCGROUP Chi
    5089 NTL NTL Group Limited
    5381 POWTECH-AS PowerTech Informati
    5390 EURONET Wanadoo Nederland BV G
    5417 DEMON-NL Demon Netherlands Th
    5462 CABLEINET Telewest Broadband
    5486 Euronet Digital Communications
    5522 OMNITEL PLC OMNITEL
    5617 TPNET Polish Telecom's commerc
    5783 KCSOS-NET - Kern County Superi
    6058 NWT-AS - Internet North
    6079 RCN-AS - RCN Corporation
    6128 CABLE-NET-1 - Cablevision Syst
    6197 BATI-ATL - BellSouth Network S
    6295 WHIDBEY1 - Whidbey Internet Se
    6327 SHAW - Shaw Communications Inc
    6380 BELLSOUTH-NET-BLK - BellSouth.
    6383 BELLSOUTH-NET-BLK - BellSouth.
    6385 BELLSOUTH-NET-BLK - BellSouth.
    6388 BELLSOUTH-NET-BLK - BellSouth.
    6412 KW Gulfnet International
    6453 GLOBEINTERNET Teleglobe Americ
    6461 MFNX MFN - Metromedia Fiber Ne
    6467 ESPIRECOMM - e.spire Communica
    6711 HUNGARNET-SZEGED Szeged Univer
    6805 TDDE-ASN1 Telefonica Deutschla
    6939 HURRICANE - Hurricane Electric
    7011 FRONTIER-AND-CITIZENS - Electr
    7015 CCCH-AS2 - Comcast Cable Commu
    7018 ATT-INTERNET4 - AT&T WorldNet
    7132 SBIS-AS - SBC Internet Service
    7303 Telecom Argentina S.A.
    7701 CAIRNSNET-AS-AP CairnsNet Pty
    7893 BELLSOUTH-NET-BLK2 - Bellsouth
    8001 NET-ACCESS-CORP - Net Access C
    8047 GCI - GCI Communications Inc.
    8120 BESTWEB - BestWeb Corporation
    8151 Uninet S.A. de C.V.
    8176 NETSCAPE-ASN - Netscape
    8220 COLT COLT Telecommunications
    8326 PL-BYDMAN-EDU Educational User
    8342 RTCOMM-AS RTComm.RU Autonomous
    8362 NordNet Autonomous System
    8434 TELENOR-SE Telenor AB
    8551 BEZEQ-INTERNATIONAL-AS Bezeqin
    8560 SCHLUND-AS Schlund + Partner A
    8642 B2 B2 Bredband AB (publ)
    8732 COMCOR-AS AS for Moscow Teleco
    8736 GNS Grapes Network Services
    8752 ASVT-NETWORK RusSDO Autonomous
    8943 JUMP Jump Networks Ltd.
    8968 Albacom Autonomous System
    8972 INTERGENIA-ASN intergenia auto
    8992 TELERING-AT tele.ring Telekom
    9044 SOLNET SolNet Internet Solutio
    9105 TISCALI-UK Tiscali UK
    9116 Goldenlines main autonomous sy
    9121 TTNET TTnet Autonomous System
    9277 THRUNET-AS-KR THRUNET
    9317 ITISNET-AS Inha University
    9318 HANARO-AS HANARO Telecom
    9768 PUBNET1-AS KT
    9800 UNICOM CHINA UNICOM
    9803 JINGXUN Beijing Jingxun Public
    9806 BJENET Beijing Educational Inf
    9811 BJGY srit corp. beijing.
    9848 GNGAS GNG Networks
    9919 NCIC-TW New Century InfoComm T
    9924 TFN-TW Taiwan Fixed Network T
    10212 GUANGTONGNET-AP China Guangzho
    10481 Prima S.A.
    10602 TDL - THE DIAMOND LANE
    10913 INTERNAP-BLK - Internap Networ
    11191 ELITE-NET - Elite.Net
    11290 RAPIDUS - COGECO Cable Canada
    11305 INTERLAND-NET1 - Interland Inc
    11351 RR-NYSREGION-ASN-01 - Road Run
    11388 MAXIM - Interland
    11426 SCRR-11426 - Road Runner
    11814 IGS-GTA - Information Gateway
    12322 PROXAD AS for Proxad ISP
    12352 WINEASY WinEasy Autonomous Sys
    12363 DADA S.p.a.
    12578 APOLLO-AS LATTELEKOM-APOLLO
    12634 SCARLET Autonomous System for
    12695 DINET-AS Digital Network JSC
    12832 LYCOS-EUROPE Lycos Europe GmbH
    12843 TELEMAXX TelemaxX Telekommunik
    12859 NL-BIT BIT BV
    12867 ONLINE-BG BULGARIA ONLINE
    12874 FASTWEB Fastweb Autonomous Sys
    12880 DCI-AS DCI Autonomous System
    13213 UK2NET-AS UK-2 Ltd Autonomous
    13237 LAMBDANET-AS European Backbone
    13272 STARMAN Starman Internet AS
    13301 UNITEDCOLO-AS Autonomous Syste
    13571 VIDEOTRON-LTEE - Videotron lte
    13609 CHOICEONECOM - Choice One Comm
    13680 AS13680 Hostway Corporation Ta
    13726 VISION-I-SYSTEMS-ASN - Vision
    13749 EVERYONES-INTERNET - Everyones
    13768 PEER1 - Peer 1 Network Inc.
    14501 CIHOST - C I Host
    14562 SHAW-COMMUNICATIONS - Shaw Com
    14742 INTERNAP-BLOCK-4 - Internap Ne
    14744 INTERNAP-BLOCK-4 - Internap Ne
    15083 INFOLINK-MIA-US - Infolink Inf
    15149 EZZI-101-BGP - EZZI.net
    15440 AS15440 MicroLink Lietuva Auto
    15542 ZEELANDNET ZeelandNet BV
    15589 AS15589 Eutelia S.p.A. Backbon
    15694 ATMAN ATMAN Autonomous System
    15703 TRUESERVER-AS TrueServer BV AS
    15857 DIALOG-AS DIALOG-NET Autonomuo
    16150 PORT80 Port80 AB Sweden
    16265 LEASEWEB LEASEWEB AS
    16276 OVH OVH
    16526 BIRCH-TELECOM - Birch Telecom
    16557 RE-STAFFORD - R. E. Stafford I
    16629 Compania de Telecomunicaciones
    17054 SLC-EXPEDIENT - e-xpedient
    17184 ATL-CBEYOND - CBEYOND COMMUNIC
    17444 NWT-AS-AP AS number for New Wo
    17506 JPNIC-JP-ASN-BLOCK Japan Netwo
    17557 PKTELECOM-AS-AP Pakistan Telec
    17676 JPNIC-JP-ASN-BLOCK Japan Netwo
    17964 DXTNET Beijing Dian-Xin-Tong N
    17974 TELKOMNET-AS2-AP PT TELEKOMUNI
    18474 AENEAS-CWUS - Aeneas Internet
    18847 NETFIRE - NetFire.com
    19262 VZGNI-TRANSIT - Verizon Intern
    19444 CHARTER-STL - CHARTER COMMUNIC
    19864 O1COMM - O1 COMMUNICATIONS
    20001 ROADRUNNER-WEST - Road Runner
    20013 CYRUSONE - CYRUS ONE
    20115 CHARTER-NET-HKY-NC - Charter C
    20141 EDELTACOM-SUW-300 - e^deltacom
    20183 VERICENTER - VeriCenter Inc.
    20473 NETTRANS - NetTransactions LL
    20495 WEDARE We Dare BV Autonomous S
    20580 Telecom Italia Network
    20804 ASN-TELENERGO EXATEL S.A. Auto
    20932 SIG SIG - IP-MAN.NET
    21195 DGCSYSTEMS DGC Systems AB Auto
    21285 DKOM Telekom Austria Applicati
    21502 ASN-NUMERICABLE NUMERICABLE is
    21698 NEBRIX-CA - Nebrix Communicati
    21788 NOC - Network Operations Cente
    21840 SAGONET-TPA - Sago Networks
    21844 THEPLANET-AS - THE PLANET
    21889 RAPIDSYSTEMS - Rapid Systems C
    22659 LIQUIDIX - LIQUID COMMUNICATIO
    22685 QUICKPACKET - Plusweb Communic
    22773 CCINET-2 - Cox Communications
    22822 LLNW - Limelight Networks LLC
    22909 DNEO-OSP1 - Comcast Cable Comm
    22927 Telefonica de Argentina
    22935 WAYNE-BOCES - Wayne Finger-Lak
    23183 SWIFTSYSTEMS - SWIFT SYSTEMS
    23201 Telecel S.A.
    23352 SERVER-CENTRAL-CHI - Server Ce
    23393 ISPRIME - ISPrime Inc.
    23522 CIT-FOONET - CREATIVE INTERNET
    23670 SECURE-AS Oz Servers Data Cen
    23980 YOUNGNAM-UNIV-AS-AP YOUNGNAM U
    24607 LENET "Lietuvos energija" JSC
    24730 ASN-NETHOLDING Autonomous Syst
    24953 ASN-CARRIER66 carrier66.net Ne
    25504 CRONON-AS Cronon AG
    25525 REASONNET-AS Reasonnet LTD
    25653 PEGASUS - Pegasus Web Technolo
    25700 SWIFTDESK - SWIFTDESK VENTURE
    25761 STAMINUS-COMM - Staminus Commu
    25973 MZIMA - Mzima Networks Inc.
    26053 DREAMNET-C-S-I - DreamNet Comm
    26496 PAH-INC - Go Daddy Software I
    27524 NETSENTRY - Net Sentry Corp
    27595 ATRIVO-AS - Atrivo
    27645 ASN-NA-MSG-01 - Managed Soluti
    28677 AMEN AMEN Network
    28716 EPLANET-AS ePLANET SPA
    28753 NETDIRECT AS NETDIRECT Frankfu
    29055 PRODIGY-AS Prodigy ASN
    29131 RAPIDSWITCH-AS RapidSwitch Ltd
    29415 EUROWAN-ASN OVANET - EuroWan d
    29550 EUROCONNEX-AS Euroconnex Netwo
    29737 WOW-INTERNET - WideOpenWest LL
    29748 CARPATHIA-HOSTING - Carpathia
    29759 OXFORD-INDUSTRIES - Oxford Ind
    30058 FDCSERVERS - FDCservers.net LL
    30083 SERVER4YOU - Server4You Inc.
    30099 SB-2 - ServerBeach
    30315 EVERYONES-INTERNET2 - Everyone
    30407 VELCOM - Rcp.net
    30736 EASYSPEEDY-NETWORK Easyspeedy
    30943 UTRANSIT-AS Utransit Internati
    31034 ARUBA-ASN Aruba.it Network
    31042 SERBIA-BROADBAND-AS Serbia Bro
    31159 NETCATHOST-AS NetcatHosting
    31216 BSOCOM BSO Communication Netwo
    31400 AS31400 AS31400.NET BACKBONE
    31669 ITSS-AS IT - SOLID SOLUTIONS
    31800 DALNET - DALnet
    31898 NAMEI - Name Intelligence Inc
    31932 AFS-KC - American Fiber System
    32097 WII-KC - WholeSale Internet
    32666 CWRU-AS-1 - Case Western Reser
    32748 STEADFAST - NoZone Inc.
    32751 NUCLEARFALLOUT-SEA - Nuclearfa
    32788 XILOGIX-ASN - Xilogix LLC
    33438 EASYNEWS - Easynews Inc.
    33569 ALLHOSTSHOP - ALLHOSTSHOP.COM
    33657 DNEO-OSP7 - Comcast Cable Comm
    34021 MULTI-VISP Multi-vISP Network
    34465 BENESOL-AS Belgian Network Sol
    34549 LAXIN-AS Laxin IT-Services Gmb
    35921 IFCI-US - InternetFCI LLC

    * We would gladly like to establish a trusted relationship with
       these and any organizations to help them in the future.

    * By previous requests here is an explanation of what "ASN" is, by Joe
       St Sauver:
       http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf

    The Trojan horses most used in botnets:

    1. Korgobot.
    2. SpyBot.
    3. Optix Pro.
    4. rBot.
    5. Other SpyBot variants and strains (AgoBot, PhatBot, actual SDbots,
        etc.).

    This report is unchanged.

    Credit for gathering the data and compiling the statistics from our
    group efforts should go to the Statistics Project lead:
    Prof. Randal Vaughn <Randy_Vaughn@baylor.edu>

    -- 
    Gadi Evron,
    Israeli Government CERT Manager,
    Tehila, Ministry of Finance.
    gadi@CERT.gov.il
    Office: +972-2-5317890
    Fax: +972-2-5317801
    The opinions, views, facts or anything else expressed in this email
    message are not necessarily those of the Israeli Government.
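As an added illustration, not part of Gadi Evron's post or of the BBL tooling the report draws on, the Python below aggregates a constructed survey of suspect C&Cs into the headline counts and the two per-ASN tables the report presents: unique host:port targets, open/closed/reset survey results, domain-name C&Cs mitigated via remapping, ASNs with a minimum number of open/unresolved C&Cs, and the top ASNs by total count. The record layout, the sample records (fictional hosts on documentation address ranges and private-use ASNs) and the rule that "open/unresolved" means open and not remapped are assumptions of this example, not rules stated in the report.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Suspect:
    """One surveyed suspect C&C (constructed record layout, not the BBL's)."""
    target: str             # "host:port" as listed, e.g. "irc.bot-a.example:6667"
    asn: int                # origin ASN of the address the target resolved to
    party: str              # responsible party for that ASN
    state: str              # survey result: "open", "closed" or "reset"
    remapped: bool = False  # domain-name C&C already mitigated via DNS remapping


def split_target(target):
    """Return (host, port, is_ip) for a 'host:port' string; IPv6 hosts are bracketed."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected host:port, got {target!r}")
    host = host.strip("[]")
    try:
        ipaddress.ip_address(host)
        return host, int(port), True
    except ValueError:
        return host.lower(), int(port), False


def dedupe(records):
    """Keep the first listing of each unique host:port, as the report counts them."""
    seen, unique = set(), []
    for r in records:
        key = split_target(r.target)[:2]
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def per_asn_table(records):
    """Rows of (asn, party, count, open_unresolved); open_unresolved = open and not remapped."""
    total, open_unresolved, party = defaultdict(int), defaultdict(int), {}
    for r in dedupe(records):
        total[r.asn] += 1
        party.setdefault(r.asn, r.party)
        if r.state == "open" and not r.remapped:
            open_unresolved[r.asn] += 1
    return [(asn, party[asn], total[asn], open_unresolved[asn]) for asn in sorted(total)]


def survey_summary(records):
    """Headline counts: surveyed, open/closed/reset, remapped domains, ASNs with open C&Cs."""
    records = dedupe(records)
    counts = {"surveyed": len(records), "open": 0, "closed": 0, "reset": 0, "remapped": 0}
    for r in records:
        counts[r.state] += 1
        if r.remapped and not split_target(r.target)[2]:   # remapping applies to domain names
            counts["remapped"] += 1
    counts["asns_with_open"] = sum(1 for row in per_asn_table(records) if row[3] > 0)
    return counts


def asns_with_open_at_least(records, threshold):
    """The report's first table: ASNs with `threshold` or more open/unresolved C&Cs."""
    rows = [row for row in per_asn_table(records) if row[3] >= threshold]
    return sorted(rows, key=lambda row: (-row[3], -row[2], row[0]))


def top_by_count(records, k):
    """The report's second table: the k ASNs with the most suspect C&Cs overall."""
    return sorted(per_asn_table(records), key=lambda row: (-row[2], row[0]))[:k]


def render(rows):
    """Format rows in the report's line layout: ASN, party (30 chars), count, open."""
    lines = ["ASNumber Responsible Party Count Open/Unresolved"]
    for asn, party, count, open_count in rows:
        lines.append(f"{asn} {party[:30]} {count} {open_count}")
    return "\n".join(lines)


# Constructed sample survey: fictional hosts on documentation/reserved address
# ranges and private-use ASNs; not data from the report.
SURVEY = [
    Suspect("irc.bot-a.example:6667", 64500, "EXAMPLE-HOST-A - Example Hosting A", "open"),
    Suspect("192.0.2.10:6667", 64500, "EXAMPLE-HOST-A - Example Hosting A", "open"),
    Suspect("cc.bot-b.example:7000", 64500, "EXAMPLE-HOST-A - Example Hosting A", "closed"),
    Suspect("198.51.100.5:1863", 64501, "EXAMPLE-HOST-B - Example Hosting B", "reset"),
    Suspect("cc.bot-c.example:6667", 64501, "EXAMPLE-HOST-B - Example Hosting B", "open", True),
    Suspect("irc.bot-d.example:6668", 64502, "EXAMPLE-ISP-C - Example ISP C", "open"),
    Suspect("203.0.113.7:6667", 64502, "EXAMPLE-ISP-C - Example ISP C", "closed"),
    Suspect("203.0.113.7:6667", 64502, "EXAMPLE-ISP-C - Example ISP C", "closed"),  # repeated listing
]

if __name__ == "__main__":
    print(survey_summary(SURVEY))
    print(render(asns_with_open_at_least(SURVEY, 1)))
    print(render(top_by_count(SURVEY, 2)))
```

The deduplication step matters for the same reason the report stresses "unique" targets: a C&C reported by several sources would otherwise inflate both the per-ASN count and the open/unresolved column. Treating a remapped domain as resolved, even when the survey instrument still sees the original host answering, is the example's own choice; a team that prefers to count it as open until the hosting network confirms takedown would drop the `not r.remapped` condition.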
    

