lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200612152218.kBFMI40S027225@mwpbu.baylor.edu>
Date: Fri, 15 Dec 2006 16:18:04 -0600
From: c2report@...tf.org
To: full-disclosure@...ts.grok.org.uk
Subject: Drone Armies C&C Report - 15 Dec 2006



This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms
open	the host completed the TCP handshake
closed	No activity detected
reset	issued a RST

This month's survey is of 4898 unique, domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 14350 reported C&Cs. Of the suspect C&Cs
surveyed, 575 reported as Open, 1588 reported as closed,
and 805 issued resets to the survey instrument. Of the C&Cs 
listed by domain name in the our C&C database, 5867 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
19318   NJIIX-AS-1 - NEW JERSEY INTERN            122     23     81
13301   UNITEDCOLO-AS Autonomous System of        116     37     68
30058   FDCSE FDCservers.net LLC                   48     13     73
23522   CIT-FOONET                                 48     19     60
16265   LEASEWEB AS                                43      7     84
 8560   SCHLUND-AS                                 42     32     24
 4766   KIXS-AS-KR                                 38      6     84
 9318   HANARO-AS                                  36     15     58
 7132   SBC Internet Services                      36      6     83
  174   Cogent Communications                      34     28     18
 4837   CHINA169-Backbone                          32      6     81
13213   UK2NET-AS UK-2 Ltd Autonomous Syste        31      5     84
33597   InfoRelay Online Systems, Inc.             31      0    100
14744   PNAP Internap Network Services             30      0    100
15083   IIS-129 Infolink Information Servic        28      1     96
25761   STAMIN-2 Staminus Communications           26     11     58
 3561   Savvis                                     25      1     96
10913   PNAP Internap Network Services             25      0    100
24611   AS24611 Datacenter Luxembourg S.A.         24      0    100
 4314   IIS-64 I-55 INTERNET SERVICES              24      2     92

Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN completed a connection request.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
13301   UNITEDCOLO-AS Autonomous System of        116     37     68
 8560   SCHLUND-AS                                 42     32     24
  174   Cogent Communications                      34     28     18
19318   NJIIX-AS-1 - NEW JERSEY INTERN            122     23     81
23522   CIT-FOONET                                 48     19     60
 9318   HANARO-AS                                  36     15     58
30058   FDCSE FDCservers.net LLC                   48     13     73
25761   STAMIN-2 Staminus Communications           26     11     58
 3786   ERX-DACOMNET                               18      8     56
29737   WideOpenWest LLC                           11      8     27
 1781   KAIST-DAEJEON-AS-KR Korea Advanced         11      8     27
18942   WEBHO-3 WebHostPlus Inc                    11      7     36
16265   LEASEWEB AS                                43      7     84
 6939   HURRICANE - Hurricane Electric             11      6     45
 4766   KIXS-AS-KR                                 38      6     84
 4837   CHINA169-Backbone                          32      6     81
 7132   SBC Internet Services                      36      6     83
12322   PROXAD AS for Proxad ISP                    8      5     38
19444   CHARTER COMMUNICATIONS                      6      5     17
29686   PROBENETWORKS-AS Probe Networks             5      5      0

A version of this report with addition rankings can be found
via the isotf.org home page. 


Randal Vaughn                             Gadi  Evron
Professor                                 ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ