lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <200701191927.l0JJRmCV016508@mwpbu.baylor.edu>
Date: Fri, 19 Jan 2007 13:27:48 -0600
From: randy_vaughn@...lor.edu
To: full-disclosure@...ts.grok.org.uk
Subject: Drone Armies C&C Report - 19 Jan 2007



This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms
open	the host completed the TCP handshake
closed	No activity detected
reset	issued a RST

This month's survey is of 5187 unique, domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 14723 reported C&Cs. Of the suspect C&Cs
surveyed, 678 reported as Open, 1769 reported as closed,
and 812 issued resets to the survey instrument. Of the C&Cs 
listed by domain name in the our C&C database, 5845 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
19318   NJIIX-AS-1 - NEW JERSEY INTERN            124     24     81
13301   UNITEDCOLO-AS Autonomous System of         99     29     71
 4766   KIXS-AS-KR                                 61     21     66
14779   INKT Inktomi Corporation                   58      0    100
30058   FDCSE FDCservers.net LLC                   58     14     76
16265   LEASEWEB AS                                43     26     40
23522   CIT-FOONET                                 42     24     43
 9318   HANARO-AS                                  38     10     74
 7132   SBC Internet Services                      36      5     86
25761   STAMIN-2 Staminus Communications           35     20     43
13213   UK2NET-AS UK-2 Ltd Autonomous Syste        33      6     82
  174   Cogent Communications                      31     27     13
33597   InfoRelay Online Systems, Inc.             31      0    100
 4837   CHINA169-Backbone                          31      7     77
 8560   SCHLUND-AS                                 29     14     52
15083   IIS-129 Infolink Information Servic        28      1     96
 3786   ERX-DACOMNET                               26     12     54
12832   Lycos Europe                               24      0    100
28753   NETDIRECT AS NETDIRECT Frankfurt           23      8     65
 4134   CHINANET-BACKBONE                          22      7     68

Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN completed a connection request.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
13301   UNITEDCOLO-AS Autonomous System of         99     29     71
  174   Cogent Communications                      31     27     13
16265   LEASEWEB AS                                43     26     40
23522   CIT-FOONET                                 42     24     43
19318   NJIIX-AS-1 - NEW JERSEY INTERN            124     24     81
 4766   KIXS-AS-KR                                 61     21     66
25761   STAMIN-2 Staminus Communications           35     20     43
 8560   SCHLUND-AS                                 29     14     52
30058   FDCSE FDCservers.net LLC                   58     14     76
 3786   ERX-DACOMNET                               26     12     54
 9318   HANARO-AS                                  38     10     74
31103   KEYWEB-AS Keyweb AG                        10      8     20
28753   NETDIRECT AS NETDIRECT Frankfurt           23      8     65
 4837   CHINA169-Backbone                          31      7     77
 9930   TTNET-MY                                    8      7     13
 4134   CHINANET-BACKBONE                          22      7     68
18942   WEBHO-3 WebHostPlus Inc                    11      7     36
 6140   ImpSat                                      8      7     13
 1781   KAIST-DAEJEON-AS-KR Korea Advanced          8      7     13
12322   PROXAD AS for Proxad ISP                    8      7     13

A version of this report with addition rankings can be found
via the isotf.org home page. 


Randal Vaughn                             Gadi  Evron
Professor                                 ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ