North American Network Operators Group


June 2007 DA Botnet Command and Control

  • From: c2report
  • Date: Mon Jun 25 20:56:42 2007

The drone army (DA) research group surveys, conducted during random time
intervals over the past 6 months, associated 3724 unique, apparently active
hosts, which were, in some manner, associated with a suspect C&C domain.
Naturally, any such association contains peculiarities of measurement such as
false positives and attempted "Joe-Jobs" against legitimate hosts.
Nonetheless, the association is of some interest (probably only to crusty
academics) in that unique IP counts combined with DA's monthly rankings reveal a
more precise, and likely truer, picture of C&C network demographics.  The DA
monthly rankings, located on <http://isotf.org/ccreport.html>, include duplicate
host reports resulting from multiple domains and ports mapping to a single host.
This host duplication tends to inflate estimated host counts within a network.
Comparing the "Open" count for a network contained in the DA report "Top 20 ASNes
by Total suspect domains" with the Uniq IP count contained in the included "Top
Forty Unique IP" list should give a better indication of the overall
effectiveness of the network's C&C removal efforts.

Top forty Unique IP counts within Autonomous System:
ASN    Uniq IPs  Responsible Party
30058   113     FDCSERVERS - FDC Servers.net
25761   86      STAMINUS-COMM - Staminus Communications
23522   85      IPNAP-ES - Ecomdevel  (CIT-FOONET)
19318   78      NJIIX-AS-1 - NEW JERSEY INTERN
4837    72      CHINA169-Backbone
4766    69      KIXS-AS-KR Korea Telecom
4134    66      CHINANET-BACKBONE No.31
13301   63      UNITEDCOLO-AS Autonomous System of unitedcolo.de
7132    59      SBC Internet Services
24989   47      IXEUROPE-DE-FRANKFURT-ASN IX Europe Germany AS
NA**    43      (No applicable network - Mitigation Address space)
3462    39      HINET Data Communication Business Group
12832   39      LYCOS-EUROPE Lycos Europe GmbH
9318    36      HANARO-AS Hanaro Telecom Inc.
3320    33      DTAG Deutsche Telekom AG
14779   33      INKTOMI-LAWSON - Inktomi Corporation
28753   32      NETDIRECT AS NETDIRECT Frankfurt
8560    31      ONEANDONE-AS 1&1 Internet AG
9121    31      TTNET TTnet Autonomous System
35916   27      Multa
577     26      BACOM - Bell Canada
16265   26      OCOM OCOM AS
3786    25      LGDACOM LG DACOM Corporation
8972    23      INTERGENIA-ASN intergenia autonomous system
14780   21      INKTOMI-LAWSON - Inktomi Corporation
20115   21      CHARTER-NET-HKY-NC - Charter Communications
8376    20      GO-JOR Autonomous System
36420   20      ev1.net
174     19      COGENT Cogent/PSI
3269    19      ASN-IBSNAZ TELECOM ITALIA
10316   19      ABACUS-NET-AS - Abacus America Inc.
22927   19      Telefonica de Argentina
31103   19      KEYWEB-AS Keyweb AG
1668    18      AOL-ATDN - AOL Transit Data Network
2119    18      TELENOR-NEXTEL T.net
3561    18      SAVVIS - Savvis
9155    18      QualityNet AS number
9800    18      UNICOM CHINA UNICOM
19262   18      Verizon Internet Services
1659    17      ERX-TANET-ASN1 Taiwan Academic Network (TANet)

Best regards

Randy Vaughn                                         gadi evron
Randy_Vaughn (at) baylor.edu                         ge (at) linuxbox.org
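The measurement point made above (a ranking by suspect domains counts one host once per domain and once per port, while a ranking by unique IPs does not) as an added worked example. This code is not part of the DA/ISOTF report or the original post; the records, domains, IPs and ASNs below are constructed for illustration, and the "NA**" handling is an assumption about how the report's mitigation address space row is grouped.

```python
"""Added example (not from the DA/ISOTF report): how duplicate host reports
inflate per-ASN C&C counts, and how counting unique IPs per ASN corrects it.

Each record is one suspect C&C (domain, port) pair observed resolving to an
IP that is originated by an ASN. The sample records are constructed for this
example; the domains, IPs (RFC 5737 ranges) and ASNs (RFC 5398 private
range) are illustrative, not data from the report.
"""
from collections import defaultdict

# Constructed sample: (suspect domain, port, resolved IP, origin ASN).
# ASN None models the report's "NA**" row: mitigation address space that
# sinkholed domains point at, which belongs to no operator network.
SAMPLE_RECORDS = [
    ("cnc-a.example", 6667, "192.0.2.10", 64496),
    ("cnc-b.example", 6667, "192.0.2.10", 64496),   # same host, second domain
    ("cnc-a.example", 8080, "192.0.2.10", 64496),   # same host, second port
    ("cnc-c.example", 6667, "192.0.2.11", 64496),
    ("cnc-d.example", 1863, "198.51.100.5", 64497),
    ("cnc-e.example", 6667, "198.51.100.6", 64497),
    ("cnc-f.example", 6667, "203.0.113.9", None),   # sinkhole / mitigation space
    ("cnc-f.example", 6667, "203.0.113.9", None),   # repeat observation
]

NA_LABEL = "NA**"   # assumed label, mirroring the post's table


def asn_key(asn):
    """Group records with no applicable ASN under the report's NA row."""
    return NA_LABEL if asn is None else asn


def count_suspect_domains(records):
    """Per-ASN count the way a 'Top N by suspect domains' ranking counts:
    one entry per distinct (domain, port) pair, so one host serving several
    domains or ports is counted several times."""
    per_asn = defaultdict(set)
    for domain, port, _ip, asn in records:
        per_asn[asn_key(asn)].add((domain, port))
    return {k: len(v) for k, v in per_asn.items()}


def count_unique_ips(records):
    """Per-ASN count of distinct C&C hosts, independent of how many
    domains or ports map to each host."""
    per_asn = defaultdict(set)
    for _domain, _port, ip, asn in records:
        per_asn[asn_key(asn)].add(ip)
    return {k: len(v) for k, v in per_asn.items()}


def inflation_ratio(records):
    """Suspect-domain entries per unique host. 1.0 means the domain-based
    count equals the host count; larger values mean the domain ranking
    overstates how many C&C hosts the network actually has to remove."""
    domains = count_suspect_domains(records)
    ips = count_unique_ips(records)
    return {k: domains[k] / ips[k] for k in domains}


def ranked_by_unique_ips(records, top=40):
    """A 'Top N Unique IP counts within Autonomous System' list, sorted by
    unique IPs descending, ASN label ascending as a tie-break."""
    ips = count_unique_ips(records)
    return sorted(ips.items(), key=lambda kv: (-kv[1], str(kv[0])))[:top]


if __name__ == "__main__":
    domains = count_suspect_domains(SAMPLE_RECORDS)
    ratio = inflation_ratio(SAMPLE_RECORDS)
    print("ASN     Domains  Uniq IPs  Domains/host")
    for asn, uniq in ranked_by_unique_ips(SAMPLE_RECORDS):
        print(f"{str(asn):<7} {domains[asn]:>7}  {uniq:>8}  {ratio[asn]:>11.2f}")
```

Run on the sample, ASN 64496 shows four suspect domain/port entries but only two hosts (ratio 2.0), which is exactly the inflation the post warns about; ASN 64497 has one domain per host (ratio 1.0). A real run would replace SAMPLE_RECORDS with the report's domain-to-IP resolutions and an IP-to-ASN mapping, and the ratio column is the quick check for whether a network's "Open" count overstates its remaining C&C hosts.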