« December 2011 · June 2012 · April 2018 »

February 2012
March 2012
April 2012


  • 16.04.2012: Beware of what you download. Recent purported CEIEC document dump booby-trapped.
  • 15.04.2012:
  • 17.03.2012: Over the weekend we will be dropping 700+ old botnet tickets as the continuation of ticketing system clean up.
  • 09.03.2012: Continuation of Ticket House Cleaning: Over the next couple of days you will see a drop in the total monitored botnet count as we will be closing out 800 old tickets.
  • 07.03.2012: See below.
  • 28.02.2012: As we continue to clean up our botnet tickets, you will see an additional 500+ drop in the monitored botnet count over the next day or so. Thanks for your cooperation.
  • 25.02.2012: Shadowserver will be dropping another 900+ old Public Server monitored botnets over the next couple of days. This drop is being done in the same fashion as Shadowserver did on February 22nd. Please feel free to contact us with any questions or comments about the dropping of these monitored botnets.
  • 22.02.2012: Over the next couple of days you will notice a 700+ drop in total active botnets that we are currently reporting on. This drop will occur due to the dropping of old Public Server tickets we have been reporting on. The Public Server tickets we that we will be dropping are from Public Servers that do a great job of shutting down these botnet channels on their servers as soon as they are discovered by the server OPs as well as from reports that Shadowserver generates daily.
Newest first Oldest first

Wednesday, 7 March 2012

As part of our Botnet Monitoring Ticket cleanup process, we will be dropping an additional 700 botnet tickets over the next couple of days. Feel free to contact me directly with any questions or comments.


R3m0t3_f1x Botnet Operations Shadowserver Foundation

Of House Cleaning and Botnet C&C's


In the last couple of weeks we have dropped almost 2500 C&C's from our tracking system. This may seem extreme but is was something of a necessity. It should also bring up the question of validity of the rest of our C&C counts that you see.

We have several reason to do this cleaning and it is important for everyone to understand why this is occurring, and why it will occur in the future. About 98% of the C&C's we have come from the analysis of malware. When we analyze malware and it has network traffic to an IRC server we record that in our tracking system to be followed up on at a future time.

Our tracking system does several automated checks and keeps the state of the ticket up or down depending on the accessibility of the server. This has several issues.

The first is public servers. Most of the public servers work very hard to identify botnet channels and get them shutdown. So if a piece of malware attempted to access a channel on a public server, most will be gone and inaccessible within a week or less. Our tracking system will however still see the server as up and keep the ticket open.

Our solution up to now has been for our diligent engineers to take each ticket and investigate if there really is a botnet there or not and what action should be taken. Being an all volunteer organization means that everyone has day jobs and the amount that we can test on a daily basis is not a very high number. We can only monitor about 500-600 C&C's on a daily basis using this method.

While not very efficient, it does insure a high accuracy. Pick one or the other but never both.

So as time progressed we started stacking up C&C's on public servers. Some began having ages of more than a year. In spot checks we could see many of these were actually gone and killed by the opers of the public servers.

So on to the house cleaning. We know we will not get to a lot of these in any short timeframe for validation, so we closed all of those tickets so that the system would no longer check those C&C's. There is a concern in doing this that we might be closing our view into actual live C&C's. This is always a possibility, but if another piece of malware comes to us attempting access to that C&C, the ticket will get re-opened automatically. And starting the process all over again.

So if you look at our charts you can see the large decreases, but also see the numbers slowly start creeping up after each mass closure. These are some of those tickets being re-opened or new C&C's being added to the system all from new malware collected.

We want everyone to understand our actions and why we do certain things. Especially when it concerns any of our public charts. We much prefer as much transparency as possible as to decrease any confusion or speculation on why are charts suddenly take a plunge.

As always we appreciate any comments, concerns, and criticisms on our actions and activity.


=>Posted March 07, 2012, at 03:22 PM by freed0