Drone/Botnet-Drone Report

This report is a list of all the infected machines, drones, and zombies that we were able to capture through various techniques, including sinkholes operated with partners, darknets, honeypots, IPs from spam relays and other partner sources.

Some of the IPs will have an infection type. As we’ve grown in size, so have our data sets, requiring us to change our storage technology and methodology. We had to make certain changes to the data sets and have required certain output changes, as well.

What does the C&C really mean?

The IP for the C&C could be a real command and control system that we are (or a partner is) monitoring either directly or passively. It could also be one of the many sinkhole servers that we and our partners operate. If it is a sinkhole server, this means that your IP address reached out and communicated somehow with our server. We cannot issue commands, nor can we control your system from our sinkhole server, since it is a mostly passive capture device. We only harvest the connection information and report it back out.

Why is the C&C set to “0.0.0.0” or blank?

This can occur for several different reasons.

  1. We may not have the C&C IP address, depending on the source of the data and the method of tracking. For example, a drone IP may be labeled as Spam: since we extracted only the last hop from a spam message, we do not know the controlling source and cannot report it.
  2. Where the capture point was our sinkhole server, we are effectively the C&C, and there is no reason to include our own IPs.

If we have the data, we will always include it in the reports. We filter nothing from the data we send out, except to ensure that you receive the data for your responsible area.

What does it really mean when something was tagged as “spam” for a drone?

When we collect spam messages, the message headers can be almost completely falsified, except for the last-hop connection before the message hits a spam trap. Those are the IPs we report: the ones that relayed or originated the message to the traps.

I found the IP you listed, but my logs show a few hours off. Is your time correct?

All of our logs are in UTC, but we only send out the first event for each IP, even though there could be dozens or hundreds in a day. Given the daily volume of events, it is not efficient to send out each and every event seen on an IP.

What types of tags are there for drones?

As of January 13th 2021, we have the following tags:

android_spams
android.bakdoor.prizmes
android.bankbot
android.banker.anubis
android.bankspy
android.cliaid
android.darksilent
android.fakeav
android.fakebank
android.fakedoc
android.fakeinst
android.fakemart
android.faketoken
android.fobus
android.fungram
android.geost
android.gopl
android.hiddad
android.hqwar
android.hummer
android.infosteal
android.iop
android.lockdroid
android.milipnot
android.nitmo
android.opfake
android.premiumtext
android.provar
android.pwstealer
android.rootnik
android.skyfin
android.smsbot
android.smssilence
android.smsspy
android.smsspy.be24
android.sssaaa
android.teleplus
android.uupay
android.voxv
avalanche-andromeda
banatrix
bankpatch
bebloh
bedep
betabot
bitcoinminer
blackbeard
blakamba
boinberg
buhtrap
caphaw
carberp
chafer
changeup
chinad
citadel
cobint
coinminer
conficker
cryptowall
cutwail
cycbot
diaminer
dimnie
dipverdle
dircrypt
dirtjumper
disorderstatus
dmsniff
dofoil
domreg
dorkbot
dorkbot-ssl
dresscode
dybalom
ek.fallout
emoted
emotet
esfury
expiro
exploitkit.fallout
extenbro
fake_cs_updater
fakerean
fallout.exploitkit
fast-flux
fast-flux-double
fast-flux;fast-flux-double
fleercivet
fobber
foxbantrix
foxbantrix-unknown
generic.malware
geodo
gonderici
gootkit
gozi
gspy
gtfobot
hancitor
harnig
htm5player.vast
ibanking
icedid
infected
iotreaper
ip-spoofer
ircbot
isfb
jadtre
jdk-update-apt
js.worm.bondat
junk-domains
kasidet
kbot
kelihos
kelihos.e
keylogger
keylogger-ftp
keylogger-vbklip
kidminer
kingminer
koobface
kraken
kronos
kwampirs
lethic
linux.backdoor.setag
linux.ngioweb
litemanager
loader
locky
loki
lokibot
luminositylink
lurkbanker
madominer
magecart
maliciouswebsites
malvertising.doubleclick
malwaretom
marcher
matrix
matsnu
menupass
mewsspy
miner.monero
minr
mirai
mix2
mkero
monero
mozi
muddywater
murofet
mysafeproxymonitor
nametrick
necurs
netsupport
nettraveler
neurevt
nitol
nivdort
nukebot
null
nymaim
nymain
osx.fakeflash
palevo
pawnstorm
phishing
phishing.cobalt
phishing.cobalt_dickens
phorpiex
pitou
plasma-tomas
ponmocup
pony
poseidon
powerstats
proxyback
pushdo
pws.pony
pykspa
qadars
qakbot
qqblack
qrypter.rat
qsnatch
racoon
ramdo
ramnit
ranbyus
ransom.cerber
ransomware
ransomware.shade
rat.vermin
renocide
revil
rodecap
sality
sality-p2p
servhelper
sgminer
shifu
shiz
sinowal
sisron
sodinokibi
spam
sphinx
spyeye
ssh-brute-force
ssl
ssl-az7
ssl-unknown-bot-test
ssl-vmzeus
stantinko
tdss
teleru
telnet-brute-force
tinba
tinba-dga
trickbot
triton
trojan.click3
trojan.fakeav
trojan.includer
trojan.win32.razy.gen
unknown
unknown-bot-test
valak
vawtrak
vbklip
verst
victorygate.a
victorygate.b
victorygate.c
virut
vmzeus
vobfus
volatile_cedar
vpnfilter_stage3
wannacrypt
wauchos
webminer.cdn
win.neurevt
worm.kasidet
worm.phorpiex
wowlik
wrokni
xbash
xmrminer
xpaj
xshellghost
yoddos
zeus
zeus_gameover
zeus_panda
zloader

Note that this report typically contains data gathered in partnership with other organizations. For data shared from Shadowserver’s sinkholes, please see the Sinkhole HTTP Drone Report and the Sinkhole6 HTTP Drone Report. Additionally, sinkhole data from Microsoft is shared via the Microsoft Sinkhole Report.

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • ip
    The IP of the device in question
  • port
    Source port of the IP connection
  • asn
    ASN where the drone resides
  • geo
    Country where the drone resides
  • region
    State or province from the Geo
  • city
    City from the Geo
  • hostname
    Reverse DNS of the IP of the drone
  • type
    Packet type of the connection traffic (UDP/TCP)
  • infection
    Infection name, if known
  • url
    Connection URL, if applicable
  • agent
    HTTP connection agent, if applicable
  • cc_ip
    The Command and Control managing the IP or destination IP that the device in question is observed connecting to
  • cc_port
    Server-side port that the IP connected to
  • cc_asn
    ASN of the C&C
  • cc_geo
    Country of the C&C
  • cc_dns
    For HTTP traffic, the content of the HTTP Host: header — normally the fully qualified domain name of the C&C
  • count
    Number of connections from this drone IP
  • proxy
    If the connection went through a known proxy system
  • application
    Application name / Layer 7 protocol
  • p0f_genre
    Operating System family
  • p0f_detail
    Operating System version
  • machine_name
    Name of the compromised machine
  • id
    Bot ID
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • cc_naics
    North American Industry Classification System Code for the C&C IP
  • cc_sic
    Standard Industrial Classification System Code for the C&C IP
  • sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial Facilities, Information Technology
  • cc_sector
    Sector to which the C&C IP belongs
  • ssl_cipher
    SSL Cipher used if connection is done over SSL
  • family
    Malware family, normally the same as infection, if present
  • tag
    Additional information regarding the event, if present
  • public_source
    Source of the event, if present

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc_ip","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2011-04-23 00:00:05","210.23.139.130",3218,7543,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,16265,"NL","015.maxided.com",1,,,"WINXP",
"2011-04-23 00:00:10","116.212.205.74",48986,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",80,8560,"DE",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:15","58.169.82.113",2423,1221,"AU","TASMANIA","DEVONPORT",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:26","114.78.17.48",2769,4804,"AU","QUEENSLAND","BRISBANE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:28","124.190.16.11",4095,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:29","124.182.36.33",60837,1221,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","XP/2000 (RFC1323+, w+, tstamp+)"
"2011-04-23 00:00:33","116.212.205.74",23321,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:36","124.190.16.11",4089,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:37","165.228.93.207",27105,1221,"AU","NEW SOUTH WALES","SYDNEY",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
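The FAQ answers above (timestamps are UTC, a blank or 0.0.0.0 cc_ip means the C&C is unknown or was the sinkhole itself, only the first event per IP is sent) and the field list are exactly what a consumer's parser has to handle. The following Python reader is an added example and not Shadowserver's own tooling: it parses three rows taken from the sample above plus one constructed spam row with a 0.0.0.0 C&C, normalises the C&C field, shifts the UTC timestamps into a local log timezone and builds a search window for correlating against firewall or NAT logs. The UTC+10 offset, the 5-minute slack and the 203.0.113.77 row are assumptions chosen for illustration.

```python
"""Reader for a Drone/Botnet-Drone report in the documented CSV layout.

Added example, not Shadowserver's code. Handles the three caveats from
the report FAQ:
  * timestamps are UTC; shift the report, not your logs, before comparing;
  * cc_ip of "" or "0.0.0.0" means "C&C unknown or it was the sinkhole",
    not that the drone talked to 0.0.0.0;
  * only the first event per IP per day is sent, so a correlation window
    rather than an exact match is the sensible search.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: header and first three rows copied from the page's
# sample; the last row (203.0.113.77, ASN 64496) is made up to show the
# blank/0.0.0.0 C&C case for a spam-sourced drone.
SAMPLE_CSV = '''"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc_ip","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2011-04-23 00:00:05","210.23.139.130",3218,7543,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,16265,"NL","015.maxided.com",1,,,"WINXP",
"2011-04-23 00:00:10","116.212.205.74",48986,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",80,8560,"DE",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:01:00","203.0.113.77",,64496,"AU","VICTORIA","MELBOURNE",,,"spam",,,"0.0.0.0",,,,,3,,,,
'''


def parse_timestamp(value: str) -> datetime:
    """Report timestamps are 'YYYY-MM-DD HH:MM:SS' and always UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def normalise_cc(value: str) -> Optional[str]:
    """Blank or 0.0.0.0 means the C&C is unknown or was the sinkhole itself."""
    value = (value or "").strip()
    return None if value in ("", "0.0.0.0") else value


def parse_report(text: str) -> list:
    """Parse report CSV text into a list of dicts, rejecting ragged rows."""
    reader = csv.DictReader(io.StringIO(text))
    expected = len(reader.fieldnames)
    rows = []
    for lineno, row in enumerate(reader, start=2):
        # DictReader puts surplus fields under key None and fills missing
        # ones with None; either means the row does not match the header.
        if None in row or any(v is None for v in row.values()):
            raise ValueError(f"line {lineno}: field count != {expected}")
        rows.append({
            "timestamp": parse_timestamp(row["timestamp"]),
            "ip": row["ip"],
            "infection": row["infection"] or "unknown",
            "cc_ip": normalise_cc(row["cc_ip"]),
            "cc_port": int(row["cc_port"]) if row["cc_port"] else None,
            "count": int(row["count"]) if row["count"] else 1,
        })
    return rows


def to_local(ts: datetime, utc_offset_hours: float) -> datetime:
    """Shift a UTC report timestamp into the analyst's log timezone."""
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def correlation_window(ts: datetime, utc_offset_hours: float, slack_minutes: int = 5):
    """Local-time (start, end) bounds for searching firewall/NAT logs.

    Only the first event per IP per day is reported, so search a window
    around it rather than for the exact second; 5 minutes is an assumption.
    """
    local = to_local(ts, utc_offset_hours)
    delta = timedelta(minutes=slack_minutes)
    return local - delta, local + delta


def summarise(rows: list) -> dict:
    """Drone count per infection tag and how many rows carry a usable C&C."""
    by_infection = Counter(r["infection"] for r in rows)
    rows_with_cc = sum(1 for r in rows if r["cc_ip"] is not None)
    return {"by_infection": dict(by_infection), "rows_with_cc": rows_with_cc}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_CSV)
    for r in parsed:
        start, end = correlation_window(r["timestamp"], 10)  # UTC+10 assumed
        print(r["ip"], r["infection"], r["cc_ip"] or "(no C&C)", start, "->", end)
    print(summarise(parsed))
```

The fixed offset is enough for a one-off check; for a site that observes daylight saving, build the target timezone with `zoneinfo.ZoneInfo` instead so the shift is right on both sides of the changeover. Rows whose `cc_ip` normalises to `None` still identify an infected host and should be triaged by the `infection` tag; the missing C&C only means the report cannot tell you where the host was calling.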
