Introduction

This report is a list of all the infected machines, drones and zombies that we were able to capture by monitoring IRC Command and Controls, by capturing IP connections to HTTP botnets, or as the IPs of spam relays. Some of the IPs will have an infection type; these are only set for the HTTP bots or the spam relays.

Why something new? As we have grown in size, so have our data sets. This required us to change the storage technology and methodology. We had to make certain changes to the data sets, which in turn required certain output changes as well. These are the results of those changes.

Fields

Field         Description
timestamp     Timestamp the IP was seen, in UTC+0
ip            The IP of the device in question
port          Source port of the IP connection
asn           ASN where the drone resides
geo           Country where the drone resides
region        State or province from the geo lookup
city          City from the geo lookup
hostname      Reverse DNS of the drone's IP
type          Packet type of the connection traffic (udp/tcp)
infection     Infection name, if known
url           Connection URL, if applicable
agent         HTTP connection agent, if applicable
cc            The Command and Control managing this IP, i.e. the destination IP
              that the device in question was observed connecting to
cc_port       Server-side port that the IP connected to
cc_asn        ASN of the C&C
cc_geo        Country of the C&C
cc_dns        For HTTP traffic, the content of the HTTP Host: header; normally
              the fully qualified domain name of the C&C
count         Number of connections from this drone IP
proxy         Whether the connection went through a known proxy system
application   Application name / Layer 7 protocol
p0f_genre     Operating system family
p0f_detail    Operating system version
machine_name  Name of the compromised machine
id            Bot ID

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2011-04-23 00:00:05","210.23.139.130",3218,7543,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,16265,"NL","015.maxided.com",1,,,"WINXP",
"2011-04-23 00:00:10","116.212.205.74",48986,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",80,8560,"DE",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:15","58.169.82.113",2423,1221,"AU","TASMANIA","DEVONPORT",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:26","114.78.17.48",2769,4804,"AU","QUEENSLAND","BRISBANE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:28","124.190.16.11",4095,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:29","124.182.36.33",60837,1221,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","XP/2000 (RFC1323+, w+, tstamp+)"
"2011-04-23 00:00:33","116.212.205.74",23321,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:36","124.190.16.11",4089,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:37","165.228.93.207",27105,1221,"AU","NEW SOUTH WALES","SYDNEY",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"

Questions

What does the C&C really mean?

The IP for the C&C could be a real command and control system that we or a partner is monitoring, either directly or passively. It could also be one of the many sinkhole servers that we and our partners operate. If it is a sinkhole server, this means that your IP address reached out and communicated somehow with our server. We cannot issue commands, nor can we control your system from our sinkhole server, since it is a mostly passive capture device. We only harvest the connection information and report it back out.

Why is the C&C set to 0.0.0.0 or blank?

This can occur for several different reasons. We may not have the C&C IP address, depending on the source of the data and the method of tracking. For example, you could have a drone IP labeled as spam. Since we extracted only the last hop from a spam message, we do not know the controlling source and cannot report it out. In the instances where the capture point was our sinkhole server, we are the C&C and there is no reason to include our IPs. If we have the data we will always include it in the reports. We filter nothing from the data we send out, except to ensure that you receive the data for your responsible area.

What types of tags are there for drones?

As of Monday, 1 November 2010 we have the following tags:

+--------------------------------------------------+
| tag                                              |
+--------------------------------------------------+
| APT                                              | 
| Artro                                            | 
| avalanche                                        | 
| carberb                                          | 
| Carberp                                          | 
| conficker.ab                                     | 
| conficker.abc                                    | 
| conficker.c                                      | 
| ConfickerC                                       | 
| CVE-2009-4324                                    | 
| data stealer                                     | 
| ddos-russkill                                    | 
| DNSTrojan                                        | 
| downadup                                         | 
| dropper                                          | 
| Fake-AV                                          | 
| fakeav                                           | 
| Gbot                                             | 
| Girlbot Trojan                                   | 
| hereyouhave                                      | 
| honeypot                                         | 
| honeypot-attacker                                | 
| iframe exploit                                   | 
| Kaiten Backdoor                                  | 
| katusha                                          | 
| koobface                                         | 
| licat-zeus                                       | 
| machbot                                          | 
| Mariposa - BlackEnergy Payload                   | 
| Mariposa.A                                       | 
| Mariposa.B                                       | 
| meb                                              | 
| mebroot                                          | 
| mega-d                                           | 
| msvp_ddos                                        | 
| null                                             | 
| Oficla                                           | 
| ozdok                                            | 
| Ponmocup                                         | 
| pushdo                                           | 
| Ramnit                                           | 
| sality                                           | 
| sality2                                          | 
| sality_old                                       | 
| silon                                            | 
| sinkhole                                         | 
| spam                                             | 
| SpyEye                                           | 
| ssh-brute-force                                  | 
| ssh-entered-cmd                                  | 
| ssh-login-fail                                   | 
| ssh-login-success                                | 
| ssh-scan                                         | 
| torpig                                           | 
| trafficcon                                       | 
| trafficconverter                                 | 
| trafficcon~drter                                 | 
| Trojan Jupebot/KNB                               | 
| Unclassified Trojan                              | 
| Unclassified Trojan - first detected 21/Apr/2009 | 
| Unclassified Trojan, first detected 28/Sep/2010  | 
| Unknown Trojan, first detected 14/12/2010        | 
| waledac                                          | 
| Win32/Rimecud.DP                                 | 
| zeus                                             | 
| zeus-dga                                         | 
| zeus-dga_10-08-2010                              | 
+--------------------------------------------------+

What does it really mean when something was tagged as "spam" for a drone?

When we collect spam messages, the message headers can be almost completely falsified, except for the last hop connection before the message hits a spam trap. Those are the IPs that we report: the IP that somehow relayed or originated the message to the traps.

I found the IP you listed, but my logs show a few hours off. Is your time correct?

All of our logs are in UTC, but we only send out the first event for each IP; there could be dozens or hundreds in a day. Given the quantity of events on a daily basis, it is not efficient to send out each and every event seen for an IP.
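As an added example (not Shadowserver's own code), here is a Python parser for the report layout shown in the Sample section that also applies the two answers above: a C&C of blank or 0.0.0.0 is normalised to "unknown", and the UTC first-seen timestamp is turned into a widened local search window because only the first event per IP is sent. The third sample row and the UTC offset passed to local_window are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed input in the report's 22-column layout: rows 1-2 are copied from the
# Sample section; row 3 is made up (TEST-NET address, documentation ASN, cc 0.0.0.0).
SAMPLE = """\
"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2011-04-23 00:00:05","210.23.139.130",3218,7543,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,16265,"NL","015.maxided.com",1,,,"WINXP",
"2011-04-23 00:00:40","203.0.113.7",,64496,"AU","VICTORIA","MELBOURNE",,,"spam",,,"0.0.0.0",,,,,3,,,,
"""
INT_FIELDS = ("port", "asn", "cc_port", "cc_asn", "count")

def parse_report(text):
    """Parse report rows: blank fields -> None, numeric fields -> int, timestamp ->
    timezone-aware UTC datetime, unknown C&C (blank or 0.0.0.0) -> None."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k: (v if v else None) for k, v in raw.items()}
        for k in INT_FIELDS:
            if row[k] is not None:
                row[k] = int(row[k])
        row["timestamp"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if row["cc"] == "0.0.0.0":  # controller unknown, e.g. spam last-hop data
            row["cc"] = None
        rows.append(row)
    return rows

def triage(rows):
    """Map drone IP -> (infection, kind, cc, cc_dns) to prioritise the response."""
    out = {}
    for r in rows:
        if r["infection"] == "sinkhole":
            kind = "sinkhole-contact"    # cc is the reporting sinkhole, not a live C&C
        elif r["cc"] is None:
            kind = "controller-unknown"  # clean the host; there is no C&C to block
        else:
            kind = "live-c2"             # also block cc / cc_dns at the perimeter
        out[r["ip"]] = (r["infection"], kind, r["cc"], r["cc_dns"])
    return out

def local_window(row, utc_offset_hours, slack_hours=24):
    """Convert the UTC first-seen time to the recipient's local zone (offset is an
    assumption) and widen it, since only the first event per IP per day is sent."""
    first = row["timestamp"].astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return first, first + timedelta(hours=slack_hours)
```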
