Botnet URL Report

This report identifies different URLs captured from botnet communications.

These URLs could be updates for a botnet, a link to something that the criminals thought was interesting, or even vacation pictures of the criminals.

Because it is difficult to know what value any specific URL may have to a given recipient, no whitelisting is applied to filter the information. As a result, the report includes sources of criminal behavior and, often, more innocent links as well. All of it has value: even the innocent links may provide intelligence on what the criminals are looking at or are interested in.

Note that all timestamps are in UTC+0.

Fields

  • Date
    Date of the event in UTC+0
  • Time
    Time of the event in UTC+0
  • C&C
    The IP address of the Command and Control system that the URL was seen in
  • C&C Port
    The port of the C&C
  • C&C ASN
    ASN of the C&C
  • C&C Geo
    Country that the C&C resides in
  • Channel
    The channel name that the URL was seen within
  • URL
    The actual URL that was seen
  • URL ASN
    ASN of the location of the URL
  • URL Geo
    Country location of the URL
  • MD5
    The MD5 of the binary that was downloaded from that URL, if there was one to be downloaded

Sample

"Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","Channel","URL","URL ASN","URL Geo","MD5"
"2008-11-03","00:00:01","66.176.218.54",25999,20214,"US","##time##","http://mdprogram.com/html/commonquestions.shtml",33070,"US",""
"2008-11-03","00:00:02","66.176.218.54",25999,20214,"US","##time##","http://www.am.poznan.pl/eng/index.php?strona=3_298_1072544873&am=307",9112,"PL",""
"2008-11-03","00:00:04","66.176.218.54",25999,20214,"US","##time##","http://www.gfforums.com/",32244,"US",""
"2008-11-03","00:00:17","71.6.216.17",6667,10439,"US","","http://www.cmwebhosting.net",10439,"US",""
"2008-11-03","00:00:26","67.202.83.179",6667,32748,"US","","http://kline.rizon.net",29761,"US",""
"2008-11-03","00:00:26","67.202.83.179",6667,32748,"US","","http://kline.rizon.net",29761,"US",""
"2008-11-03","00:00:35","67.202.83.179",6667,32748,"US","","http://kline.rizon.net",29761,"US",""
"2008-11-03","00:01:25","193.200.193.4",6667,25486,"DE","","http://www.cmwebhosting.net",10439,"US",""
"2008-11-03","00:01:58","67.202.83.179",6667,32748,"US","","http://dnsbl.rizon.net/lookup.php?ip=91.93.132.62",22822,"US",""
"2008-11-03","00:02:56","72.20.24.12",6667,25761,"US","#TEST","http://forums.ice-pirate.net/",0,"-",""
"2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","http://www.myspace.com/",33739,"US",""
"2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","ftp://pemex@63.171.93.162",1239,"US",""
"2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","http://seafight.bigpoint.com/",15598,"DE",""
"2008-11-03","00:14:56","148.243.143.250",6667,6503,"MX","##nohack##","ftp://alejandra_1012@200.57.128.172",19373,"MX",""
"2008-11-03","00:14:57","148.243.143.250",6667,6503,"MX","##nohack##","http://amigos.com/go/page/standard_login.html",3561,"US",""
"2008-11-03","00:14:58","148.243.143.250",6667,6503,"MX","##nohack##","http://www.metroflog.com/wendyta08",32400,"US",""
"2008-11-03","00:14:58","148.243.143.250",6667,6503,"MX","##nohack##","http://35.42.42.42/PublicPort/PP-Login",237,"US",""
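
One way to load this report for triage, as an added example that is not part of the original report documentation: it parses the CSV using the column names from the sample header, converts Date and Time into a UTC timestamp, and groups rows per C&C endpoint. The function names `parse_report` and `summarize_by_cnc` are this example's own, and treating a URL ASN of 0 with Geo "-" as "not resolved" is an assumption drawn from the sample row.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed input: the header and four rows copied from the Sample section.
SAMPLE = '''"Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","Channel","URL","URL ASN","URL Geo","MD5"
"2008-11-03","00:00:01","66.176.218.54",25999,20214,"US","##time##","http://mdprogram.com/html/commonquestions.shtml",33070,"US",""
"2008-11-03","00:02:56","72.20.24.12",6667,25761,"US","#TEST","http://forums.ice-pirate.net/",0,"-",""
"2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","http://www.myspace.com/",33739,"US",""
"2008-11-03","00:14:55","148.243.143.250",6667,6503,"MX","##nohack##","ftp://pemex@63.171.93.162",1239,"US",""
'''


def parse_report(text):
    """Return one normalized dict per report row."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(f'{row["Date"]} {row["Time"]}', "%Y-%m-%d %H:%M:%S")
        parts = urlsplit(row["URL"])
        records.append({
            "seen": seen.replace(tzinfo=timezone.utc),  # report times are UTC+0
            "cnc": (row["C&C"], int(row["C&C Port"])),
            "channel": row["Channel"] or None,  # channel may be empty
            "url": row["URL"],
            "scheme": parts.scheme,
            "host": parts.hostname,  # strips any user@ part of the URL
            # Assumption from the sample: ASN 0 / Geo "-" means "not resolved".
            "url_asn": int(row["URL ASN"]) or None,
            "url_geo": None if row["URL Geo"] == "-" else row["URL Geo"],
            "md5": row["MD5"].lower() or None,  # empty when no binary was fetched
        })
    return records


def summarize_by_cnc(records):
    """Group rows per C&C endpoint: row count, channels, URL hosts, binaries."""
    summary = defaultdict(lambda: {"rows": 0, "channels": set(), "hosts": set(), "md5s": set()})
    for rec in records:
        entry = summary[rec["cnc"]]
        entry["rows"] += 1
        entry["hosts"].add(rec["host"])
        if rec["channel"]:
            entry["channels"].add(rec["channel"])
        if rec["md5"]:
            entry["md5s"].add(rec["md5"])
    return dict(summary)


if __name__ == "__main__":
    for cnc, entry in summarize_by_cnc(parse_report(SAMPLE)).items():
        print(cnc, entry["rows"], sorted(entry["channels"]), sorted(entry["hosts"]))
```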
