LEGACY: Botnet Drone Hadoop Report

LAST UPDATED:  2021-04-01

LEGACY REPORT

This report lists every infected machine (drone or zombie) that we were able to identify by monitoring IRC command-and-control channels, by capturing IP connections to HTTP botnets, or by recording the IP addresses of spam relays.

Some IPs will carry an infection type; it is only populated for the HTTP bots and the spam relays.

As we have grown, so have our data sets, which required us to change our storage technology and methodology. Those changes to the data sets in turn required changes to the report output.

What does the C&C really mean?

The IP listed as the C&C may be a real command-and-control system that we or a partner are monitoring, either directly or passively. It may also be one of the many sinkhole servers that we and our partners operate. If it is a sinkhole server, your IP address reached out and communicated in some way with our server. We cannot issue commands to or control your system from a sinkhole, since it is a mostly passive capture device: we only harvest the connection information and report it back out.

Why is the C&C blank or set to 0.0.0.0?

This can occur for several reasons. Depending on the source of the data and the method of tracking, we may simply not have the C&C IP address. For example, a drone IP may be labelled as spam: since we extract only the last hop from a spam message, we do not know the controlling source and cannot report on it.

Where the capture point was our sinkhole server, we are effectively the C&C, and there is no reason to include our own IPs.

If we have the data, we will always include it in the reports. We filter nothing from the data that we send, except to ensure that you receive only the data for your area of responsibility.

What types of tags are there for drones?

As of Monday, 1 November 2010, we have the following tags:

  • APT
  • Artro
  • avalanche
  • carberb
  • Carberp
  • conficker.ab
  • conficker.abc
  • conficker.c
  • ConfickerC
  • CVE-2009-4324
  • data stealer
  • ddos-russkill
  • DNSTrojan
  • downadup
  • dropper
  • Fake-AV
  • fakeav
  • Gbot
  • Girlbot Trojan
  • hereyouhave
  • honeypot
  • honeypot-attacker
  • iframe exploit
  • Kaiten Backdoor
  • katusha
  • koobface
  • licat-zeus
  • machbot
  • Mariposa – BlackEnergy Payload
  • Mariposa.A
  • Mariposa.B
  • meb
  • mebroot
  • mega-d
  • msvp_ddos
  • null
  • Oficla
  • ozdok
  • Ponmocup
  • pushdo
  • Ramnit
  • sality
  • sality2
  • sality_old
  • silon
  • sinkhole
  • spam
  • SpyEye
  • ssh-brute-force
  • ssh-entered-cmd
  • ssh-login-fail
  • ssh-login-success
  • ssh-scan
  • torpig
  • trafficcon
  • trafficconverter
  • trafficcon~drter
  • Trojan Jupebot/KNB
  • Unclassified Trojan
  • Unclassified Trojan – first detected 21/Apr/2009
  • Unclassified Trojan, first detected 28/Sep/2010
  • Unknown Trojan, first detected 14/12/2010
  • waledac
  • Win32/Rimecud.DP
  • zeus
  • zeus-dga
  • zeus-dga_10-08-2010

What does it really mean when something was tagged as “spam” for a drone?

When we collect spam messages, nearly every header can be forged except the last-hop connection, i.e. the IP that actually connected to the spam trap. That is the IP we report: it either originated the message or relayed it to the trap.

I found the IP you listed, but my logs show a few hours off. Is your time correct?

Two things are likely at play. First, all of our logs are in UTC, so compare against your logs only after converting from UTC to your local time zone. Second, we send out only the first event seen for each IP; there may be dozens or hundreds of events for that IP in a day, and given the volume it is not practical to send every one of them, so later activity in your logs for the same IP is expected.

Fields

  • timestamp
    Timestamp at which the IP was seen, in UTC (UTC+0)
  • ip
    The IP of the device in question
  • port
    Source port of the IP connection
  • asn
    ASN where the drone resides
  • geo
    Country where the drone resides
  • region
    State or province from the Geo
  • city
    City from the Geo
  • hostname
    Reverse DNS of the IP of the drone
  • type
    Transport protocol of the connection (tcp/udp)
  • infection
    Infection name if known
  • url
    Connection URL if applicable
  • agent
    HTTP connection agent if applicable
  • cc_ip
    The command and control managing this IP; more generally, the destination IP that the device in question was observed connecting to
  • cc_port
    Server side port that the IP connected to
  • cc_asn
    ASN of the C&C
  • cc_geo
    Country of the C&C
  • cc_dns
    For HTTP traffic, the content of the HTTP Host: header; normally the fully qualified domain name of the C&C
  • count
    Number of connections from this drone IP
  • proxy
    Whether the connection went through a known proxy system
  • application
    Application name / Layer 7 protocol
  • p0f_genre
    Operating system family, as passively fingerprinted by p0f
  • p0f_detail
    Operating system version detail from the p0f fingerprint
  • machine_name
    Name of the compromised machine
  • id
    Bot ID
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • cc_naics
    North American Industry Classification System Code for the C&C IP
  • cc_sic
    Standard Industrial Classification System Code for the C&C IP
  • sector
    Sector the IP in question belongs to; e.g., Communications, Commercial Facilities, Information Technology
  • cc_sector
    Sector the C&C IP belongs to
  • ssl_cipher
    SSL/TLS cipher used if the connection was made over SSL/TLS
  • family
    If present: malware family, normally the same as infection
  • tag
    If present: additional information regarding the event
  • public_source
    If present: source of the event

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc_ip","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2011-04-23 00:00:05","210.23.139.130",3218,7543,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,16265,"NL","015.maxided.com",1,,,"WINXP",
"2011-04-23 00:00:10","116.212.205.74",48986,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",80,8560,"DE",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:15","58.169.82.113",2423,1221,"AU","TASMANIA","DEVONPORT",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:26","114.78.17.48",2769,4804,"AU","QUEENSLAND","BRISBANE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:28","124.190.16.11",4095,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:29","124.182.36.33",60837,1221,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","XP/2000 (RFC1323+, w+, tstamp+)"
"2011-04-23 00:00:33","116.212.205.74",23321,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:36","124.190.16.11",4089,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:37","165.228.93.207",27105,1221,"AU","NEW SOUTH WALES","SYDNEY",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
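The following is an added example, not code from the original report, showing how a consumer would ingest the sample above: it parses the CSV with the field list as the schema, turns empty cells into None, makes the timestamp a timezone-aware UTC value, folds a C&C of 0.0.0.0 (unknown, or the capture point was a sinkhole) into the same "no C&C" case as a blank, and collapses the events per drone IP into a hand-off entry with a local-time search window that accounts for only the first event per IP being sent. The header and four data rows are copied from the sample; the final "spam" row, the documentation address 192.0.2.77, the documentation ASN 64496, and the UTC offset of +10 are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed input: header and four rows copied from the report sample, plus
# one constructed "spam" row (documentation address 192.0.2.77, documentation
# ASN 64496) whose C&C columns are 0.0.0.0/blank, as the report says they will
# be for spam relays.
SAMPLE_CSV = '''\
"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc_ip","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2011-04-23 00:00:05","210.23.139.130",3218,7543,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,16265,"NL","015.maxided.com",1,,,"WINXP",
"2011-04-23 00:00:10","116.212.205.74",48986,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",80,8560,"DE",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:33","116.212.205.74",23321,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:01:40","192.0.2.77",,64496,"AU","VICTORIA","MELBOURNE",,,"spam",,,"0.0.0.0",,,,,3,,,,
'''

INT_FIELDS = ("port", "asn", "cc_port", "cc_asn", "count")


def parse_report(text: str) -> list[dict]:
    """Parse one report file into dicts with typed, normalised values.

    Empty cells become None, integer columns are converted, the timestamp
    becomes a timezone-aware UTC datetime, and a cc_ip of 0.0.0.0 is folded
    into None so callers have a single "C&C unknown" case to handle.
    """
    records = []
    for raw in csv.DictReader(io.StringIO(text)):
        rec = {k: (v if v else None) for k, v in raw.items()}
        rec["timestamp"] = datetime.strptime(
            raw["timestamp"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        for field in INT_FIELDS:
            rec[field] = int(raw[field]) if raw.get(field) else None
        if rec["cc_ip"] == "0.0.0.0":
            rec["cc_ip"] = None
        records.append(rec)
    return records


def local_window(rec: dict, utc_offset_hours: float, hours: int = 24) -> tuple[datetime, datetime]:
    """Window to search in the asset owner's own logs.

    The report carries only the first event per IP, in UTC, so the window
    starts at that event converted to local time and runs on for `hours` to
    catch the later connections that were not sent. The offset is supplied
    by the caller (an assumption; e.g. 10 for AEST).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = rec["timestamp"].astimezone(tz)
    return start, start + timedelta(hours=hours)


def triage(records: list[dict]) -> dict[str, dict]:
    """Collapse the events for each drone IP into one hand-off entry."""
    out: dict[str, dict] = {}
    for r in records:
        entry = out.setdefault(r["ip"], {
            "first_seen": r["timestamp"],
            "infections": set(),
            "cc": set(),      # (cc_ip, cc_port) pairs; empty when C&C unknown
            "events": 0,      # sum of the report's count column
        })
        entry["first_seen"] = min(entry["first_seen"], r["timestamp"])
        entry["infections"].add(r["infection"] or "unknown")
        if r["cc_ip"]:
            entry["cc"].add((r["cc_ip"], r["cc_port"]))
        entry["events"] += r["count"] or 1
    return out


if __name__ == "__main__":
    for drone, entry in triage(parse_report(SAMPLE_CSV)).items():
        start, end = local_window({"timestamp": entry["first_seen"]}, 10)
        ccs = ", ".join(f"{ip}:{port}" for ip, port in entry["cc"]) or "C&C unknown"
        print(f"{drone} {sorted(entry['infections'])} {ccs} "
              f"search {start:%Y-%m-%d %H:%M} to {end:%Y-%m-%d %H:%M} local")
```

Note that a blank port, cc_port or hostname in the CSV is a genuinely missing value, not zero or an empty string, which is why the parser maps it to None before any comparison; treating 0.0.0.0 the same way keeps the spam and sinkhole cases from being mistaken for a real C&C address.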
