LEGACY: Drone/Botnet-Drone Report

LAST UPDATED: 2021-06-07

LEGACY REPORT

Report discontinued. Replaced by: Drone/Botnet-Drone Report

This report is a list of all the infected machines, drones, and zombies that we were able to capture through various techniques, including sinkholes operated with partners, darknets, honeypots, ips from Spam relays and other partner sources.

Please note this report will be replaced after 2021-06-01 by Darknet Events Report, Sinkhole Events Report, Sinkhole HTTP Events Report.

Some of the IPs will have an infection type. As we’ve grown in size, so have our data sets, requiring us to change our storage technology and methodology. We had to make certain changes to the data sets and have required certain output changes, as well.

What does the C&C really mean?

The IP for the C&C could be a real command and control system that we are (or a partner is) monitoring either directly or passively. It could also be one of the many sinkhole servers that we and our partners operate. If it is a sinkhole server, this means that your IP address reached out and communicated somehow with our server. We cannot issue commands, nor can we control your system from our sinkhole server, since it is a mostly passive capture device. We only harvest the connection information and report it back out.

Why is the C&C set to “0.0.0.0” or blank?

This can occur for several different reasons.

We may not have the C&C IP address, depending on the source of the data and the method of tracking. For example, you could have a drone IP labeled as Spam. Since we extracted the last hop from a Spam message, we do not know the controlling source and cannot report it out.
In the instances where the capture point was our Sinkhole server, we are the C&C in this instance and there is no reason to include our IPs.

If we have the data, we will always include it in the reports. We filter nothing from the data we send out, except to ensure that you receive the data for your responsible area.

What does it really mean when something was tagged as “spam” for a drone?

When we collect Spam messages, the message headers can be almost completely falsified, except the last hop connection before it hits a Spam trap. These are those IPs we are reporting: the ones that somehow relayed or originated the message to the traps.

I found the IP you listed, but my logs show a few hours off. Is your time correct?

All of our logs are in UTC, but we only send out the first event for each IP. There could be dozens or hundreds in a day. Because of the quantity of events on a daily basis, it is not efficient to send out each and every event seen on an IP.

What types of tags are there for drones?

As of January 13th 2021, we have the following tags:

android_spams

android.bakdoor.prizmes

android.bankbot

android.banker.anubis

android.bankspy

android.cliaid

android.darksilent

android.fakeav

android.fakebank

android.fakedoc

android.fakeinst

android.fakemart

android.faketoken

android.fobus

android.fungram

android.geost

android.gopl

android.hiddad

android.hqwar

android.hummer

android.infosteal

android.iop

android.lockdroid

android.milipnot

android.nitmo

android.opfake

android.premiumtext

android.provar

android.pwstealer

android.rootnik

android.skyfin

android.smsbot

android.smssilence

android.smsspy

android.smsspy.be24

android.sssaaa

android.teleplus

android.uupay

android.voxv

avalanche-andromeda

banatrix

bankpatch

bebloh

bedep

betabot

bitcoinminer

blackbeard

blakamba

boinberg

buhtrap

caphaw

carberp

chafer

changeup

chinad

citadel

cobint

coinminer

conficker

cryptowall

cutwail

cycbot

diaminer

dimnie

dipverdle

dircrypt

dirtjumper

disorderstatus

dmsniff

dofoil

domreg

dorkbot

dorkbot-ssl

dresscode

dybalom

ek.fallout

emoted

emotet

esfury

expiro

exploitkit.fallout

extenbro

fake_cs_updater

fakerean

fallout.exploitkit

fast-flux

fast-flux-double

fast-flux;fast-flux-double

fleercivet

fobber

foxbantrix

foxbantrix-unknown

generic.malware

geodo

gonderici

gootkit

gozi

gspy

gtfobot

hancitor

harnig

htm5player.vast

ibanking

icedid

infected

iotreaper

ip-spoofer

ircbot

isfb

jadtre

jdk-update-apt

js.worm.bondat

junk-domains

kasidet

kbot

kelihos

kelihos.e

keylogger

keylogger-ftp

keylogger-vbklip

kidminer

kingminer

koobface

kraken

kronos

kwampirs

lethic

linux.backdoor.setag

linux.ngioweb

litemanager

loader

locky

loki

lokibot

luminositylink

lurkbanker

madominer

magecart

maliciouswebsites

malvertising.doubleclick

malwaretom

marcher

matrix

matsnu

menupass

mewsspy

miner.monero

minr

mirai

mix2

mkero

monero

mozi

muddywater

murofet

mysafeproxymonitor

nametrick

necurs

netsupport

nettraveler

neurevt

nitol

nivdort

nukebot

null

nymaim

nymain

osx.fakeflash

palevo

pawnstorm

phishing

phishing.cobalt

phishing.cobalt_dickens

phorpiex

pitou

plasma-tomas

ponmocup

pony

poseidon

powerstats

proxyback

pushdo

pws.pony

pykspa

qadars

qakbot

qqblack

qrypter.rat

qsnatch

racoon

ramdo

ramnit

ranbyus

ransom.cerber

ransomware

ransomware.shade

rat.vermin

renocide

revil

rodecap

sality

sality-p2p

servhelper

sgminer

shifu

shiz

sinowal

sisron

sodinokibi

spam

sphinx

spyeye

ssh-brute-force

ssl

ssl-az7

ssl-unknown-bot-test

ssl-vmzeus

stantinko

tdss

teleru

telnet-brute-force

tinba

tinba-dga

trickbot

triton

trojan.click3

trojan.fakeav

trojan.includer

trojan.win32.razy.gen

unknown

unknown-bot-test

valak

vawtrak

vbklip

verst

victorygate.a

victorygate.b

victorygate.c

virut

vmzeus

vobfus

volatile_cedar

vpnfilter_stage3

wannacrypt

wauchos

webminer.cdn

win.neurevt

worm.kasidet

worm.phorpiex

wowlik

wrokni

xbash

xmrminer

xpaj

xshellghost

yoddos

zeus

zeus_gameover

zeus_panda

zloader

Note that this report typically contains data gathered in partnership with other organizations. For data shared from Shadowserver’s sinkholes please explore the Sinkhole HTTP Drone Report and Sinkhole6 HTTP Drone Report reports. Additionally, sinkhole data from Microsoft is shared via the Microsoft Sinkhole Report.

Fields

timestamp

Timestamp when the IP was seen in UTC+0
ip

The IP of the device in question
port

Source port of the IP connection
asn

ASN where the drone resides
geo

Country where the drone resides
region

State or province from the Geo
city

City from the Geo
hostname

Reverse DNS of the IP of the drone
type

Packet type of the connection traffic (UDP/TCP)
infection

Infection name, if known
url

Connection URL, if applicable
agent

HTTP connection agent, if applicable
cc_ip

The Command and Control managing the IP or destination IP that the device in question is observed connecting to
cc_port

Server-side port that the IP connected to
cc_asn

ASN of the C&C
cc_geo

Country of the C&C
cc_dns

For HTTP traffic, the content of the HTTP Host: header — normally the fully qualified domain name of the C&C
count

Number of connections from this drone IP
proxy

If the connection went through a known proxy system
application

Application name / Layer 7 protocol
p0f_genre

Operating System family
p0f_detail

Operating System version
machine_name

Name of the compromised machine
id

Bot ID
naics

North American Industry Classification System Code
sic

Standard Industrial Classification System Code
cc_naics

North American Industry Classification System Code for the C&C IP
cc_sic

Standard Industrial Classification System Code for the C&C IP
sector

Sector to which the IP in question belongs; e.g. Communications, Commercial Facilities, Information Technology
cc_sector

Sector to which the C&C IP belongs
ssl_cipher

SSL Cipher used if connection is done over SSL
family

Malware family, normally the same as infection, if present
tag

Additional information regarding the event, if present
public_source

Source of the event, if present

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc_ip","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2011-04-23 00:00:05","210.23.139.130",3218,7543,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:08","115.166.54.44",,9556,"AU","SOUTH AUSTRALIA","ADELAIDE","115-166-54-44.ip.adam.com.au",,"spyeye",,,"94.75.228.147",,16265,"NL","015.maxided.com",1,,,"WINXP",
"2011-04-23 00:00:10","116.212.205.74",48986,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",80,8560,"DE",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:15","58.169.82.113",2423,1221,"AU","TASMANIA","DEVONPORT",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:26","114.78.17.48",2769,4804,"AU","QUEENSLAND","BRISBANE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:28","124.190.16.11",4095,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:29","124.182.36.33",60837,1221,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","XP/2000 (RFC1323+, w+, tstamp+)"
"2011-04-23 00:00:33","116.212.205.74",23321,9822,"AU","WESTERN AUSTRALIA","PERTH",,"tcp","sinkhole",,,"74.208.164.166",80,8560,"US",,1,,,"Windows","XP SP1+, 2000 SP3 (2)"
"2011-04-23 00:00:36","124.190.16.11",4089,1221,"AU","VICTORIA","MELBOURNE",,"tcp","sinkhole",,,"74.208.164.166",443,8560,"US",,1,,,"Windows","2000 SP4, XP SP1+"
"2011-04-23 00:00:37","165.228.93.207",27105,1221,"AU","NEW SOUTH WALES","SYDNEY",,"tcp","sinkhole",,,"87.106.24.200",443,8560,"DE",,1,,,"Windows","2000 SP4, XP SP1+"

Our 131 Report Types

« Back to Network Reporting