Of House Cleaning and Botnet C&C’s

In the last couple of weeks we have dropped almost 2500 C&C’s from our tracking system. This may seem extreme, but it was something of a necessity. It should also raise the question of how valid the rest of the C&C counts you see are.

We have several reasons for this cleaning, and it is important for everyone to understand why it is occurring and why it will occur again in the future. About 98% of the C&C’s we track come from the analysis of malware. When we analyze a sample and it has network traffic to an IRC server, we record that server in our tracking system to be followed up on at a later time.

Our tracking system runs several automated checks and marks the ticket up or down depending on whether the server is reachable. This approach has several issues.

The first is public servers. Most public IRC servers work very hard to identify botnet channels and get them shut down, so if a piece of malware attempted to access a channel on a public server, that channel will most often be gone and inaccessible within a week or less. Our tracking system, however, will still see the server as up and keep the ticket open.

Our solution up to now has been for our diligent engineers to take each ticket and investigate whether there really is a botnet there and what action should be taken. Being an all-volunteer organization means that everyone has day jobs, and the number of tickets we can test on a daily basis is not very high: we can only monitor about 500-600 C&C’s per day using this method.

While not very efficient, it does ensure high accuracy. Pick one or the other, but never both.

So as time progressed we started stacking up C&C’s on public servers, some with ages of more than a year. In spot checks we could see that many of these were actually gone, killed by the opers of the public servers.

So on to the house cleaning. We know we will not get to many of these for validation in any short timeframe, so we closed all of those tickets so that the system would no longer check those C&C’s. There is a concern that in doing this we might be closing our view into actual live C&C’s. That is always a possibility, but if another piece of malware comes to us attempting to access that C&C, the ticket is re-opened automatically and the process starts all over again.

So if you look at our charts you can see the large decreases, but also the numbers slowly creeping back up after each mass closure. Those are some of those tickets being re-opened, or new C&C’s being added to the system, all from newly collected malware.
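To make the lifecycle described above concrete, here is a small model of the ticket state machine: a ticket opens on a malware sighting, stays "up" while the automated check can reach the server, gets closed by a mass house cleaning when it has aged out on a public server, and is re-opened automatically by the next sample that references it. This is an added illustration written for this post, not the tracking system's own code; the server names, dates and the always-reachable probe are constructed, and the 365-day threshold is an assumption standing in for "ages of more than a year".

```python
"""Model of a C&C ticket lifecycle: sighting -> open -> aged out -> closed -> re-opened."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class Ticket:
    server: str            # IRC server the sample connected to
    channel: str           # channel the sample joined
    opened: date           # first sighting
    last_seen: date        # most recent sample referencing this C&C
    state: str = "open"    # only "open" tickets are probed and counted
    reachable: bool = True # result of the last automated check


class Tracker:
    def __init__(self, today: date) -> None:
        self.today = today
        self.tickets: Dict[Tuple[str, str], Ticket] = {}

    def record_sighting(self, server: str, channel: str, when: date) -> Ticket:
        """A newly analysed sample talked to server/channel: open or re-open its ticket."""
        key = (server, channel)
        t = self.tickets.get(key)
        if t is None:
            t = Ticket(server, channel, when, when)
            self.tickets[key] = t
        else:
            t.last_seen = when
            t.state = "open"  # a closed ticket comes back automatically on a new sighting
        return t

    def run_checks(self, probe: Callable[[str], bool]) -> None:
        """Automated reachability check; closed tickets are skipped."""
        for t in self.tickets.values():
            if t.state == "open":
                t.reachable = probe(t.server)

    def house_clean(self, public_servers: Iterable[str], max_age_days: int) -> List[Ticket]:
        """Close aged tickets on public servers without waiting for manual validation."""
        public = set(public_servers)
        closed: List[Ticket] = []
        for t in self.tickets.values():
            age = (self.today - t.opened).days
            if t.state == "open" and t.server in public and age > max_age_days:
                t.state = "closed"
                closed.append(t)
        return closed

    def counted_up(self) -> int:
        """What the public chart shows: open tickets whose server answered the last check."""
        return sum(1 for t in self.tickets.values() if t.state == "open" and t.reachable)


def demo() -> dict:
    """Walk one cleanup cycle on constructed data and return the chart counts at each step."""
    today = date(2009, 6, 1)  # constructed reference date
    tr = Tracker(today)
    public = {"irc.public-network.example"}  # constructed public IRC network
    # Constructed sightings: three channels on the public network, each older than a year,
    # plus one recent ticket on a private host (RFC 5737 documentation address).
    for i, chan in enumerate(["#bot1", "#bot2", "#bot3"]):
        tr.record_sighting("irc.public-network.example", chan, today - timedelta(days=400 + i))
    tr.record_sighting("203.0.113.7", "#x", today - timedelta(days=10))

    # The public server still answers even though its opers killed the channels long ago,
    # so reachability alone keeps every ticket "up".
    always_up = lambda server: True
    tr.run_checks(always_up)
    before = tr.counted_up()

    closed = tr.house_clean(public, max_age_days=365)
    after = tr.counted_up()

    # A fresh sample references one of the closed channels: the ticket re-opens by itself.
    tr.record_sighting("irc.public-network.example", "#bot2", today)
    tr.run_checks(always_up)
    after_reopen = tr.counted_up()
    return {"before": before, "closed": len(closed), "after": after, "after_reopen": after_reopen}


if __name__ == "__main__":
    print(demo())  # constructed data: before 4, closed 3, after 1, after_reopen 2
```

The `always_up` probe is the heart of the problem the post describes: a server-level reachability check cannot tell a live botnet channel from a public network that long ago shut that channel down, which is why the count only moves when tickets are closed on age, and why it creeps back up as new samples re-open some of them.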

We want everyone to understand our actions and why we do certain things, especially when it concerns any of our public charts. We much prefer as much transparency as possible, so as to decrease any confusion or speculation about why our charts suddenly take a plunge.

As always we appreciate any comments, concerns, and criticisms on our actions and activity.

Richard