ATLAS Summary Report: Global Botnets

Summary Report

Global Botnets

View:
Port Summary
C&C Servers

Output:
Print
XML
CSV

Port Summary (past 24 hours)

Server Port	Number of Servers	Percentage
6667	241	47.2%
7000	19	3.7%
8080	14	2.7%
1863	7	1.4%
81	6	1.2%
80	6	1.2%
6669	6	1.2%
25999	5	1.0%
6666	4	0.8%
4244	4	0.8%
other	199	38.9%

C&C Servers (past 24 hours)

By Country

Country	Number of servers	Percentage
US (United States)	207	40.5%
CA (Canada)	61	11.9%
DE (Germany)	38	7.4%
GB (Great Britain)	20	3.9%
RU (Russian Federation)	13	2.5%
KR (South Korea)	11	2.2%
JP (Japan)	11	2.2%
FR (France)	11	2.2%
IL (Israel)	10	2.0%
TW (Taiwan)	9	1.8%
Other	120	23.5%

By ASN

ASN	Number of servers	Percentage
AS23522 (Unknown)	84	16.4%
AS25761 (Unknown)	21	4.1%
AS30083 (Unknown)	12	2.3%
AS27524 (XEEX-COMMUNICATIONS)	11	2.2%
AS21844 (THEPLANET-AS)	10	2.0%
AS8001 (Unknown)	8	1.6%
AS30058 (FDCSERVERS)	8	1.6%
AS35908 (VPLSNET)	7	1.4%
AS7132 (Unknown)	6	1.2%
AS31400 (Unknown)	6	1.2%
Other	338	66.1%

By Host

Host	Number of servers	Percentage
99.128.210.89	1	0.2%
93.187.201.49	1	0.2%
93.187.201.47	1	0.2%
92.62.101.6 (ds6.esthost.eu)	1	0.2%
92.23.61.95	1	0.2%
92.16.11.207	1	0.2%
92.0.96.34 (host-92-0-96-34.as43234.net)	1	0.2%
91.200.45.50	1	0.2%
91.192.36.142	1	0.2%
91.191.166.183	1	0.2%
Other	501	98.0%

Background

Botnets are collections of compromised hosts that attackers remotely control for their own nefarious purposes.

Once installed and running, a malicious bot will attempt to connect to a remote server to receive instructions on what actions to take. The most common command and control (C&C) protocol used for this is Internet Relay Chat (IRC). While a legitimate protocol for online chat, IRC is often used by attackers due to the relative simplicity of the protocol along with the ready availability of bot software written to use it. After connecting, a bot-controlled host can be controlled by an attacker and commanded to conduct malicious actions such as sending spam, scanning the Internet for other potentially controllable hosts, or launching DoS attacks.

ATLAS maintains a real-time database of malicious botnet command and control servers that is continuously updated. This information comes from malware analysis, botnet infiltration, and other sources of data.