Damballa's analysis of botnet C&C servers criticised
The analysis by anti-botnet specialist Damballa which concluded that the 1&1 web hosting service and ISP is particularly popular with botnet command and control (C&C) servers has been severely criticised. Damballa based its statement on analyses which appear to show that 11% of all C&C servers can be traced back to the networks of German provider 1&1.
According to various botnet specialists and a statement by 1&1 press spokesman Michael Frenzel, apparently Damballa's list of suspicious servers was flawed. Damballa has since deleted the blog posting about the statistics.
When inspecting Damballa's list of alleged C&C servers, Thorsten Holz of the German Honeynet Project soon identified dozens of harmless domains. For instance, Damballa apparently mistook name and mail servers run by GMX, 1&1 and German Telekom for command and control servers. Furthermore, Damballa reportedly didn't take into consideration "sinkhole" domains.
Sinkhole domains are used for redirecting the communication between bots and their C&C server. To achieve this, providers simply manipulate the name resolution to make the bots contact a harmless server. This prevents the bots from accepting new commands and from returning collected data – and 1&1 has implemented a large number of these sinkholes, for instance for the Torpig banking trojan.
Damballa should really know about such defence mechanisms, as they themselves use this technology to analyse botnets. Whether including the sinkhole domains resulted in this drastic statistical distortion remains an open question. The H's associates at heise Security have asked Damballa to explain the flawed list, but have so far not received a reply.
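The two mechanisms the article describes, a provider-side DNS sinkhole that starves bots of commands, and the way unfiltered sinkhole and infrastructure addresses inflate a per-provider C&C count, can be shown in a small simulation. The following is an added example written for this page; it is not code from the article, from Damballa or from 1&1. Every domain, address, prefix and provider name in it is constructed (reserved documentation ranges), and the `resolve`, `Sinkhole`, `provider_of` and `cc_share_by_provider` names are the example's own.

```python
"""Added example: DNS sinkholing and its effect on C&C-by-provider statistics.

All names, addresses and providers below are constructed for illustration;
they do not describe any real network.
"""
import ipaddress
from collections import Counter

# Constructed "authoritative" answers a bot would normally receive.
AUTHORITATIVE = {
    "cc1.example-botnet.test": "203.0.113.10",
    "cc2.example-botnet.test": "203.0.113.11",
    "update.example-botnet.test": "198.51.100.5",
    "ns1.example-provider.test": "192.0.2.53",   # ordinary name server, not C&C
}

# Sinkhole policy (constructed): names the provider overrides, and where
# the bots are sent instead of the real C&C server.
SINKHOLE_IP = "192.0.2.200"
SINKHOLED_NAMES = {"cc1.example-botnet.test", "cc2.example-botnet.test"}

# Constructed prefix -> provider table used to attribute an address.
PROVIDER_PREFIXES = {
    "203.0.113.0/24": "provider-a",
    "198.51.100.0/24": "provider-b",
    "192.0.2.0/24": "provider-c",   # hosts both the name server and the sinkhole
}

KNOWN_INFRASTRUCTURE = {"192.0.2.53"}   # legitimate name/mail servers
KNOWN_SINKHOLES = {SINKHOLE_IP}


def resolve(name, sinkhole_enabled=True):
    """Name resolution with the provider's sinkhole policy layered on top."""
    if sinkhole_enabled and name in SINKHOLED_NAMES:
        return SINKHOLE_IP
    return AUTHORITATIVE.get(name)


class Sinkhole:
    """Harmless server: records each beacon but never hands out a command."""

    def __init__(self):
        self.beacons = []

    def handle(self, bot_id, payload):
        self.beacons.append((bot_id, payload))
        return None   # no command for the bot


def bot_checkin(bot_id, cc_name, sinkhole, sinkhole_enabled=True):
    """Simulate one bot check-in; returns the command the bot would act on."""
    ip = resolve(cc_name, sinkhole_enabled)
    if ip == SINKHOLE_IP:
        # Bot talks to the sinkhole: its upload is recorded, nothing comes back.
        return sinkhole.handle(bot_id, "collected-data-placeholder")
    return "run-command"   # a real C&C server would answer with a command


def provider_of(ip):
    """Attribute an address to a provider via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, provider in PROVIDER_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return provider
    return "unknown"


def observed_cc_candidates(lookups):
    """Addresses bots were seen contacting after resolving the given names."""
    return [resolve(name) for name in lookups]


def cc_share_by_provider(observed_ips, exclude=frozenset()):
    """Percentage of candidate C&C addresses per provider.

    Pass exclude=KNOWN_SINKHOLES | KNOWN_INFRASTRUCTURE to drop sinkholes and
    legitimate servers before attributing; without it the provider operating
    the sinkhole is charged for every sinkholed botnet.
    """
    kept = [ip for ip in observed_ips if ip not in exclude]
    counts = Counter(provider_of(ip) for ip in kept)
    total = sum(counts.values())
    return {p: round(100 * c / total, 1) for p, c in counts.items()} if total else {}


if __name__ == "__main__":
    sink = Sinkhole()
    print(bot_checkin("bot-1", "cc1.example-botnet.test", sink))          # None
    print(bot_checkin("bot-1", "cc1.example-botnet.test", sink, False))   # run-command
    seen = observed_cc_candidates(AUTHORITATIVE)
    print(cc_share_by_provider(seen))
    print(cc_share_by_provider(seen, KNOWN_SINKHOLES | KNOWN_INFRASTRUCTURE))
```

With the sinkhole enabled the bot's lookup lands on the harmless address and the check-in returns no command, while the sinkhole keeps a record of the attempt. Counting the observed addresses naively attributes three of four candidates to the provider that merely runs the sinkhole and a name server; removing known sinkholes and infrastructure first leaves only the one address that actually served commands.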
1&1 spokesman Frenzel said that his company knows of no C&C servers currently in operation in its networks. He said one reason for this is 1&1's efficient take-down procedure for C&C servers. The company reportedly has a team of 40 anti-abuse specialists who work around the clock and can respond very quickly.