Author: P.Hauser (28 Sep 07 11:39am)
Cyveillance unleashed [Part I]
We discovered a source of "data pollution" for the HoneyPot-database. Ironically this source is a security company running its harvesters for chasing webbased malware for their customers. A generic description of the IP-candidates of this company here would be a harvester with
1) no associated mailserver and
2) the user-agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)" or "Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)".
Now what scares me a little concerning Honeypot data is the fact, that this company covered our webspace from 15/May/2005 on with 5 CIDR-24-ranges, which is eqivalent to 1.280 hosts or harvesters! Now you will probably answer that the Honeypot database "trusts" these IPs.
We could receive distinct database generated harvests from this company here from within the ranges of 184.108.40.206/24, 220.127.116.11/24, 18.104.22.168/24, 22.214.171.124/24, 126.96.36.199/24. So far I found the following harvester-IPs of this company here:
188.8.131.52, 184.108.40.206, .38, 220.127.116.11, 18.104.22.168, .237, 239, 22.214.171.124, 123, 124, 125
Other reports say, that this security company uses from 2.888 hosts up to 2.100.040 hosts for their activities. Even if they use only, let's say, 3.000 hosts for their harvests and even if they change the ranges very often for some strategical reason, this will be almost impossible to comment in the Honeypot web-interface for all Spider-IPs. It will lead to false-positive-comments like someone found their harvester-IPs in APEWS, since the security company rented a "dirty" range somewhere.
Thats actually why I put my posting here and not in any IP comment.
Post Edited (28 Sep 07 12:03pm)