Kortech.cn Botnet Activities

Kortech.cn is a Chinese website, located in Shangai China.

Since the start of our HoneyNet in Feb. 2009 we have directly observe that one “Tier RFI” where located on Kortech.cn and participate actively to a bonnet propagation.

Kortech.cn server, how is hosting the major botnet script, has the IP 218.5.74.92. Since Feb. 2009 to end Jun 2010, FileAve.com botnet is composed of 39 different malware hosters, has generate 8 134 events and 353 attackers have call the botnet files located on the hosters servers.

China, Germany, Colombia and South Korea are the countries how are the most participating to the botnet activity in term of events. China, South Korea, Germany and US are the countries how are hosting part of the botnet since more than 100 days.

March 2010 was the more active month in term of events, April 2009 the month with the most distinct attackers and March 2010 the month with the most detected hosters. Since December 2009 we can see that the activity of the botnet is increasing.

Interesting point the FileAve.com Botnet and the Kortech.cn Botnet are linked together between some few hosters. Just check the available Afterglow visualization of the interaction between the two botnets.

I have generate some stats and graphs, with all the associated raw datas how are available here.