Kelihos and Maazben botnets in U.S. October 2012

We’ve seen that the botnets Kelihos and Maazben account for most of the spam from the entirely new worldwide top 10 in the October 2012 Kelihos rampage. What about a specific country? The U.S. top 10 for October 2012 from CBL data are also entirely new (since last month): are all those U.S. ASNs ranked like that because of the Kelihos rampage? Two clues indicate yes: the shapes of the U.S. curves are very similar to those of the worldwide rankings, and the U.S. top 3 are in the worldwide top 10. But what about the rest of the U.S. top 10? Let’s drill down to botnets in the U.S. for October 2012 from CBL data:

Botnets in U.S. October 2012 from CBL data

We can see 9 out of the U.S. top 10 are there mostly because of Maazben or Kelihos, often alternating for the same ASN, in the same pattern as for the worldwide top 10. So yes, 9 are in the U.S. top 10 because of the Kelihos rampage.

The one exception is U.S. #10, AS 6428 CDM, which we’ve seen snowshoe itself to the top of the world rankings for May 2012, so it’s not surprising that CDM still has snowshoe problems.

Snowshoe spam and AS 6428 CDM in U.S. October 2012 from CBL data

This time CDM seems to have recovered pretty quickly, actually.