Twin Kelihos infections in twin countries!
Canada
in both
CBL
and
PSBL
rankings shows
tandem spam volume curves for
Bell Canada‘s
AS577 BACOM
and for
Shaw Communications
AS6327 SHAW.
Meanwhile,
Belgium
in both
CBL
and
PSBL
rankings
shows tandem curves for
Brutele‘s
AS12392 ASBRUTELE
and for
Belgacom‘s
AS5432 BELGACOM-SKYNET-AS.
This is not a coincidence, since all four networks show Kelihos infections in the CBL data.
-jsq
Canada’s
The Hospital for Sick Children
AS 46626 SICKKIDS-AS-01
dropped out of the
May 2013
for world medical organizations from CBL data.
In
April they ranked #1 with 21,912 spam messages,
and in May they dropped to #27 with only 28 messages.
In April they really only spammed for one week, as you can see
in the big spike in the graph.
Of course, the hospital itself probably didn’t knowingly send the spam;
usually they’ve been compromised by botnets or phishing or some other breach,
but hospital patients and other customers won’t necessarily know that
if they receive some of it.
And if their security is lax enough to let in things that emit spam,
what else has been compromised?
This is why hospitals are quick to squelch outgoing spam and fix
the underlying security problems.
-jsq
McAfee PR of today,
McAfee Quarterly Threat Report Sees Social Media Worm Resurgence as Spam Rises Dramatically:
Targeted Attacks Continue Rise; “Pump and Dump” Returns
with Record Stock Market Highs
McAfee Labs today released the McAfee Threats Report: First Quarter 2013, which reported a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam. McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).
McAfee Labs found almost three times as many samples of Koobface as were seen in Continue reading
The big winner was AS 7788 MAGMA-COMM, which dropped from #3 to #147
by decreasing from millions to less than a thousand spam messages in the
January 2013
for
Canada.
Magma had a brief spate of Kelihos spam in the middle of the month,
but it only lasted less than a week.
Almost as good was AS 6407 PRIMUS-AS6407, dropping from millions
the previous month to a few hundred thousand, and from #6 to #11.
That one while beating its Kelihos problem, seems to have developed
a Cutwail problem, which was sending increasingly
more spam at the end of the month.
Since
Magma was bought by Primus in 2004,
Primus gets double congratulations!
-jsq
For two months in a row, DorukNet’s AS 8685 has spammed the most
in the
January 2013
for
Turkey from CBL data.
Before that, it was #6 in November 2012 and also #6 April 2011.
In April 2011 the problem was apparently Lethic with a max of 87,852 on 1 April 2011. DorukNet seemed to have a bit of maazben, cutwail, etc. at that time, but very little compared to Lethic.
In November 2012 the problem was apparently Kelihos with a max of 299,873 on 7 November 2012.
This recent DorukNet peak that looks like Mt. Ararat was up to 13,569,282 on 18 January 2013, apparently from darkmailer2. DorukNet is actually improving since that peak, but meanwhile it managed to increase its December spam total of 54,803,032 to 324,544,788 in January 2013.
Continue reading
#1 AS 8685
DORUKNET,
#3 AS 42910 SADECEHOSTING-COM,
and #5 AS 34984 TELLCOM-AS
all ran up in the last two weeks,
and all three show darkmailer2.
December 2012
for
Turkey.
DORUKNET sent a third of all top 10 spam from Turkey to rank number 1,
but
SADECEHOSTING-COM wins most worsened, for
jumping up 21 ranks from 24 to 3, by sending
more than 300 times as much spam as the previous month.
#8 AS 39582 GRID and
#9 AS 43391 NETDIREKT-TR
both jumped up 25 ranks, but each managed “only” less than 100 times
as much spam as last month.
AS 44922 MEDYABIM-AS
gets most improved for actually going to zero,
even though it had already spammed enough to keep it at #4.
#6 AS 34619 tried to zero, but got to spamming again.
AS 8386 KOCNET looks like it’s finally getting a grip,
improving from #2 to #7,
sending about a third as many spam messages as the previous month.
Special congratulations to
AS 44565 VITAL
for a huge improvement! Congratulations to Niobe,
Dogan, and Kibris for improving. And boo to
TurkNet
for actually spamming more even though it got pushed down out of the top 10.
-jsq
Even while spamming a lot less,
AS 44565 VITAL still placed #1 again for spewing spam from Turkey
in the
November 2012
from CBL data.
Even as Vital got a handle on
its Kelihos problem,
AS 8386 KOCNET improved twice.
Maybe KOCNET is finally getting a grip on
its Festi problem.
KOCNET’s peak of 0.8 million messages in November is a lot less than
its peak of 1.3 million in September, although still far too many.
-jsq
OVH won again, more than doubling its spam spew of last month!
This is in the
November 2012
from CBL data.
Is that 407,726,779 spam messages in a single month a record?
Last month it was Kelihos.
This month it looks like darkmailer.
-jsq
Turkey, like
Belgium,
Canada,
U.S.,
and
the world,
has a Kelihos rampage problem in
from CBL data
for October 2012.
New Turkish #1 spammer AS 44565 VITAL TEKNOLOJI shows all the signs: rapidly increasing spamming and both Maazben and Kelihos botnets.
The other new Turkish top 10 ASNs, AS 42868 NIOBE AS 44922 MEDYABIM-AS, AS 12599 ATLAS-AS AS 49632 DATATELEKOM and AS 12987 OMURGA, all show lesser but still distinctive signs of the Kelihos rampage, namely Maazben botnet plus other unknown botnets. They all also only surged for a week or two, while Vital continued upwards.
-jsq
Belgium has a Kelihos problem in
from CBL data
for October 2012.
#1 Mobistar’s AS 12493 and #2 Telenet’s AS 6848 were spewing spam from
Kelihos, pushing all the other ASNs down the rankings.
Kelihos rampage: it’s not just for
north America!
A few other botnets have a bit of Kelihos, but only the top 2 for Belgium are part of the Kelihos rampage. (Newcomer AS 9031 EDPNET has a Cutwail problem.)
-jsq