Category Archives: Forensics

Grum botnet is staging a comeback

Remember the apparently successful Grum botnet takedown? Well, Grum is staging a comeback. Sure, a few tens of thousands of spam messages in August 2012 doesn’t seem like much compared to the millions in Grum’s heyday in July 2012, yet those new numbers are clearly increasing.

July, August 2012 Grum botnet top 10 ASNs

Let’s compare the July 2012 Grum botnet top 10 ASNs to the August 2012 top 10. Still spewing spam from Grum in August were India’s AS 9829 BSNL-NIB – National Internet Backbone, Korea’s AS 4766 KIXS-AS-KR – Korea Telecom, and Vietnam’s AS 7643 VNPT-AS-VN – Vietnam Posts and Telecommunications (VNPT). Is there a pattern there? National government-sponsored Internet backbones don’t clean up their spam-spewing botnet act well?

Congratulations to those ASNs missing from the new top 10, which are


TTNET ejected Festi but still infested with Lethic and other botnets 2012-07,2012-08

Congratulations to Turkey's TTNET's AS 9121 for getting Festi botnet spam down from more than a million messages a day to less than 100,000!


However, Festi is still in there, and TTNET has other problems, as well, including Lethic, Cutwail, Waledac, Maazben, and even Grum(!) botnets, plus Sendsafe.


John Quarterman on Mapping Spam and Politics (audio)

At a meeting on a completely different subject, I was interviewed about SpamRankings.net. Here's the audio, and here's the blurb they supplied:

John S. Quarterman, long time Internet denizen, wrote one of the seminal books about networking prior to the commercialization of the Internet. He co-founded the first Internet consulting firm in Texas (TIC) in 1986, and co-founded one of the first ISPs in Austin (Zilker Internet Park, since sold to Jump Point). He was a founder of TISPA, the Texas ISP Association. Quarterman was born and raised in Lowndes County, where he married his wife Gretchen. They live on the same land where he grew up, and participate in local community and government.

Quarterman took some time during Georgia River Network's Weekend for Rivers to speak with the Nonprofit Snapshot about spam-mapping and small town politics.

More about Elinor Ostrom's Nobel-prize-winning work on organizing the commons, and how that applies to SpamRankings.net.

The water organization has since been incorporated as the Georgia non-profit WWALS Watershed Coalition:

WWALS is an advocacy organization working for watershed conservation of the Willacoochee, Withlacoochee, Alapaha, and Little River Systems watershed in south Georgia and north Florida through awareness, environmental monitoring, and citizen advocacy.

-jsq

eHealth Ontario tops worldwide medical spammers SpamRankings.net

Joining the festival of the Festi botnet, eHealth Ontario’s AS 21992 SSHA-ONE-ASN made #1 in the July 2012 worldwide medical spam SpamRankings.net from CBL data, the first Canadian organization to do that. The same ASN did make #2 back in November 2011 and #5 in June 2011.

AS 21992 rank in the worldwide medical SpamRankings.net by month:
2011: Mar 9, Apr 7, May 41, Jun 5, Jul 6, Aug 41, Sep 6, Oct 5, Nov 2, Dec 7
2012: Jan 41, Feb 43, Mar 42, Apr 41, May 41, Jun 6, Jul 1

The blue dotted line indicates spam from Festi, which, as you can see, tracks pretty closely with total spam seen from AS 21992.

eHealth Ontario infested by Festi botnet

Is it a Festi epidemic?

-jsq

Festi botnet in July 2012 U.S. Medical SpamRankings.net from CBL

AS 122 U-PGH-NET-AS

The curve that took University of Pittsburgh Medical Center‘s AS 122 U-PGH-NET-AS to number one in the July 2012 U.S. SpamRankings.net from CBL data is almost completely explained by the Festi botnet, except for one day; the small curve at the beginning of the month was apparently caused by the Grum botnet.

AS 17311 ECMC-BGP was infested with Festi (blue curve on the right) at the same time as AS 122, and AS 17311 earlier had a Cutwail botnet


Pittsburgh back in the top 10 for spam from U.S. medical organizations

And this time it's #1 in the July 2012 U.S. SpamRankings.net from CBL data:

AS 122 U-PGH-NET-AS in the same ranking over time:

Rank by month:
2011: Mar 34, Apr 32, May 32, Jun 8, Jul 31, Aug 8, Sep 4, Oct 29, Nov 32, Dec 33
2012: Jan 30, Feb 32, Mar 29, Apr 6, May 5, Jun 9, Jul 1

University of Pittsburgh Medical Center's AS 122 U-PGH-NET-AS and Erie County Medical Center's AS 17311 ECMC-BGP not only took #1 and #2, they also spammed longer than other medical ASNs. That jumped them up 8 ranks each in one month.

-jsq

WIN finally got the no medical spam memo in March 2012

There’s a new development since we summarized A Year of SpamRankings.net: Medical Organizations. Chronic spamming medical organization WIN of Belgium finally dropped out of the July 2012 top 10 with its AS 9208, as you can see in the chronic ranking compilation:

Month      Volume   Rank
2011 Mar   26,737      1
2011 Apr   33,000      2
2011 May   10,851      1
2011 Jun   31,183      2
2011 Jul   33,930      1
2011 Aug   48,342      1
2011 Sep   13,454      1
2011 Oct    5,992      1
2011 Nov   16,838      1
2011 Dec   32,058      1
2012 Jan   10,272      1
2012 Feb   15,273      1
2012 Mar    7,331      1
2012 Apr      693      2
2012 May      270      5
2012 Jun      329      3
2012 Jul       21     11

It looks like WIN finally got the memo in March 2012 and has been improving since then.

Congratulations, WIN!

WIN finally went to zero

-jsq

Festi botnet infesting the world, July 2012

Autonomous Systems (ASes) infested with the Festi botnet spammed more than any others worldwide, pushing whole new countries such as Saudi Arabia and Turkey into the top of the top 20 countries in the July SpamRankings.net, and pushing India to number 1 worldwide. Here we look at the top 10 ASes infested by Festi.

Taking off like a rocket was SaudiNet's AS 25019 SAUDINETSTC-AS of Saudi Arabia. Rising almost as fast was National Internet Backbone's AS 9829 BSNL-NIB of India. Also on an upward path was academic network AS 8386 KOCNET of Turkey.

Linear Top 10 ASNs with Festi botnet

Chart by John S. Quarterman for SpamRankings.net.

Maybe already peaked were AS 24560 AIRTELBROADBAND-AS-AP – Bharti Airtel Ltd., AS 9121 TTNET – TTnet AS, AS 17813 MTNL-AP – Mahanagar Telephone Nigam Ltd., and AS 18101 RIL-IDC – Reliance Infocom Ltd Internet Data Centre.

We will examine Festi more in later blog posts.

-jsq

Grum down, but… 1 June 2012 – 30 July 2012, SpamRankings.net

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown took down the command and control nodes, presumably leaving the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of the Grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs

Graph by John S. Quarterman for SpamRankings.net.

The updated Top 10 Botnets graph has good news and bad news:


Spam from Microsoft’s AS 8075 April 2011-June 2012

As we’ve seen, Microsoft’s AS 8075 is back on top in the June 2012 SpamRankings.net from PSBL data. Actually, AS 8075 is a chronic offender, having been #1 numerous times, often placing in the top 10, and (we can see in internal data) never going below #38:

AS 8075 rank in the U.S. SpamRankings.net from PSBL data by month:
2011: Apr 1, May 1, Jun 2, Jul 3, Aug 4, Sep 10, Oct 37, Nov 37, Dec 38
2012: Jan 8, Feb 2, Mar 1, Apr 1, May 2, Jun 1

Also, CBL does often see spam from AS 8075 at the same time PSBL does, even though CBL has never seen enough spam from that ASN for it to place in the U.S. top 10 from CBL data.


Volume data from PSBL and CBL aggregated and interpreted by SpamRankings.net
Graph by John S. Quarterman for SpamRankings.net.

That’s a pretty dense graph, and internally it’s interactive for easy interpretation, but the dark purple line is PSBL volume and the lines with dots are various botnets and the like detected for AS 8075 by CBL. We can drill down to which IP addresses are producing the spam indicated by such rankings and graphs.
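The monthly volume-to-rank tables on this page (WIN's Volume and Rank rows, and the AS 8075 rank history) and the drilldown from a ranking to the IP addresses behind it can be reproduced with a few lines of code. This is an added example, not SpamRankings.net code: the records below are constructed, and the record layout (month, ASN, source IP, spam count) is an assumption, not the actual CBL or PSBL feed format.

```python
"""Rank ASNs by monthly spam volume, track one ASN over time, drill down to IPs.

Added example, not SpamRankings.net code. RECORDS is a constructed stand-in for
blocklist data (CBL, PSBL) after each spamming IP has been mapped to its ASN.
"""
from collections import defaultdict

RECORDS = [  # constructed sample rows: (month, asn, source_ip, spam_count)
    ("2012-06", 9208,  "198.51.100.7", 200), ("2012-06", 9208,  "198.51.100.9", 129),
    ("2012-06", 21992, "203.0.113.4",  300), ("2012-06", 122,   "192.0.2.10",   150),
    ("2012-06", 17311, "192.0.2.77",   140),
    ("2012-07", 9208,  "198.51.100.7",  21), ("2012-07", 21992, "203.0.113.4",  900),
    ("2012-07", 122,   "192.0.2.10",   700), ("2012-07", 122,   "192.0.2.11",   650),
    ("2012-07", 17311, "192.0.2.77",  1000),
]

def monthly_volume(records):
    """Total spam per month and ASN: {month: {asn: volume}}."""
    vol = defaultdict(lambda: defaultdict(int))
    for month, asn, _ip, count in records:
        vol[month][asn] += count
    return vol

def monthly_rank(records):
    """Rank ASNs within each month, highest volume first (ties broken by ASN)."""
    ranks = {}
    for month, per_asn in monthly_volume(records).items():
        order = sorted(per_asn, key=lambda a: (-per_asn[a], a))
        ranks[month] = {asn: i + 1 for i, asn in enumerate(order)}
    return ranks

def rank_history(records, asn):
    """[(month, volume, rank)] for one ASN: the Volume and Rank rows of the
    per-ASN tables on this page. Months where the ASN sent nothing are skipped."""
    vol, ranks = monthly_volume(records), monthly_rank(records)
    return [(m, vol[m][asn], ranks[m][asn]) for m in sorted(vol) if asn in vol[m]]

def top_ips(records, month, asn, n=3):
    """Drill down from a ranking to the IPs responsible, largest sender first."""
    per_ip = defaultdict(int)
    for m, a, ip, count in records:
        if m == month and a == asn:
            per_ip[ip] += count
    return sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    for row in rank_history(RECORDS, 122):
        print(row)                      # month, volume, rank
    print(top_ips(RECORDS, "2012-07", 122))
```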

The main point is that even mighty Microsoft often emits spam. Any big corporation is likely to have similar problems, because, as in the case of medical organizations, it is likely to have some employees who will fall for phishing or other exploits. Even the most Internet-security-savvy organization can’t catch them all. SpamRankings.net can help with that, both by providing incentive (do you want your organization to be at the top of the rankings?) and by providing drilldowns to help localize the problem (so you can fix it and brag about dropping off the rankings).

-jsq