Category Archives: Forensics

Grum and other botnets, 1 June 2012 – 19 July 2012, SpamRankings.net

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, Huge spam botnet Grum is taken out by security researchers: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for SpamRankings.net from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don’t really see …

Microsoft back on top in June SpamRankings.net

Rank (previous month’s rank) ASN
1 (2) AS 8075 MICROSOFT-CORP-MSN-AS-BLOCK
2 (1) AS 36692 OPENDNS
3 (-) AS 26769 BANDCON
4 (-) AS 22414 CRAIGS-NET-1
5 (-) AS 22822 LLNW
6 (-) AS 10912 INTERNAP-BLK

Beating even OPENDNS, Microsoft took #1 in U.S. PSBL June 2012 rankings.

Microsoft was last on top in the same rankings for April 2012. I thought Microsoft was a leader in Internet security?

In other news, Bell Canada’s AS 577 BACOM actually dropped off the Canadian June 2012 rankings from CBL data. Shaw took #1 and Iweb dropped to #2.

We have a new medical winner! It’s Hartford Hospital’s AS 11047 HHCC-ASN1. Gaining altitude at the end of the month was Joan and Sanford I. Weill Medical College and Graduate School of Medical Sciences of Cornell University with AS 20252 JSIWMC.

More on those and other developments in later blog posts.

-jsq


Almost… FortressITX zero spam for one day then up in SpamRankings.net

AS 25653 FortressITX went to zero for one day, 15 May, in the May 2012 U.S. SpamRankings.net, but bounded back up to more than 294,000 spam messages a day a week later, placing #6 for the month as a whole.

This was the second time FortressITX made the U.S. top 10. It had been #9 in March, but had dropped out of the April 2012 U.S. rankings. And yes, it’s snowshoe spam. That ASN does show a few other problems, also not botnets.

-jsq

Cleveland Clinic wins one way, then another, in SpamRankings.net

Rank (previous month’s rank) ASN, country
1 (4) AS 22093 CCF-NETWORK, United States (US)
2 (-) AS 27609 USC-UNIVERSITY-HOSPITAL, United States (US)
3 (1) AS 25611 NSLIJHS, United States (US)
4 (-) AS 19335 APRIA-HEALTHCARE, United States (US)
5 (2) AS 9208 WIN, Belgium (BE)
6 (7) AS 122 U-PGH-NET-AS, United States (US)

Cleveland Clinic took #1 in the May 2012 worldwide medical SpamRankings.net. So Cleveland Clinic’s AS 22093 won the worldwide medical rankings by spamming the most of any medical organization worldwide, as found in CBL blocklist data. Boo Cleveland Clinic!

Yet AS 22093 CCF-NETWORK dropped like a rock on 7 May 2012, going to zero the next day, and staying there. So Cleveland Clinic also was most improved for May 2012 medical organizations. Congratulations, Cleveland Clinic!

This feat of IT security cleanliness shouldn’t have been hard for CCF, since AS 22093 CCF-NETWORK seems to have had a Lethic problem, which CBL saw on no more than 3 hosts. Sure, there could have been more hosts infected than that, and CBL just might not have seen them all. But 3 is far smaller than what CBL sees for a typical botnet infection, so the number of infected hosts probably was quite small. Which means it should have been easy for CCF to find them all and fix them.

Hm, maybe being #4 last month gave CCF some incentive?

-jsq

Canada, land of spam plateaus on SpamRankings.net

Snowshoe spam took #1 in Canada again, through AS 32613 IWEB-AS, on the May 2012 SpamRankings.net. That was the first week of a spam plateau per ASN. The next week saw a plateau for AS 33139 CANACA-210. And the next week it was AS 6407 PRIMUS. Canada, land of spam plateaus! Does this mean spammers are shifting from ASN to ASN for successive weeks of spam campaigns?

The old-time winners, AS 6327 SHAW and AS 577 BACOM, kept spamming away, and came in #2 and #6 again. That’s in the rankings from CBL data. In rankings from PSBL data, IWEB, SHAW, and BACOM were #1, #2, and #3.

We actually saw less spam in May (CBL data) from Bell Canada’s BACOM than for any month since March 2011, the first month of rankings for SpamRankings.net. Congratulations Bell Canada!

The rest of the top six were upstarts, not much seen until recently. Iweb did make a bid for the top back in September 2011, but its recent predominance dates only from February of this year.

-jsq

SuperOnline dropped off May 2012 Turkey top 10 SpamRankings.net

Congratulations to Turkcell SuperOnline’s AS 34104 GLOBAL 64,658 for dropping off the top 10 spamming ASNs for Turkey in the May 2012 SpamRankings.net!

It was replaced in the Turkish top 10 by academic network ULAKNET’s AS 8517, which had previously dropped off the April rankings.

Perpetual winner and still champion for spewing spam from Turkey is TTNET’s AS 9121, accounting for almost 3/4 of all spam from Turkey seen by CBL. SpamRankings.net saw about the same proportion of Turkish spam coming from TTNET in data from PSBL.

-jsq

Stone Internet Services’ AS 39234 dropped like a rock in May 2012 SpamRankings.net

Some good news for Belgium! Stone Internet Services’ AS 39234 decreased spamming by 95% in May 2012, dropping from 8,212 on May Day to 321 on 28 May.

In the other direction, Brutele’s AS 12392 went from 2,220 on 3 May to 6,207 on 30 May, an increase of 279%.

And Uganda Telecom’s AS 21491 started up like a rocket at the end of the month, going from 1,046 on 26 May to 4,213 on 31 May, a 300% increase.

Now all these numbers are just samples by CBL, hints and whispers of the total amount of spam flying around the net. But when the curves move that fast, usually something is going on.

-jsq

CDM snowshoes to the top of the world in May 2012 SpamRankings.net

In addition to snowshoe spam taking 7 of the top 10 U.S. SpamRankings.net for May 2012, one of the snowshoe spamming companies, CDM, outspammed every other organization in the world! CDM’s AS 6428 outspammed even chronic world winner Vietnam PT.

In this graph, you can see CDM leap up from zero in March to 15.7 million spam messages in April and 48.8 million in May, and of course that’s just the messages caught by a few spamtraps.

The same spamtraps never saw more than 56 hosts sending all those messages. That was on 11 May 2012, when they saw 1,989,762 spam messages, for a ratio of 35,531 spam messages per sending host. That’s not exactly the old botnet low-and-slow technique. Snowshoe spam: it’s already in prime time!

And remember, CDM is not a hosting center: it’s an ISP. CDM continues to illustrate that snowshoe spam is no longer confined to the traditional profile of infesting hosting centers.

-jsq

Snowshoe took all top 7 in May U.S. CBL SpamRankings.net

Snowshoe appeared to have been the source for spam from all of the top seven spamming organizations in the May 2012 top 10 SpamRankings.net for the U.S. from CBL data. Only 3 were traditional ISPs (two cable companies, Comcast and Charter, plus Global Crossing). Snowshoe spam accounted for all but about 5% of spam from the U.S. top 10. And we already knew snowshoe is not just for hosting companies anymore.

At what point is snowshoe spam no longer a temporary black swan phenomenon, and becomes a prevailing trend?

-jsq

A few bad stones can darken an organization’s SpamRankings.net

Apparently a few infested computers can push a whole hosting service into the top 10 SpamRankings.net for its country. That’s bad, but on the other hand a few addresses should be easy to find and fix, if the infested organization wants to do so.

Take Stone Internet Services AS 39234 STONE-IS, which is the green line climbing to the top of the Belgium April 2012 rankings in the graph. On 30 April CBL caught more than 8,000 spam messages coming from STONE-IS, yet CBL only saw spam coming from a max of 3 STONE-IS IP addresses during that month. If those messages came evenly from each of those 3 addresses, that would be about 2,600 messages from each address, and more likely one of those addresses is the real culprit. Of course, that was almost certainly nowhere near all the spam that came from that ASN that month, and maybe not all the IP addresses sending them.

But compare to the number one source of spam from Belgium for …
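The arithmetic these posts do by hand (monthly ranking by summed daily counts, the peak-day messages-per-sending-host ratio used in the CDM and Stone Internet Services posts, and the start-to-end percent changes in the Belgium post), as an added Python example that is not SpamRankings.net’s own code. The daily records are constructed to echo figures quoted above, and the two cut-off thresholds are assumptions for the example.

```python
from collections import defaultdict

# Daily blocklist observations: (day, ASN, trapped spam messages, distinct
# sending IP addresses). Constructed sample: the CDM, STONE-IS and Uganda
# Telecom message counts echo figures quoted in the posts above; the host
# counts for AS 21491 and the non-peak days are made up.
SAMPLE = [
    ("2012-05-10", 6428, 1_612_000, 51),     # CDM
    ("2012-05-11", 6428, 1_989_762, 56),     # CDM peak day from the post
    ("2012-05-12", 6428, 1_744_000, 49),
    ("2012-04-30", 39234, 8_212, 3),         # STONE-IS, April peak
    ("2012-05-01", 39234, 8_212, 3),
    ("2012-05-28", 39234, 321, 1),
    ("2012-05-26", 21491, 1_046, 260),       # Uganda Telecom
    ("2012-05-31", 21491, 4_213, 780),
]

# Assumed cut-offs (not CBL's): above this many messages per host per day the
# posts stop calling the output "low-and-slow"; below this many hosts cleanup
# should be easy.
HIGH_VOLUME_PER_HOST = 1_000
FEW_HOSTS = 10

def monthly_ranking(obs, month):
    """ASNs ranked by messages summed over the days of `month` (YYYY-MM)."""
    totals = defaultdict(int)
    for day, asn, msgs, _ in obs:
        if day.startswith(month):
            totals[asn] += msgs
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def percent_change(first, last):
    """Start-to-end change as the posts quote it, e.g. 1,046 -> 4,213."""
    return (last - first) / first * 100

def profile(obs, asn):
    """Peak-day messages per sending host plus the two judgements the posts
    make from it: is the per-host rate high-volume or low-and-slow, and are
    there few enough sending hosts that remediation should be quick?"""
    rows = sorted((o for o in obs if o[1] == asn), key=lambda o: o[0])
    day, _, msgs, hosts = max(rows, key=lambda o: o[2])
    most_hosts = max(o[3] for o in rows)
    return {
        "peak_day": day,
        "messages_per_host": msgs // hosts,
        "rate": "high-volume" if msgs // hosts >= HIGH_VOLUME_PER_HOST else "low-and-slow",
        "scope": "few hosts" if most_hosts < FEW_HOSTS else "many hosts",
        "change_pct": round(percent_change(rows[0][2], rows[-1][2])),
    }
```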