Category Archives: IT Securiiy

Spam worming up rapidly –McAfee

Email and spam volume McAfee PR of today, McAfee Quarterly Threat Report Sees Social Media Worm Resurgence as Spam Rises Dramatically: Targeted Attacks Continue Rise; “Pump and Dump” Returns with Record Stock Market Highs

McAfee Labs today released the McAfee Threats Report: First Quarter 2013, which reported a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam. McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).

McAfee Labs found almost three times as many samples of Koobface as were seen in Continue reading

Almost… FortressITX zero spam for one day then up in

AS 25653 FortressITX went to zero for one day, 15 May, in the May 2012  U.S., but bounded back up to more than 294,000 spam messages a day a week later, placing #6 for the month as a whole.

This was the second time FortressITX made the U.S. top 10. It had been #9 in March, but had dropped out of the April 2012 U.S. rankings. And yes, it’s snowshoe spam. That ASN does show a few other problems, also not botnets.


Cleveland Clinic wins one way, then another, in

1(4)AS 22093 CCF-NETWORKUnited States US
3(1)AS 25611 NSLIJHSUnited States US
4(-)AS 19335 APRIA-HEALTHCAREUnited States US
5(2)AS 9208 WINBelgium BE
6(7)AS 122 U-PGH-NET-ASUnited States US
Cleveland Clinic took #1 in the May 2012 worldwide medical So Cleveland Clinic’s AS 22093 won the worldwide medical rankings by spamming the most of any medical organization worldwide, as found in CBL blocklist data. Boo Cleveland Clinic!

Yet AS 22093 CCF-NETWORK dropped like a rock on 7 May 2012, going to zero the next day, and staying there. So Cleveland Clinic also was most improved for May 2012 medical organizations. Congratulations, Cleveland Clinic!

This feat of IT security cleanliness shouldn’t have been hard for CCF, since AS 22093 CCF-NETWORK seems to have had a Lethic problem, which CBL saw on no more than 3 hosts. Sure, there could have been more hosts infected than that, and CBL just might not have seen them all. But 3 is far smaller than what CBL sees for a typical botnet infection, so the number of infected hosts probably was quite small. Which means it should have been easy for CCF to find them all and fix them.

Hm, maybe being #4 last month gave CCF some incentive?


Canada, land of spam plateaus on

Snowshoe spam took #1 in Canada again, through AS 32613 IWEB-AS, on the May 2012 That was the first week of a spam plateau per ASN. The next week saw a platau for AS 33139 CANACA-210. And the next week it was AS 6407 PRIMUS. Canada, land of spam plateaus! Does this mean spammers are shifting from ASN to ASN for successive weeks of spam campaigns?

The old-time winners, AS 6327 SHAW and AS 577 BACOM, kept spamming away, and came in #2 and #6 again. That’s in the rankings from CBL data. In rankings from PSBL data, IWEB, SHAW, and BACOM were #1, #2, and #3.

We actually saw less spam in May (CBL data) from Bell Canada’s BACOM than for any month since March 2011, the first month of rankings for Congratulations Bell Canada!

The rest of the top six were upstarts, not much seen until recently. Iweb did make a bid for the top back in September 2011, but its recent predominance dates only from February of this year.


SuperOnline dropped off May 2012 Turkey top 10

Congratulations to Turkcell SuperOnline‘s AS 34104 GLOBAL 64,658 for dropping off of the top 10 spamming ASN’s for Turkey in the May 2012!

It was replaced in the Turkish top 10 by academic network ULAKNET‘s AS 8517, which had previously dropped off the April rankings.

Perpetual winner and still champion for spewing spam from Turkey is TTNET‘s AS 9121, accounting for almost 3/4 of all spam seen from Turkey seen by CBL. saw about the same proportion of Turkish spam coming from TTNET in data from PSBL.


What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:

Left Axis: Total Ogee volume (spam messages);
Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested from the U.S. top 10 previously described also are in there, except AS 7796 ATMLINK and AS 13768 PEER1.

New here are these three: Continue reading

Did the February 2012 spam surge come from one botnet? saw
AS 21788NOC
AS 33055BCC-65-182-96-0-PHX
AS 15149EZZI-101-BGP
AS 13768PEER1
a huge surge in spam from some U.S. ASNs, mostly from ones that hadn’t even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?

Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table on the right and shown in the chart below:

Left Axis: ASN volume (spam messages); Right Axis: Botnet volume (dotted curves)

The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.

AS 21788 NOC was one of the first and worst affected by this spam surge: Continue reading

Big U.S. Spam Spike in February 2012

What could push the U.S. from 13 to 2 in worldwide, and way up to number one for the last week of February 2012?

In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn’t place in the top 10 at all, for the first time in recent memory!

NOC has had this problem before, in July and November 2011, but never with this amount of spam volume. And this time many other ASNs show the same pattern.

The same issue may be in the Canadian rankings as well: AS 32613 IWEB-AS jumped from 8 to 1 for the month, with almost all the increase in the same last week of the month as for the U.S. problem ASNs.

There was even a similar curve in the World rankings, for Telefonica del Peru’s AS 6147 SAA.

Our next step is to drill down to see if these ASNs were infected by the same botnet. We did that for the medical ASNs last month, but this is a much bigger spam event this month.


Davos discovers cyber attacks

Cyber attacks made the Davos Top 5 Global Risks in Terms of Likelihood. Davos, the annual conclave of the hyper-rich and famously elected, has also discovered Severe income disparity and Water supply crisis, so maybe they’re becoming more realistic.

However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.

Interesting comment on page 26: Continue reading

Is January’s medical spam caused by botnets?

Remember those three spamming medical organizations PSBL saw and the spike from CSHS that found in CBL data? Digging into the underlying data, and graphing them all on the same chart, we see this:

Even though the three three-digit-spamming medicos spam oddly coherently, we don’t find any botnets for them. This may be because most of that spam was seen by PSBL, and our botnet assignments come from CBL. CBL didn’t see any spam from those ASNs, so it didn’t have anything to assign for botnets. Maybe they’re infested by the same botnet; maybe not; can’t tell.

But it was CBL that saw that big spam spike for AS 22328 CSHS. And CBL did assign a botnet to that: Lethic. For all but two days of CSHS spam shown, CBL assigned Lethic to the total amount of spam from CSHS for that day. That may be because all that CSHS spam is coming from a single computer.

Of course, CBL’s botnet assignments are not perfect, but infosec professionals tell me CBL is about as good as it gets for that, so there’s a good chance this botnet assignment is correct.

The good news is that all of the trio of three-digit spamming medicos decreased their spam and even went to zero during the period shown.

And CSHS spam peaked at the end of January and started back down in February.

Pretty soon there may be once again little or no spam from medical organizations to rank.