Tag Archives: botnet

Darkmailer2 month in Canada December 2012 SpamRankings.net

December 2012 Canada SpamRankings.net from CBL data It’s apparently Darkmailer2 month in Canada. One company got a grip on it, and two got much worse, in the December 2012 SpamRankings.net for Canada Canada.

AS 7788 MAGMA-COMM, bought in 2004 by PRIMUS Telecommunications Group, peaked in the second week and then got a grip on its darkmailer2 spamming. AS 11342 PATHWAY really gave AS 32613 IWEB-AS a run for its money; both seem to have a darkmailer2 problem. Pathway went from 2,871 spam messages seen by CBL in November 2012 to 21,593,775 in December 2012: that’s 7,521 times. However, iWeb once again won the spam-spewing month in Canada!

Congratulations to the four dropouts, especially AS 16532 ASB2B2C, which Continue reading

Botnets behind the late-month upswings in Belgium in the September 2012 SpamRankings.net?

Congratulations to Belgacom, Mobistar, Uganda Uganda-Telecom and BASE Belgium for improving in the September 2012 SpamRankings.net for Belgium Belgium from CBL data! But what’s behind Brutele and Mobistar and Gateway getting worse at the end of the month? And what about Teledis, which is worse over the whole month, but better at the end?

For AS 12392 ASBRUTELE, the problem the whole month is Lethic botnet with a little Festi:

Continue reading

Festi in the rest of the top Turkish 7 SpamRankings.net 2012-08 CBL data

We’ve already looked at TTNET, which pushed Turkey Turkey to the top of the spamming world in July 2012, and KOCNET, ditto in August. What about other Turkish ASNs? The next five are AS 12735 ASTURKNET, AS 12978 DOGAN-ONLINE, AS 16135 TURKCELL, AS 29179 KIBRISONLINE-AS, and AS 8517 ULAKNET, in the August SpamRankings.net from both CBL and PSBL data. You guessed it: they’re all infested with Festi botnet, too.

Festi Turkish top 7-2 June-August 2012 SpamRankings.net CBL data

Festi Turkish top 7-2 June-August 2012 SpamRankings.net CBL data
Graph by John S. Quarterman for SpamRankings.net.

-jsq

Grum botnet is staging a comeback

Remember the apparently successful Grum botnet takedown? Well, Grum is staging a comeback. Sure, a few tens of thousands of spam messages in August 2012 doesn’t seem like much compared to the millions in Grum’s heyday in July 2012, yet those new numbers are clearly increasing.

July, August 2012 Grum botnet top 10 ASNs

Let’s compare the July 2012 Grum botnet top 10 ASNs to the August 2012 top 10. Still spewing spam from Grum in August were India’s AS 9829 BSNL-NIB – National Internet Backbone Korea’s AS 4766 KIXS-AS-KR – Korea Telecom and Vietnam’s AS 7643 VNPT-AS-VN – Vietnam Posts and Telecommunications (VNPT). Is there a pattern there? National government-sponsored Internet backbones don’t clean up their spam-spewing botnet act well?

Congratulations to those ASNs missing from the new top 10, which are

Continue reading

Festi botnet in July 2012 U.S. Medical SpamRankings.net from CBL

AS 122 U-PGH-NET-AS The curve that took University of Pittsburgh Medical Center‘s AS 122 U-PGH-NET-AS to number one in the July 2012 U.S. SpamRankings.net from CBL data is almost completely explained by Festi botnet, except for one day, plus the small curve at the beginning of the month was apparently caused by Grum botnet.

AS 17311 ECMC-BGP was infested with Festi (blue curve on the right) at the same time as AS 122, and AS 17311 earlier had a Cutwail botnet

Continue reading

Festi botnet infesting the world, July 2012

Autonomous Systems (ASes) infested with Festi botnet spammed more than any others worldwide, pushing whole new countries such as Saudi Arabia and Turkey into the top of the top 20 countries in the July SpamRankings.net, and pushing India to number 1 worldwide. . Here we look at the top 10 ASes infested by Festi.

Taking off like a rocket was SaidiNet's AS 25019 SAUDINETSTC-AS of Saudi Arabia. Rising almost as fast was National Internet Backbone's AS 9829 BSNL-NIB of India. Also on an upwards path was academic network AS 8386 KOCNET of Turkey.

Linear Top 10 ASNs with Festi botnet

Linear Top 10 ASNs with Festi botnet
Chart by John S. Quarterman for SpamRankings.net.

Maybe already peaked were AS 24560 AIRTELBROADBAND-AS-AP – Bharti Airtel Ltd. AS 9121 TTNET – TTnet AS AS 17813 MTNL-AP – Mahanagar Telephone Nigam Ltd. and AS 18101 RIL-IDC – Reliance Infocom Ltd Internet Data Centre

We will examine Festi more in later blog posts.

-jsq

Grum down, but… 1 June 2012 – 30 July 2012, SpamRankings.net

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown took down the command and control nodes, presumably leaving the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs

Grum botnet and its top 10 ASNs
Graph by John S. Quarterman for SpamRankings.net.

The updated Top 10 Botnets graph has good news and bad news:

Continue reading

Grum and other botnets, 1 June 2012 – 19 July 2012, SpamRankings.net

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, Huge spam botnet Grum is taken out by security researchers: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for SpamRankings.net from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don’t really see Continue reading

Cleveland Clinic wins one way, then another, in SpamRankings.net

1(4)AS 22093 CCF-NETWORKUnited States US
2(-)AS 27609 USC-UNIVERSITY-HOSPITALUnited States US
3(1)AS 25611 NSLIJHSUnited States US
4(-)AS 19335 APRIA-HEALTHCAREUnited States US
5(2)AS 9208 WINBelgium BE
6(7)AS 122 U-PGH-NET-ASUnited States US
Cleveland Clinic took #1 in the May 2012 worldwide medical SpamRankings.net. So Cleveland Clinic’s AS 22093 won the worldwide medical rankings by spamming the most of any medical organization worldwide, as found in CBL blocklist data. Boo Cleveland Clinic!

Yet AS 22093 CCF-NETWORK dropped like a rock on 7 May 2012, going to zero the next day, and staying there. So Cleveland Clinic also was most improved for May 2012 medical organizations. Congratulations, Cleveland Clinic!

This feat of IT security cleanliness shouldn’t have been hard for CCF, since AS 22093 CCF-NETWORK seems to have had a Lethic problem, which CBL saw on no more than 3 hosts. Sure, there could have been more hosts infected than that, and CBL just might not have seen them all. But 3 is far smaller than what CBL sees for a typical botnet infection, so the number of infected hosts probably was quite small. Which means it should have been easy for CCF to find them all and fix them.

Hm, maybe being #4 last month gave CCF some incentive?

-jsq

Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012 SpamRankings.net

Previously unseen Brinkster’s AS 33055 BCC-65-182-96-0-PHX took first place. AS 10439 CARINET leapt from #8 last month to #4 for March for the U.S., and was up to second place at the end of the month. Six ASNs joined the U.S. top 10: were they all due to snowshoe spam, too? Brinkster was so bad it made #8 on the world top 10!

Last month’s winner AS 21788 NOC finally cleaned up its act a bit, dropping from #1 to #5. Six ASNs dropped out of the top 10. Four of them (Webhost-ASN-1, LIMESTONENETWORKS, PEER1, and ATMLINK) popped to the top 10 last month due to snowshoe spam. The other two (NTT and Charter’s ASNs) didn’t even have to spam less to drop out, because this month’s top 10 had so much more spam.

But the US ASNs that got worse pushed the U.S. to #1 spamming country. The slope of that U.S. world top 10 curve for the last dozen days of March looks just like the Brinkster and CARINET ASN curves in the U.S. top 10. Very impressive, to drive the whole country into the countries top 10!

-jsq