Tag Archives: botnet

Did snowshoe spamming cause the big February spam surge?

It turns out the source of the big spam surge that rocketed eight ASNs

Rank
(Previous)		 ASN
1 (9) AS 21788 NOC
2 (-) AS 27229 WEBHOST-ASN1
3 (-) AS 46475 LIMESTONENETWORKS
4 (-) AS 33055 BCC-65-182-96-0-PHX
6 (5) AS 15149 EZZI-101-BGP
7 (-) AS 13768 PEER1
8 (-) AS 10439 CARINET
9 (-) AS 7796 ATMLINK
to the top of the U.S. February 2012 SpamRankings.net was not a botnet: it was apparently snowshoe spamming. Here are the most-affected eight U.S. ASNs again, with their rankings for February, listed in the table on the right.

So, Ogee is not a botnet; it is a collection of IP addresses apparently involved in snowshoe spam. It’s also not new. Ogee is just a specific set of snowshoe addresses. But what is snowshoe spam?

Paul Roberts wrote for ThreatPost 6 October 2011, Expert: Eight Years Later, ‘Snowshoe Spam’ Suggests CAN SPAM Not Working,

Brett Cove, a researcher for anti malware firm Sophos, told attendees at the annual Virus Bulletin Conference on Thursday that so-called “snowshoe spam” is becoming a bigger problem, even as spam e-mail volumes associated with botnets are receding. Snowshoe spam is responsible for the bulk of spam messages that make it past anti spam filters at U.S. firms, even as bulk senders avoid prosecution by adhering to the letter of the U.S. CAN SPAM anti-spamming law.

Snowshoe spam isn’t a new problem. In fact, within anti spam circles, researchers have been talking about the phenomenon for years. The term “snowshoe” spam comes from the tactic of spreading the load of spam runs across a wide range of IP addresses as a way to avoid detection by anti spam filters, in the same way that snowshoes spread the weight of their wearer across a wide area to avoid breaking through snow and ice.

Anti spam filters are typically programmed to allow only a small volume of identical e-mail messages from the same IP address range, Cove told Threatpost. Snowshoe spam is able to avoid—or postpone—the filters by sending mail from a range of addresses, often leased by the bulk mail senders, he said.

That may sound a lot like low-and-slow botnet spamming, but there are five key differences:

Continue reading

What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:


Left Axis: Total Ogee volume (spam messages);
Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested from the U.S. top 10 previously described also are in there, except AS 7796 ATMLINK and AS 13768 PEER1.

New here are these three: Continue reading

Did the February 2012 spam surge come from one botnet?

SpamRankings.net saw
AS 21788NOC
AS 27229WEBHOST-ASN1
AS 46475LIMESTONENETWORKS
AS 33055BCC-65-182-96-0-PHX
AS 15149EZZI-101-BGP
AS 13768PEER1
AS 10439CARINET
AS 7796ATMLINK
a huge surge in spam from some U.S. ASNs, mostly from ones that hadn’t even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?

Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table on the right and shown in the chart below:


Left Axis: ASN volume (spam messages); Right Axis: Botnet volume (dotted curves)

The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.

AS 21788 NOC was one of the first and worst affected by this spam surge: Continue reading

Big U.S. Spam Spike in February 2012 SpamRankings.net

What could push the U.S. from 13 to 2 in worldwide SpamRankings.net, and way up to number one for the last week of February 2012?

In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn’t place in the top 10 at all, for the first time in recent memory!

NOC has had this problem before, in July and November 2011, but never with this amount of spam volume. And this time many other ASNs show the same pattern.

The same issue may be in the Canadian rankings as well: AS 32613 IWEB-AS jumped from 8 to 1 for the month, with almost all the increase in the same last week of the month as for the U.S. problem ASNs.

There was even a similar curve in the World rankings, for Telefonica del Peru’s AS 6147 SAA.

Our next step is to drill down to see if these ASNs were infected by the same botnet. We did that for the medical ASNs last month, but this is a much bigger spam event this month.

-jsq

Is January’s medical spam caused by botnets?

Remember those three spamming medical organizations PSBL saw and the spike from CSHS that SpamRankings.net found in CBL data? Digging into the underlying data, and graphing them all on the same chart, we see this:

Even though the three three-digit-spamming medicos spam oddly coherently, we don’t find any botnets for them. This may be because most of that spam was seen by PSBL, and our botnet assignments come from CBL. CBL didn’t see any spam from those ASNs, so it didn’t have anything to assign for botnets. Maybe they’re infested by the same botnet; maybe not; can’t tell.

But it was CBL that saw that big spam spike for AS 22328 CSHS. And CBL did assign a botnet to that: Lethic. For all but two days of CSHS spam shown, CBL assigned Lethic to the total amount of spam from CSHS for that day. That may be because all that CSHS spam is coming from a single computer.

Of course, CBL’s botnet assignments are not perfect, but infosec professionals tell me CBL is about as good as it gets for that, so there’s a good chance this botnet assignment is correct.

The good news is that all of the trio of three-digit spamming medicos decreased their spam and even went to zero during the period shown.

And CSHS spam peaked at the end of January and started back down in February.

Pretty soon there may be once again little or no spam from medical organizations to rank.

-jsq

CSHS is back in January 2012 SpamRankings.net

In SpamRankings.net, January PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.

The three with more than 100 spam messages for the month were

each accounting for about a third of the total spam volume seen from medical organizations by CBL in January 2012.

Cedars-Sinai Health Systems‘ AS 22328 CSHS came in only seventh in PSBL data, with only 10 spam messages. But in CBL data, CSHS came in first, with 2,873 messages. That’s not a lot, compared to, for example, Comcast, which CBL saw spamming more than two million messages during the same month. But what patients would prefer to see from medical organizations is zero spam messages, since spam is a sneeze for infosec disease, and who wants to think their hospital’s information security or radiology computers might be infected?

Chances are CSHS will notice and clean it up pretty quick. Those other three medical orgs may have some sort of more chronic problem….

-jsq

Global Crossing spam spike, November 2011

In the November SpamRankings.net from PSBL data, Global Crossing’s AS 3549 GBLX spiked on 17 November and a few days before, pushing it into fifth place.

Did this spam spike come from any particular botnet?


AS 3549 GBLX PSBL spam volume left axis, CBL botnet volume right axis
It looks like GBLX is infested with many botnets, but the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak on 16 Nov. Given that the ASN volume spike is from PSBL data and the botnet volume peak is from CBL data, a day off is plausible, due to different collection and delivery times.

There’s also a peak for grum (green line near the bottom) on 17 Nov, and peaks for festi and n/a on 18 Nov, where n/a is CBL’s marker for spam they detected without having to look as far as determining which botnet they think sent it.

So the spam spike could be from cutwail. Or it could be because of a coincidence of several botnet peaks. Or it could be some other botnet that happened to do a spam campaign on that day. Given that the PSBL GBLX peak builds up on 16 Nov, I’d guess it came mostly from cutwail.

We could try to resolve this question by digging into the specific addresses the GBLX spam PSBL saw came from and see if they match addresses CBL assigned to botnets.

-jsq

How to leverage botnet takedowns

What is to be done when botnet takedowns don’t produce lasting benefits?

At the Telecommunications Policy and Research Conference in Arlington, VA in September, I gave a paper about Rustock Botnet and ASNs. Most of the paper is about effects of a specific takedown (March 2011) and a specific slowdown (December 2010) on specific botnets (Rustock, Lethic, Maazben, etc.) and specific ASNs (Korea Telecom’s AS 4766, India’s National Internet Backbone’s AS 9829, and many others).

The detailed drilldowns also motivate a higher level policy discussion.

Knock one down, two more pop up: Whack-a-mole is fun, but not a solution. Need many more takedowns, oor many more organizations playing. How do we get orgs to do that? …
There is extensive theoretical literature that indicates Continue reading

“botnet herders can add it to its spam-spewing botnet” —Fahmida Y. Rashid in eWeek.com

This reporter spits out a string of alliterative language that labels the problem that SpamRankings.net helps diagnose.

Fahmida Y. Rashid wrote in eWeek.com 8 June 2011, UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers:

“Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose.”
That’s a pretty good explanation for why outbound spam is a proxy for poor infosec.

-jsq

3FN + FTC = Some Less Spam From Some ASNs

A research project I’m assisting at the University of Texas at Austin notes that:
On Tuesday 2 June 2009, the U.S. Federal Trade Commission (FTC) took legal steps that shut down the web hosting provider Triple Fiber network (3FN.net).
2009-06-01--cbl-2.png

Looking at Autonomous Systems (ASNs) listed in the spam blocklist CBL, Continue reading