Tag Archives: Maazben

Turkey and Kelihos botnet rampage, October 2012 SpamRankings.net

Turkey, like Belgium, Canada, U.S., and the world, has a Kelihos rampage problem in the SpamRankings.net from CBL data for October 2012.

New Turkish #1 spammer AS 44565 VITAL TEKNOLOJI shows all the signs: rapidly increasing spamming and both Maazben and Kelihos botnets.


The other new Turkish top 10 ASNs, AS 42868 NIOBE, AS 44922 MEDYABIM-AS, AS 12599 ATLAS-AS, AS 49632 DATATELEKOM and AS 12987 OMURGA, all show lesser but still distinctive signs of the Kelihos rampage, namely Maazben botnet plus other unknown botnets. They all also only surged for a week or two, while Vital continued upwards.


Belgium has a Kelihos problem in October 2012 SpamRankings.net

Belgium has a Kelihos problem in the SpamRankings.net from CBL data for October 2012. #1 Mobistar’s AS 12493 and #2 Telenet’s AS 6848 were spewing spam from Kelihos, pushing all the other ASNs down the rankings. Kelihos rampage: it’s not just for North America!

Belgium top botnets October 2012 SpamRankings.net

A few other botnets have a bit of Kelihos, but only the top 2 for Belgium are part of the Kelihos rampage. (Newcomer AS 9031 EDPNET has a Cutwail problem.)


Canada and Kelihos in October 2012 SpamRankings.net

The Canadian top 10 were half the same as last month and half due to Kelihos in the SpamRankings.net from CBL data for October 2012. Canadian #1 iWeb (CBL; #10 PSBL) made it into the world CBL top 10 because of Kelihos. The rankings from PSBL data were much closer to the CBL ones for Canada than was the case for the U.S. or for the world.

In this logarithmic chart you can see #3 AS 6327 SHAW, #7 AS 577 BACOM, #9 AS 855 CANET-ASN-4, and #10 AS 6407 PRIMUS-AS6407, the only Canadian ASNs that improved their CBL rank for October, going almost straight across the middle, decreasing towards the end of the month.

top 10 logarithmic Canada October 2012 CBL SpamRankings.net

Three of those relatively static four also were infested with Kelihos. (The fourth, AS 6407 Primus, had a Lethic problem.)

Static 4 Canada October 2012 CBL SpamRankings.net

While 25,000 spam messages a day, as seen by CBL for AS 6327 Shaw, is quite a sneeze, it’s not much …

Kelihos and Maazben botnets in U.S. October 2012 SpamRankings.net

We’ve seen that botnets Kelihos and Maazben account for most of the spam seen from the entirely-new worldwide top 10 in the October 2012 Kelihos rampage. What about a specific country? The U.S. top 10 SpamRankings.net are also entirely new (since last month): are all those U.S. ASNs ranked like that because of the Kelihos rampage? Two clues indicate yes: the shapes of the U.S. curves are very similar to those of the worldwide rankings, and the U.S. top 3 are in the worldwide top 10. But what about the rest of the U.S. top 10? Let’s drill down to botnets in the U.S. October 2012 SpamRankings.net from CBL data:

Botnets in U.S. October 2012 SpamRankings.net from CBL data

We can see 9 out of the U.S. top 10 are there mostly because of Maazben or Kelihos, often alternating for the same ASN, in the same pattern as for the worldwide top 10. So yes, 9 are in the U.S. top 10 because of the Kelihos rampage.

The one exception is …

Kelihos and Maazben botnets in October 2012 SpamRankings.net

Let's look at the botnets associated with the Kelihos rampage in the October 2012 SpamRankings.net. Two botnets turn up the most: Maazben and Kelihos. Why call it the Kelihos rampage, then?

World Top 10 and botnets

Because CBL's detection of each botnet depends on numerous continually-evolving heuristics, and in this case the same one is being triggered for both Maazben and Kelihos, and CBL thinks that particular heuristic is more characteristic of Kelihos.

The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems:

Botnets behind the late-month upswings in Belgium in the September 2012 SpamRankings.net?

Congratulations to Belgacom, Mobistar, Uganda-Telecom and BASE Belgium for improving in the September 2012 SpamRankings.net for Belgium from CBL data! But what’s behind Brutele and Mobistar and Gateway getting worse at the end of the month? And what about Teledis, which is worse over the whole month, but better at the end?

For AS 12392 ASBRUTELE, the problem the whole month is Lethic botnet with a little Festi:

TTNET ejected Festi but still infested with Lethic and other botnets 2012-07,2012-08

Congratulations to Turkey's TTNET's AS 9121 for getting Festi botnet spam down from more than a million messages a day to less than 100,000!


However, Festi is still in there, and TTNET has other problems, as well, including Lethic, Cutwail, Waledac, Maazben, and even Grum(!) botnets, plus Sendsafe.

How to leverage botnet takedowns

What is to be done when botnet takedowns don’t produce lasting benefits?

At the Telecommunications Policy and Research Conference in Arlington, VA in September, I gave a paper about Rustock Botnet and ASNs. Most of the paper is about effects of a specific takedown (March 2011) and a specific slowdown (December 2010) on specific botnets (Rustock, Lethic, Maazben, etc.) and specific ASNs (Korea Telecom’s AS 4766, India’s National Internet Backbone’s AS 9829, and many others).

The detailed drilldowns also motivate a higher level policy discussion.

Knock one down, two more pop up: Whack-a-mole is fun, but not a solution. Need many more takedowns, or many more organizations playing. How do we get orgs to do that? …
There is extensive theoretical literature that indicates …