Hello Sniffer Folks,

I had been wondering why the blackhats had been pushing so hard for
new bots these last few weeks.

Then the other day I saw something very strange in the SNF telemetry.
A storm came in that seemed to stop all other traffic. For more than
an hour I really thought something was broken -- but I wasn't sure I'd
really seen it.

Just a short time ago our SortMonster on duty (Mitchell "Skull")
called all-hands for a new spam storm. This was another of the new
penis spams.

We coded the rules quickly and as they went out I saw it again:

T rates fell to zero on many systems and close to that on all of the
others. This means that virtually all of the IPs were brand-new. At
the same time traffic spiked on all systems and capture rates went
off-scale high as the new rules tagged virtually every message.

This is not an entirely new tactic by the blackhats -- I've talked
about it before. It is essentially a high-amplitude burst -- where a
new campaign is pre-tested against all known filters and then launched
on a large number of new bots that are unknown to IP reputation

What is new is the purity of these recent events. When we've seen them
before they were mixed in with a lot of other traffic from other bot
nets and even other campaigns from the same bot net. While there was
still a trickle of this activity, the purity of this burst was

This was a stampede where essentially all visible bots started running
in a single new direction.

T rates have recovered now by and large -- so the new bots are already
largely recognized by GBUdb, but the wild swing in telemetry across
the network was amazing to watch -- as is the new telemetry showing
dramatically increased traffic and capture rates indicating a nearly
pure stream of spam from this new "herd".

Theories, comments, and observations welcome.



Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

This message is sent to you because you are subscribed to
  the mailing list <sniffer@sortmonster.com>.
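The telemetry pattern described in the post (known-IP rate collapsing to zero while volume and capture rate spike, then recovering as the reputation database catches up) can be turned into a simple window-based detector. The following is an added example, not code from the post, from SNF or from GBUdb; it assumes a "T rate" is the share of messages in a window that come from IPs already seen in earlier windows, and it uses constructed events on documentation address ranges rather than real telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WindowStats:
    window: int          # window index (timestamp // window_seconds)
    messages: int        # message volume in this window
    seen_ip_rate: float  # share of messages from IPs already known before the window
    burst: bool          # flagged as a "new herd" stampede


def analyze(events, window_seconds=60, min_volume_factor=3.0,
            max_seen_rate=0.1, warmup_windows=2):
    """Flag windows where volume spikes AND almost every source IP is brand-new.

    events: iterable of (unix_timestamp, source_ip). Assumed to be the kind of
    per-message record a mail filter's telemetry would emit (an assumption, not
    any particular product's format).
    """
    known = set()                  # stands in for an IP reputation store
    by_window = defaultdict(list)
    for ts, ip in events:
        by_window[ts // window_seconds].append(ip)

    stats, baseline = [], []
    for w in sorted(by_window):
        ips = by_window[w]
        seen = sum(1 for ip in ips if ip in known)
        rate = seen / len(ips)
        volume = len(ips)
        base = sum(baseline) / len(baseline) if len(baseline) >= warmup_windows else None
        # A stampede: volume well above baseline and the known-IP share near zero.
        burst = base is not None and volume >= min_volume_factor * base and rate <= max_seen_rate
        stats.append(WindowStats(w, volume, rate, burst))
        if not burst:
            baseline.append(volume)  # keep the burst from poisoning the baseline
        known.update(ips)            # reputation "learns" the new IPs after the window
    return stats


def constructed_events():
    """Constructed sample: 4 quiet windows from a small pool of senders, then a
    200-bot herd of never-seen IPs, then the same herd once more."""
    events = []
    pool = [f"192.0.2.{i}" for i in range(1, 11)]          # TEST-NET-1, 10 repeat senders
    for w in range(4):
        for i in range(20):
            events.append((w * 60 + i, pool[i % 10]))
    herd = [f"198.51.100.{i}" for i in range(1, 201)]      # TEST-NET-2, 200 fresh bots
    for i, ip in enumerate(herd):
        events.append((240 + i * 60 // 200, ip))            # window 4: pure new-bot burst
    for i, ip in enumerate(herd):
        events.append((300 + i * 60 // 200, ip))            # window 5: same bots, now known
    return events


if __name__ == "__main__":
    for s in analyze(constructed_events()):
        flag = "  <-- burst of new bots" if s.burst else ""
        print(f"window {s.window}: {s.messages:4d} msgs, seen-IP rate {s.seen_ip_rate:.2f}{flag}")
```

Window 4 is flagged (volume ten times baseline, zero previously seen IPs); window 5 carries the same volume but is not flagged because the reputation set has already absorbed the herd, which mirrors the "T rates have recovered" observation. The two warm-up windows stop the detector from firing on the very first traffic it sees, when every IP is trivially new.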