The following article was originally published by The Spamhaus Project, October 2018.
After something of a ‘lull’ in botnet activity over the past year, there has been a significant upswing in the number of listings on the Spamhaus Exploits Block List (XBL). The past few weeks have seen a rise from approximately 10 million to 16 million listings. The obvious question is: why? The Spamhaus Project’s botnet specialist explains:
What is the XBL?
The XBL is Spamhaus’s block list which lists IP addresses that host bots and malware-infected computers.
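As an added example (not part of the Spamhaus article), this is how a mail server consults the XBL: the address's octets are reversed, looked up as a name under the list's DNS zone, and the A record returned says whether (and why) the address is listed. The zone name and return codes follow Spamhaus's public DNSBL documentation rather than anything stated above; the resolver is a constructed stand-in so the code runs offline, and answers in 127.255.255.0/24 are treated as errors rather than listings.

```python
import ipaddress
from typing import Callable, Optional

# Zone name and return codes follow Spamhaus's public DNSBL documentation
# (assumed here; the article itself names none of them).
XBL_ZONE = "xbl.spamhaus.org"
LISTED_CODES = {
    "127.0.0.4": "XBL: exploited host (bot / malware infection)",
}
# Answers in 127.255.255.0/24 are error signals, NOT listings; a mail server
# that treats them as "listed" would start rejecting all of its mail.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

# A resolver returns the A records for a name, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[list[str]]]

def xbl_query_name(ip: str, zone: str = XBL_ZONE) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.xbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a valid IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_xbl(ip: str, resolve: Resolver, zone: str = XBL_ZONE) -> dict:
    """Query the XBL for one address and classify the answer.

    Returns {"listed": bool, "error": Optional[str], "reason": Optional[str]}.
    """
    answer = resolve(xbl_query_name(ip, zone))
    if not answer:                      # NXDOMAIN: the address is not listed
        return {"listed": False, "error": None, "reason": None}
    for record in answer:
        if record in ERROR_CODES:       # infrastructure problem: fail open, do not block
            return {"listed": False, "error": ERROR_CODES[record], "reason": None}
    reasons = [LISTED_CODES.get(r, f"unknown code {r}") for r in answer]
    return {"listed": True, "error": None, "reason": "; ".join(reasons)}

# Constructed offline stand-in for real DNS: one listed bot, one clean host
# (absent, so NXDOMAIN) and one answer signalling a misconfigured resolver.
_CONSTRUCTED_DNS = {
    xbl_query_name("192.0.2.10"): ["127.0.0.4"],
    xbl_query_name("203.0.113.7"): ["127.255.255.254"],
}

def constructed_resolver(name: str) -> Optional[list[str]]:
    return _CONSTRUCTED_DNS.get(name)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.3", "203.0.113.7"):
        print(ip, check_xbl(ip, constructed_resolver))
```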
Why the huge upswing in listings?
Approximately half of this increase is due to a new spambot sending out vast quantities of spam for Chinese porn web sites. We believe that this may be due to proxy software, popular in China, having a security issue. Meanwhile the rest is from the rising number of IP addresses that are being reported as infected with the Avalanche/Gamarue botnet.
For those of you with knowledge of the botnet landscape, you’re probably thinking “But the Avalanche botnet was taken down?” You are indeed correct; however, the machines infected by Avalanche are still out there spreading the infection to new machines. The difference now is that these machines can no longer be controlled by the current set of bad guys. But it’s worth noting that these machines are still insecure and open to abuse by other spammers.
When will these bots die out?
Even if all the botnet gangs were taken down, the malware they created would continue to spread without its controllers. This is a spectre we’re going to have to live with for a long time. The Conficker bot is still out there, and its control network died years ago!
What about the new spambot?
There’s one last question: what (or who) is responsible for sending the copious quantities of Chinese porn-related spam? To date the research team at the Project don’t have an answer, but we’ll let you know as soon as they find out more.
(The original article can be viewed here.)