Thursday, December 31, 2009

Botnet Statistics [2009-12-30]

detection period: 2009-12-30 00:00-23:59 UTC
total number of suspected botnet IPs: 4363
number of botnet IPs notified to network operators: 3884

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

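| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1272 |
| 2 | BSNLNET | 544 |
| 3 | CHINANET-GD | 468 |
| 4 | TFN-NET | 151 |
| 5 | 002.558.157/0001-62 | 112 |
| 6 | AR-TEAR7-LACNIC | 108 |
| 7 | TATACOMM-IN | 85 |
| 8 | RCOM | 80 |
| 9 | 002.558.134/0001-58 | 80 |
| 10 | 002.449.992/0001-64 | 65 |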

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

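| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1438 |
| 2 | China | 867 |
| 3 | India | 814 |
| 4 | Brazil | 401 |
| 5 | Argentina | 177 |
| 6 | Russian Federation | 116 |
| 7 | United States | 93 |
| 8 | Ukraine | 33 |
| 9 | South Korea | 32 |
| 10 | Ethiopia | 26 |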

Wednesday, December 30, 2009

Botnet Statistics [2009-12-29]

detection period: 2009-12-29 00:00-23:59 UTC
total number of suspected botnet IPs: 4489
number of botnet IPs notified to network operators: 4056

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

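| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1341 |
| 2 | BSNLNET | 572 |
| 3 | TFN-NET | 404 |
| 4 | CHINANET-GD | 338 |
| 5 | 002.558.157/0001-62 | 125 |
| 6 | AR-TEAR7-LACNIC | 106 |
| 7 | RCOM | 77 |
| 8 | 002.558.134/0001-58 | 75 |
| 9 | TATACOMM-IN | 67 |
| 10 | 002.449.992/0001-64 | 54 |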

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

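| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1761 |
| 2 | India | 829 |
| 3 | China | 710 |
| 4 | Brazil | 410 |
| 5 | Argentina | 179 |
| 6 | Russian Federation | 99 |
| 7 | United States | 87 |
| 8 | South Korea | 36 |
| 9 | Ukraine | 29 |
| 10 | United Kingdom | 26 |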

Tuesday, December 29, 2009

Botnet Statistics [2009-12-28]

My notification mails are sent from an email account of a well-known service company. My notifications have been mistaken for spam mail by them several times, as I have to include spam headers in the mail, as requested by various network operators. I have also hit my daily mail sending quota occasionally. Today it happened again. I decided to make a few modifications to my mail notice. Only the first 15 relay attempts from each IP will be included. And network operators with fewer than 2 detected bots will not get notified.

detection period: 2009-12-28 00:00-23:59 UTC
total number of suspected botnet IPs: 4219
number of botnet IPs notified to network operators: 3716

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

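| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1232 |
| 2 | BSNLNET | 428 |
| 3 | CHINANET-GD | 369 |
| 4 | TFN-NET | 189 |
| 5 | 002.558.157/0001-62 | 131 |
| 6 | AR-TEAR7-LACNIC | 94 |
| 7 | RCOM | 82 |
| 8 | TATACOMM-IN | 76 |
| 9 | 002.558.134/0001-58 | 70 |
| 10 | UNICOM-SD | 59 |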

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

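| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1438 |
| 2 | China | 986 |
| 3 | India | 687 |
| 4 | Brazil | 421 |
| 5 | Argentina | 161 |
| 6 | Russian Federation | 98 |
| 7 | United States | 64 |
| 8 | Ukraine | 29 |
| 9 | South Korea | 24 |
| 10 | Indonesia | 21 |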

Monday, December 28, 2009

Botnet Statistics [2009-12-27]

detection period: 2009-12-27 00:00-23:59 UTC
total number of suspected botnet IPs: 2876
number of botnet IPs notified to network operators: 2716

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

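| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1241 |
| 2 | CHINANET-GD | 365 |
| 3 | TFN-NET | 142 |
| 4 | BSNLNET | 102 |
| 5 | AR-TEAR7-LACNIC | 61 |
| 6 | 002.558.157/0001-62 | 55 |
| 7 | UNICOM-SD | 43 |
| 8 | 002.558.134/0001-58 | 41 |
| 9 | CHINANET-ZJ-WZ | 30 |
| 10 | 000.065.376/0002-65 | 20 |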

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

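| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1392 |
| 2 | China | 654 |
| 3 | Brazil | 194 |
| 4 | India | 154 |
| 5 | Argentina | 114 |
| 6 | Russian Federation | 61 |
| 7 | United States | 57 |
| 8 | Poland | 18 |
| 9 | Colombia | 17 |
| 10 | Ukraine | 16 |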

Sunday, December 27, 2009

Botnet Statistics [2009-12-26]

detection period: 2009-12-26 00:00-23:59 UTC
total number of suspected botnet IPs: 2864
number of botnet IPs notified to network operators: 2682

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

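| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1241 |
| 2 | BSNLNET | 273 |
| 3 | CHINANET-GD | 115 |
| 4 | TFN-NET | 108 |
| 5 | 002.558.157/0001-62 | 61 |
| 6 | TATACOMM-IN | 57 |
| 7 | AR-TEAR7-LACNIC | 53 |
| 8 | RCOM | 47 |
| 9 | UNICOM-SD | 39 |
| 10 | 002.558.134/0001-58 | 33 |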

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

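| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1362 |
| 2 | China | 458 |
| 3 | India | 424 |
| 4 | Brazil | 194 |
| 5 | Argentina | 108 |
| 6 | Russian Federation | 55 |
| 7 | United States | 28 |
| 8 | Ukraine | 28 |
| 9 | South Korea | 17 |
| 10 | Thailand | 15 |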

Saturday, December 26, 2009

Botnet Statistics [2009-12-25]

detection period: 2009-12-25 00:00-23:59 UTC
total number of suspected botnet IPs: 1905
number of botnet IPs notified to network operators: 1716

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

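| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | BSNLNET | 239 |
| 2 | CHINANET-GD | 219 |
| 3 | HINET-NET | 195 |
| 4 | TFN-NET | 112 |
| 5 | AR-TEAR7-LACNIC | 67 |
| 6 | UNICOM-SD | 53 |
| 7 | 002.558.157/0001-62 | 45 |
| 8 | RCOM | 44 |
| 9 | TATACOMM-IN | 38 |
| 10 | 002.558.134/0001-58 | 29 |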

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

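| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 584 |
| 2 | India | 364 |
| 3 | Taiwan | 320 |
| 4 | Brazil | 156 |
| 5 | Argentina | 106 |
| 6 | Russian Federation | 76 |
| 7 | United States | 42 |
| 8 | Ukraine | 34 |
| 9 | Ethiopia | 18 |
| 10 | South Korea | 17 |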

Friday, December 25, 2009

Botnet Statistics [2009-12-24]

detection period: 2009-12-24 00:00-23:59 UTC
total number of suspected botnet IPs: 3337
number of botnet IPs notified to network operators: 3104

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

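| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1223 |
| 2 | BSNLNET | 386 |
| 3 | CHINANET-GD | 279 |
| 4 | 002.558.157/0001-62 | 81 |
| 5 | AR-TEAR7-LACNIC | 77 |
| 6 | TFN-NET | 68 |
| 7 | RCOM | 59 |
| 8 | 002.558.134/0001-58 | 47 |
| 9 | TATACOMM-IN | 44 |
| 10 | UNICOM-SD | 41 |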

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

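| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1339 |
| 2 | China | 587 |
| 3 | India | 577 |
| 4 | Brazil | 263 |
| 5 | Argentina | 123 |
| 6 | Russian Federation | 99 |
| 7 | United States | 41 |
| 8 | Ukraine | 34 |
| 9 | Ethiopia | 31 |
| 10 | South Korea | 23 |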

Thursday, December 24, 2009

Botnet Statistics [2009-12-23]

detection period: 2009-12-23 00:00-23:59 UTC
total number of suspected botnet IPs: 2477
number of botnet IPs notified to network operators: 2240

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

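| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 347 |
| 2 | BSNLNET | 337 |
| 3 | APOL-NET | 158 |
| 4 | CHINANET-GD | 151 |
| 5 | 002.558.157/0001-62 | 93 |
| 6 | AR-TEAR7-LACNIC | 90 |
| 7 | TFN-NET | 79 |
| 8 | 002.558.134/0001-58 | 60 |
| 9 | RCOM | 56 |
| 10 | TATACOMM-IN | 54 |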

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

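| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 595 |
| 2 | India | 521 |
| 3 | China | 492 |
| 4 | Brazil | 318 |
| 5 | Argentina | 144 |
| 6 | Russian Federation | 87 |
| 7 | Ukraine | 32 |
| 8 | Colombia | 22 |
| 9 | South Korea | 21 |
| 10 | Ethiopia | 19 |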

Wednesday, December 23, 2009

Botnet Statistics [2009-12-22]

detection period: 2009-12-22 00:00-23:59 UTC
total number of suspected botnet IPs: 3796
number of botnet IPs notified to network operators: 3546

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

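| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 987 |
| 2 | BSNLNET | 460 |
| 3 | TFN-NET | 423 |
| 4 | APOL-NET | 333 |
| 5 | CHINANET-GD | 119 |
| 6 | 002.558.157/0001-62 | 113 |
| 7 | AR-TEAR7-LACNIC | 89 |
| 8 | RCOM | 63 |
| 9 | 002.558.134/0001-58 | 54 |
| 10 | TATACOMM-IN | 49 |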

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

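| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1750 |
| 2 | India | 658 |
| 3 | China | 442 |
| 4 | Brazil | 357 |
| 5 | Argentina | 146 |
| 6 | Russian Federation | 100 |
| 7 | Ukraine | 27 |
| 8 | South Korea | 24 |
| 9 | Colombia | 24 |
| 10 | Ethiopia | 23 |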

Tuesday, December 22, 2009

Botnet Statistics [2009-12-21]

detection period: 2009-12-21 00:00-23:59 UTC
total number of suspected botnet IPs: 3660
number of botnet IPs notified to network operators: 3384

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

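| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1074 |
| 2 | BSNLNET | 391 |
| 3 | APOL-NET | 227 |
| 4 | TFN-NET | 208 |
| 5 | CHINANET-GD | 188 |
| 6 | 002.558.157/0001-62 | 132 |
| 7 | AR-TEAR7-LACNIC | 94 |
| 8 | TATACOMM-IN | 53 |
| 9 | 002.558.134/0001-58 | 52 |
| 10 | RCOM | 49 |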

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

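| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1517 |
| 2 | India | 576 |
| 3 | China | 522 |
| 4 | Brazil | 389 |
| 5 | Argentina | 153 |
| 6 | Russian Federation | 113 |
| 7 | Ukraine | 31 |
| 8 | United States | 23 |
| 9 | Thailand | 23 |
| 10 | Colombia | 23 |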

Monday, December 21, 2009

Botnet Statistics [2009-12-20]

detection period: 2009-12-20 00:00-23:59 UTC
total number of suspected botnet IPs: 2856
number of botnet IPs notified to network operators: 2664

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

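| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1124 |
| 2 | APOL-NET | 189 |
| 3 | CHINANET-GD | 155 |
| 4 | BSNLNET | 149 |
| 5 | TFN-NET | 97 |
| 6 | AR-TEAR7-LACNIC | 82 |
| 7 | 002.558.157/0001-62 | 69 |
| 8 | UNICOM-SD | 38 |
| 9 | RCOM | 28 |
| 10 | 002.558.134/0001-58 | 27 |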

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

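| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1417 |
| 2 | China | 453 |
| 3 | India | 227 |
| 4 | Brazil | 222 |
| 5 | Argentina | 136 |
| 6 | Russian Federation | 80 |
| 7 | United States | 26 |
| 8 | South Korea | 25 |
| 9 | Poland | 24 |
| 10 | Ukraine | 23 |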

Sunday, December 20, 2009

Botnet Statistics [2009-12-19]

After I utilized the data collected on the new detection system, the number of detected bots rose suddenly, and then took a sharp downfall. Now network operators seem to respond very fast upon my notifications. It is very good that my system seems to work, but I was wondering, is its own effectiveness going to drive itself into extinction, just like the (now gone) ORDB (Open Relay DataBase)?

detection period: 2009-12-19 00:00-23:59 UTC
total number of suspected botnet IPs: 2974
number of botnet IPs notified to network operators: 2768

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

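| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1172 |
| 2 | BSNLNET | 341 |
| 3 | AR-TEAR7-LACNIC | 99 |
| 4 | CHINANET-GD | 94 |
| 5 | 002.558.157/0001-62 | 73 |
| 6 | RCOM | 70 |
| 7 | TATACOMM-IN | 54 |
| 8 | TFN-NET | 48 |
| 9 | UNICOM-SD | 43 |
| 10 | APOL-NET | 42 |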

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

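| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1267 |
| 2 | India | 527 |
| 3 | China | 388 |
| 4 | Brazil | 259 |
| 5 | Argentina | 154 |
| 6 | Russian Federation | 62 |
| 7 | South Korea | 28 |
| 8 | United States | 26 |
| 9 | Colombia | 24 |
| 10 | Ukraine | 22 |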

Saturday, December 19, 2009

Botnet Statistics [2009-12-18]

After 8 hours of mental exercise, I have finished writing the needed scripts to combine data from both the old and new detection systems. Hope there are not too many bugs in my scripts. From now on, data presented here will be the combined result. With those scripts in hand, building more detection systems will not take too much effort.

detection period: 2009-12-18 00:00-23:59 UTC
total number of suspected botnet IPs: 3560
number of botnet IPs notified to network operators: 3326

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

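| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1078 |
| 2 | BSNLNET | 404 |
| 3 | TFN-NET | 253 |
| 4 | APOL-NET | 248 |
| 5 | CHINANET-GD | 140 |
| 6 | 002.558.157/0001-62 | 118 |
| 7 | AR-TEAR7-LACNIC | 94 |
| 8 | RCOM | 58 |
| 9 | TATACOMM-IN | 51 |
| 10 | 002.558.134/0001-58 | 42 |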

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

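| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1589 |
| 2 | India | 587 |
| 3 | China | 468 |
| 4 | Brazil | 351 |
| 5 | Argentina | 152 |
| 6 | Russian Federation | 77 |
| 7 | Colombia | 27 |
| 8 | Thailand | 22 |
| 9 | Ethiopia | 22 |
| 10 | Ukraine | 21 |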

Friday, December 18, 2009

Botnet Statistics [2009-12-17]

I should write some scripts to automatically combine numbers from both detection systems. Manual calculation is error-prone. Taiwan's numbers are taken from the new detection system, while other countries' numbers are taken from the old one.

detection period: 2009-12-17 00:00-23:59 UTC
total number of suspected botnet IPs: 3477
number of botnet IPs notified to network operators: 3266

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

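| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1024 |
| 2 | APOL-NET | 593 |
| 3 | TFN-NET | 307 |
| 4 | BSNLNET | 218 |
| 5 | CHINANET-GD | 140 |
| 6 | 002.558.157/0001-62 | 91 |
| 7 | AR-TEAR7-LACNIC | 57 |
| 8 | RCOM | 42 |
| 9 | UNICOM-SD | 38 |
| 10 | 002.558.134/0001-58 | 32 |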

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

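| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1927 |
| 2 | China | 430 |
| 3 | India | 344 |
| 4 | Brazil | 268 |
| 5 | Argentina | 102 |
| 6 | Russian Federation | 78 |
| 7 | Colombia | 25 |
| 8 | Ukraine | 23 |
| 9 | United States | 18 |
| 10 | Thailand | 18 |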

Thursday, December 17, 2009

Botnet Statistics [2009-12-16]

Bots from countries other than Taiwan started to show up in the new detection system, though the overwhelming majority (more than 99%) were still from Taiwan. Today's statistics are calculated in the same way as yesterday's. I take most of the numbers from the old detection system. Only Taiwan's numbers (as there are many networks in Taiwan) of bots are taken from the new system.

detection period: 2009-12-16 00:00-23:59 UTC
total number of suspected botnet IPs: 4867
number of botnet IPs notified to network operators: 4629

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

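| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 2163 |
| 2 | CHINANET-GD | 352 |
| 3 | APOL-NET | 338 |
| 4 | BSNLNET | 299 |
| 5 | TFN-NET | 295 |
| 6 | 002.558.157/0001-62 | 90 |
| 7 | AR-TEAR7-LACNIC | 65 |
| 8 | RCOM | 49 |
| 9 | TATACOMM-IN | 47 |
| 10 | UNICOM-SD | 46 |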

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

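| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 2796 |
| 2 | China | 669 |
| 3 | India | 453 |
| 4 | Brazil | 290 |
| 5 | Argentina | 121 |
| 6 | Russian Federation | 110 |
| 7 | United States | 79 |
| 8 | Ukraine | 30 |
| 9 | South Korea | 27 |
| 10 | Colombia | 22 |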

Wednesday, December 16, 2009

Botnet Statistics [2009-12-15]

I set up another botnet detection system about 10 days ago. Although it employs the same detection technique as the old one, the results are vastly different. Almost all botnet computers it detected were located in Taiwan, but I can't explain it. Today I tried to combine the botnet statistics from both systems.

detection period: 2009-12-15 00:00-23:59 UTC
total number of suspected botnet IPs: 5408
number of botnet IPs notified to network operators: 5178

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

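| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 2585 |
| 2 | CHINANET-GD | 544 |
| 3 | APOL-NET | 461 |
| 4 | BSNLNET | 233 |
| 5 | TFN-NET | 183 |
| 6 | 002.558.157/0001-62 | 99 |
| 7 | AR-TEAR7-LACNIC | 85 |
| 8 | TATACOMM-IN | 41 |
| 9 | UNICOM-SD | 38 |
| 10 | RCOM | 38 |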

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

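| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 3229 |
| 2 | China | 837 |
| 3 | India | 367 |
| 4 | Brazil | 288 |
| 5 | Argentina | 140 |
| 6 | United States | 97 |
| 7 | Russian Federation | 78 |
| 8 | Colombia | 29 |
| 9 | South Korea | 26 |
| 10 | Ukraine | 25 |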

Tuesday, December 15, 2009

Botnet Statistics [2009-12-14]

detection period: 2009-12-14 00:00-23:59 UTC
total number of suspected botnet IPs: 2143
number of botnet IPs notified to network operators: 1908

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

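| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | CHINANET-GD | 507 |
| 2 | BSNLNET | 287 |
| 3 | 002.558.157/0001-62 | 97 |
| 4 | AR-TEAR7-LACNIC | 66 |
| 5 | RCOM | 45 |
| 6 | TATACOMM-IN | 34 |
| 7 | UNICOM-SD | 32 |
| 8 | CHINANET-ZJ-WZ | 29 |
| 9 | 002.558.134/0001-58 | 29 |
| 10 | HATHWAY-NET | 28 |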

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

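| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 789 |
| 2 | India | 433 |
| 3 | Brazil | 259 |
| 4 | Argentina | 118 |
| 5 | United States | 91 |
| 6 | Russian Federation | 77 |
| 7 | Taiwan | 27 |
| 8 | South Korea | 27 |
| 9 | Ukraine | 22 |
| 10 | United Kingdom | 21 |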

Monday, December 14, 2009

Botnet Statistics [2009-12-13]

Today I learned something new. I have always thought the country code for the United Kingdom was "UK." Not so. As a new country code "GB" landed at number 10, now I know it stands for the United Kingdom. Great Britain, perhaps?

detection period: 2009-12-13 00:00-23:59 UTC
total number of suspected botnet IPs: 1749
number of botnet IPs notified to network operators: 1566

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

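| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | CHINANET-GD | 608 |
| 2 | BSNLNET | 75 |
| 3 | AR-TEAR7-LACNIC | 56 |
| 4 | 002.558.157/0001-62 | 38 |
| 5 | AR-CASA10-LACNIC | 28 |
| 6 | CHINANET-ZJ-WZ | 25 |
| 7 | CHINANET-JS | 25 |
| 8 | UNICOM-SD | 24 |
| 9 | HINET-NET | 24 |
| 10 | 002.558.134/0001-58 | 21 |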

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

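| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 882 |
| 2 | Brazil | 149 |
| 3 | India | 122 |
| 4 | Argentina | 115 |
| 5 | United States | 79 |
| 6 | Russian Federation | 66 |
| 7 | Taiwan | 41 |
| 8 | South Korea | 31 |
| 9 | Ukraine | 22 |
| 10 | United Kingdom | 20 |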

Sunday, December 13, 2009

Botnet Statistics [2009-12-12]

The top 6 countries on my botnet chart were always (in alphabetic order): Argentina, Brazil, China, India, Russian Federation, and Taiwan. Not any more! The newcomer is the United States, which landed at number 6. The Russian Federation is at the 7th spot now.

detection period: 2009-12-12 00:00-23:59 UTC
total number of suspected botnet IPs: 2059
number of botnet IPs notified to network operators: 1852

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

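| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | CHINANET-GD | 357 |
| 2 | HINET-NET | 293 |
| 3 | BSNLNET | 197 |
| 4 | AR-TEAR7-LACNIC | 64 |
| 5 | RCOM | 54 |
| 6 | 002.558.157/0001-62 | 52 |
| 7 | 000.065.376/0002-65 | 29 |
| 8 | UNICOM-SD | 28 |
| 9 | 002.558.134/0001-58 | 28 |
| 10 | TATACOMM-IN | 24 |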

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

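| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 639 |
| 2 | India | 320 |
| 3 | Taiwan | 306 |
| 4 | Brazil | 201 |
| 5 | Argentina | 111 |
| 6 | United States | 100 |
| 7 | Russian Federation | 66 |
| 8 | South Korea | 33 |
| 9 | Colombia | 22 |
| 10 | Thailand | 18 |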

Saturday, December 12, 2009

Botnet Statistics [2009-12-11]

detection period: 2009-12-11 00:00-23:59 UTC
total number of suspected botnet IPs: 4070
number of botnet IPs notified to network operators: 3874

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

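| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 2219 |
| 2 | CHINANET-GD | 418 |
| 3 | BSNLNET | 148 |
| 4 | 002.558.157/0001-62 | 87 |
| 5 | AR-TEAR7-LACNIC | 53 |
| 6 | CHINANET-JS | 40 |
| 7 | UNICOM-SD | 33 |
| 8 | CHINANET-ZJ-WZ | 33 |
| 9 | RCOM | 32 |
| 10 | TATACOMM-IN | 28 |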

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

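| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 2232 |
| 2 | China | 838 |
| 3 | India | 248 |
| 4 | Brazil | 243 |
| 5 | Argentina | 100 |
| 6 | Russian Federation | 68 |
| 7 | United States | 49 |
| 8 | Thailand | 18 |
| 9 | South Korea | 18 |
| 10 | Colombia | 18 |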

Friday, December 11, 2009

Botnet Statistics [2009-12-10]

detection period: 2009-12-10 00:00-23:59 UTC
total number of suspected botnet IPs: 1071
number of botnet IPs notified to network operators: 925

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

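| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | CHINANET-GD | 182 |
| 2 | BSNLNET | 81 |
| 3 | 002.558.157/0001-62 | 41 |
| 4 | HINET-NET | 39 |
| 5 | RCOM | 26 |
| 6 | AR-TEAR7-LACNIC | 24 |
| 7 | CHINANET-JS | 23 |
| 8 | UNICOM-SD | 19 |
| 9 | TATACOMM-IN | 19 |
| 10 | 000.065.376/0002-65 | 19 |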

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

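| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 399 |
| 2 | Brazil | 154 |
| 3 | India | 153 |
| 4 | Taiwan | 54 |
| 5 | Argentina | 47 |
| 6 | Russian Federation | 40 |
| 7 | South Korea | 19 |
| 8 | Ukraine | 16 |
| 9 | United States | 15 |
| 10 | Colombia | 12 |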

Thursday, December 10, 2009

Botnet Statistics [2009-12-09]

detection period: 2009-12-09 00:00-23:59 UTC
total number of suspected botnet IPs: 2179
number of botnet IPs notified to network operators: 1945

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

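| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | CHINANET-GD | 465 |
| 2 | BSNLNET | 238 |
| 3 | 002.558.157/0001-62 | 98 |
| 4 | AR-TEAR7-LACNIC | 64 |
| 5 | HINET-NET | 51 |
| 6 | RCOM | 47 |
| 7 | TATACOMM-IN | 45 |
| 8 | CHINANET-JS | 43 |
| 9 | UNICOM-SD | 37 |
| 10 | 002.558.134/0001-58 | 36 |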

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

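| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 891 |
| 2 | India | 398 |
| 3 | Brazil | 293 |
| 4 | Argentina | 115 |
| 5 | Taiwan | 72 |
| 6 | Russian Federation | 66 |
| 7 | Colombia | 28 |
| 8 | Thailand | 23 |
| 9 | Ukraine | 22 |
| 10 | United States | 20 |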

Wednesday, December 9, 2009

Botnet Statistics [2009-12-08]

detection period: 2009-12-08 00:00-23:59 UTC
total number of suspected botnet IPs: 4071
number of botnet IPs notified to network operators: 3841

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

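| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 2108 |
| 2 | BSNLNET | 266 |
| 3 | CHINANET-GD | 262 |
| 4 | 002.558.157/0001-62 | 92 |
| 5 | AR-TEAR7-LACNIC | 83 |
| 6 | RCOM | 51 |
| 7 | TATACOMM-IN | 40 |
| 8 | UNICOM-SD | 38 |
| 9 | CHINANET-ZJ-WZ | 36 |
| 10 | 002.558.134/0001-58 | 36 |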

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

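| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 2126 |
| 2 | China | 663 |
| 3 | India | 412 |
| 4 | Brazil | 298 |
| 5 | Argentina | 147 |
| 6 | Russian Federation | 70 |
| 7 | Thailand | 33 |
| 8 | Ukraine | 31 |
| 9 | United States | 25 |
| 10 | Uruguay | 18 |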

Tuesday, December 8, 2009

Botnet Statistics [2009-12-07]

detection period: 2009-12-07 00:00-23:59 UTC
total number of suspected botnet IPs: 4236
number of botnet IPs notified to network operators: 4017

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

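| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 2710 |
| 2 | BSNLNET | 214 |
| 3 | 002.558.157/0001-62 | 84 |
| 4 | AR-TEAR7-LACNIC | 71 |
| 5 | CHINANET-GD | 68 |
| 6 | TATACOMM-IN | 40 |
| 7 | RCOM | 38 |
| 8 | 002.558.134/0001-58 | 34 |
| 9 | UNICOM-SD | 28 |
| 10 | HATHWAY-NET | 24 |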

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

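| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 2724 |
| 2 | China | 366 |
| 3 | India | 350 |
| 4 | Brazil | 263 |
| 5 | Argentina | 123 |
| 6 | Russian Federation | 76 |
| 7 | Thailand | 27 |
| 8 | Ukraine | 23 |
| 9 | Colombia | 22 |
| 10 | United States | 19 |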

Monday, December 7, 2009

Botnet Statistics [2009-12-06]

detection period: 2009-12-06 00:00-23:59 UTC
total number of suspected botnet IPs: 1893
number of botnet IPs notified to network operators: 1720

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

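| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 812 |
| 2 | BSNLNET | 79 |
| 3 | AR-TEAR7-LACNIC | 64 |
| 4 | 002.558.157/0001-62 | 55 |
| 5 | CHINANET-GD | 43 |
| 6 | 002.558.134/0001-58 | 31 |
| 7 | UNICOM-SD | 30 |
| 8 | AR-CASA10-LACNIC | 26 |
| 9 | 000.065.376/0002-65 | 20 |
| 10 | UNICOM-HA | 18 |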

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

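| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 824 |
| 2 | China | 295 |
| 3 | Brazil | 181 |
| 4 | India | 134 |
| 5 | Argentina | 114 |
| 6 | Russian Federation | 69 |
| 7 | Thailand | 25 |
| 8 | South Korea | 24 |
| 9 | Ukraine | 18 |
| 10 | United States | 17 |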

Sunday, December 6, 2009

Botnet Statistics [2009-12-05]

detection period: 2009-12-05 00:00-23:59 UTC
total number of suspected botnet IPs: 2919
number of botnet IPs notified to network operators: 2751

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

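| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1664 |
| 2 | BSNLNET | 190 |
| 3 | CHINANET-GD | 59 |
| 4 | 002.558.157/0001-62 | 49 |
| 5 | AR-TEAR7-LACNIC | 48 |
| 6 | RCOM | 38 |
| 7 | UNICOM-SD | 37 |
| 8 | TATACOMM-IN | 37 |
| 9 | 002.558.134/0001-58 | 27 |
| 10 | UNICOM-HA | 25 |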

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

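| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1683 |
| 2 | China | 409 |
| 3 | India | 317 |
| 4 | Brazil | 157 |
| 5 | Argentina | 89 |
| 6 | Russian Federation | 58 |
| 7 | Colombia | 16 |
| 8 | United States | 15 |
| 9 | Ukraine | 15 |
| 10 | Thailand | 14 |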

Saturday, December 5, 2009

Botnet Statistics [2009-12-04]

detection period: 2009-12-04 00:00-23:59 UTC
total number of suspected botnet IPs: 1530
number of botnet IPs notified to network operators: 1331

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

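| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | BSNLNET | 222 |
| 2 | CHINANET-GD | 88 |
| 3 | 002.558.157/0001-62 | 65 |
| 4 | AR-TEAR7-LACNIC | 57 |
| 5 | RCOM | 46 |
| 6 | TATACOMM-IN | 44 |
| 7 | UNICOM-SD | 41 |
| 8 | CHINANET-JS | 31 |
| 9 | 002.558.134/0001-58 | 28 |
| 10 | UNICOM-HA | 24 |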

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

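| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 498 |
| 2 | India | 366 |
| 3 | Brazil | 202 |
| 4 | Argentina | 100 |
| 5 | Russian Federation | 62 |
| 6 | Taiwan | 44 |
| 7 | Thailand | 21 |
| 8 | Ukraine | 19 |
| 9 | Colombia | 18 |
| 10 | South Korea | 15 |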

Friday, December 4, 2009

Botnet Statistics [2009-12-03]

detection period: 2009-12-03 00:00-23:59 UTC
total number of suspected botnet IPs: 2316
number of botnet IPs notified to network operators: 2072

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

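| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | CHINANET-GD | 412 |
| 2 | BSNLNET | 245 |
| 3 | 002.558.157/0001-62 | 104 |
| 4 | HINET-NET | 64 |
| 5 | UNICOM-SD | 63 |
| 6 | AR-TEAR7-LACNIC | 63 |
| 7 | TATACOMM-IN | 41 |
| 8 | RCOM | 38 |
| 9 | CHINANET-JS | 38 |
| 10 | AR-CASA10-LACNIC | 32 |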

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

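| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 984 |
| 2 | India | 379 |
| 3 | Brazil | 314 |
| 4 | Argentina | 128 |
| 5 | Taiwan | 81 |
| 6 | Russian Federation | 72 |
| 7 | Thailand | 28 |
| 8 | Colombia | 25 |
| 9 | United States | 23 |
| 10 | Ukraine | 22 |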

Thursday, December 3, 2009

Botnet Statistics [2009-12-02]

detection period: 2009-12-02 00:00-23:59 UTC
total number of suspected botnet IPs: 1996
number of botnet IPs notified to network operators: 1737

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

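| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | CHINANET-GD | 295 |
| 2 | BSNLNET | 280 |
| 3 | 002.558.157/0001-62 | 111 |
| 4 | AR-TEAR7-LACNIC | 92 |
| 5 | RCOM | 51 |
| 6 | TATACOMM-IN | 45 |
| 7 | 002.558.134/0001-58 | 45 |
| 8 | UNICOM-SD | 33 |
| 9 | 002.449.992/0001-64 | 32 |
| 10 | HINET-NET | 28 |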

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

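| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 619 |
| 2 | India | 428 |
| 3 | Brazil | 315 |
| 4 | Argentina | 161 |
| 5 | Russian Federation | 89 |
| 6 | Taiwan | 40 |
| 7 | Ukraine | 36 |
| 8 | Colombia | 24 |
| 9 | Thailand | 23 |
| 10 | United States | 22 |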

Wednesday, December 2, 2009

Botnet Statistics [2009-12-01]

HiNet in Taiwan got a surprising surge in botnet computers. My detection system logged more than 2000 botnet IPs from HiNet. Is this an outbreak of a new attack vector?

detection period: 2009-12-01 00:00-23:59 UTC
total number of suspected botnet IPs: 3723
number of botnet IPs notified to network operators: 3499

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

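| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 2112 |
| 2 | CHINANET-GD | 252 |
| 3 | BSNLNET | 101 |
| 4 | 002.558.157/0001-62 | 94 |
| 5 | AR-TEAR7-LACNIC | 78 |
| 6 | 002.558.134/0001-58 | 39 |
| 7 | UNICOM-SD | 31 |
| 8 | 002.449.992/0001-64 | 31 |
| 9 | AR-CASA10-LACNIC | 27 |
| 10 | AR-PRSA-LACNIC | 25 |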

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

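| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 2127 |
| 2 | China | 558 |
| 3 | Brazil | 295 |
| 4 | India | 182 |
| 5 | Argentina | 143 |
| 6 | Russian Federation | 77 |
| 7 | United States | 44 |
| 8 | Colombia | 26 |
| 9 | Ukraine | 25 |
| 10 | Thailand | 21 |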

Tuesday, December 1, 2009

Botnet Statistics [2009-11-30]

detection period: 2009-11-30 00:00-23:59 UTC
total number of suspected botnet IPs: 2524
number of botnet IPs notified to network operators: 2291

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

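| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 627 |
| 2 | CHINANET-GD | 264 |
| 3 | BSNLNET | 215 |
| 4 | AR-TEAR7-LACNIC | 103 |
| 5 | 002.558.157/0001-62 | 96 |
| 6 | 002.558.134/0001-58 | 56 |
| 7 | UNICOM-SD | 40 |
| 8 | TATACOMM-IN | 31 |
| 9 | RCOM | 28 |
| 10 | CHINANET-ZJ-WZ | 28 |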

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

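| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | China | 661 |
| 2 | Taiwan | 641 |
| 3 | India | 324 |
| 4 | Brazil | 288 |
| 5 | Argentina | 165 |
| 6 | Russian Federation | 69 |
| 7 | Thailand | 36 |
| 8 | Ukraine | 35 |
| 9 | United States | 26 |
| 10 | Colombia | 26 |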

Monday, November 30, 2009

Botnet Statistics [2009-11-29]

detection period: 2009-11-29 00:00-23:59 UTC
total number of suspected botnet IPs: 3205
number of botnet IPs notified to network operators: 2962

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

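| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 1764 |
| 2 | AR-TEAR7-LACNIC | 142 |
| 3 | BSNLNET | 118 |
| 4 | 002.558.157/0001-62 | 89 |
| 5 | CHINANET-GD | 63 |
| 6 | 002.558.134/0001-58 | 48 |
| 7 | UNICOM-SD | 38 |
| 8 | CHINANET-ZJ-WZ | 35 |
| 9 | 000.065.376/0002-65 | 32 |
| 10 | AR-CASA10-LACNIC | 31 |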

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

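| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 1780 |
| 2 | China | 355 |
| 3 | Brazil | 261 |
| 4 | Argentina | 213 |
| 5 | India | 169 |
| 6 | Russian Federation | 103 |
| 7 | Thailand | 40 |
| 8 | Ukraine | 28 |
| 9 | Uruguay | 23 |
| 10 | Colombia | 22 |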

Sunday, November 29, 2009

Botnet Statistics [2009-11-28]

detection period: 2009-11-28 00:00-23:59 UTC
total number of suspected botnet IPs: 2682
number of botnet IPs notified to network operators: 2390

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

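| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 947 |
| 2 | BSNLNET | 273 |
| 3 | AR-TEAR7-LACNIC | 139 |
| 4 | 002.558.157/0001-62 | 107 |
| 5 | 002.558.134/0001-58 | 64 |
| 6 | UNICOM-SD | 45 |
| 7 | RCOM | 40 |
| 8 | TATACOMM-IN | 37 |
| 9 | CHINANET-GD | 36 |
| 10 | AR-PRSA-LACNIC | 35 |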

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

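| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 958 |
| 2 | India | 404 |
| 3 | China | 319 |
| 4 | Brazil | 311 |
| 5 | Argentina | 221 |
| 6 | Russian Federation | 107 |
| 7 | Thailand | 53 |
| 8 | Ukraine | 30 |
| 9 | Mexico | 23 |
| 10 | Colombia | 21 |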

Saturday, November 28, 2009

Botnet Statistics [2009-11-27]

detection period: 2009-11-27 00:00-23:59 UTC
total number of suspected botnet IPs: 2635
number of botnet IPs notified to network operators: 2328

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

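| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | HINET-NET | 733 |
| 2 | BSNLNET | 367 |
| 3 | AR-TEAR7-LACNIC | 119 |
| 4 | 002.558.157/0001-62 | 117 |
| 5 | 002.558.134/0001-58 | 49 |
| 6 | UNICOM-SD | 47 |
| 7 | RCOM | 43 |
| 8 | TATACOMM-IN | 40 |
| 9 | AR-PRSA-LACNIC | 33 |
| 10 | CHINANET-GD | 32 |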

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

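| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | Taiwan | 744 |
| 2 | India | 508 |
| 3 | China | 398 |
| 4 | Brazil | 336 |
| 5 | Argentina | 193 |
| 6 | Russian Federation | 108 |
| 7 | Thailand | 43 |
| 8 | Ukraine | 39 |
| 9 | Colombia | 22 |
| 10 | Chile | 18 |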

Friday, November 27, 2009

Botnet Statistics [2009-11-26]

detection period: 2009-11-26 00:00-23:59 UTC
total number of suspected botnet IPs: 2063
number of botnet IPs notified to network operators: 1721

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

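| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | BSNLNET | 399 |
| 2 | AR-TEAR7-LACNIC | 117 |
| 3 | 002.558.157/0001-62 | 98 |
| 4 | RCOM | 55 |
| 5 | 002.558.134/0001-58 | 54 |
| 6 | TATACOMM-IN | 53 |
| 7 | CHINANET-GD | 49 |
| 8 | UNICOM-SD | 46 |
| 9 | AR-PRSA-LACNIC | 31 |
| 10 | UKRTELNET | 29 |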

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

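| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | India | 573 |
| 2 | China | 434 |
| 3 | Brazil | 314 |
| 4 | Argentina | 194 |
| 5 | Russian Federation | 105 |
| 6 | Taiwan | 41 |
| 7 | Ukraine | 40 |
| 8 | Thailand | 33 |
| 9 | Colombia | 24 |
| 10 | Uruguay | 21 |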

Thursday, November 26, 2009

Botnet Statistics [2009-11-25]

detection period: 2009-11-25 00:00-23:59 UTC
total number of suspected botnet IPs: 1963
number of botnet IPs notified to network operators: 1640

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

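| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | BSNLNET | 322 |
| 2 | AR-TEAR7-LACNIC | 136 |
| 3 | 002.558.157/0001-62 | 128 |
| 4 | RCOM | 52 |
| 5 | 002.558.134/0001-58 | 50 |
| 6 | UNICOM-SD | 44 |
| 7 | TATACOMM-IN | 42 |
| 8 | HINET-NET | 34 |
| 9 | CHINANET-GD | 34 |
| 10 | UKRTELNET | 31 |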

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

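| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | India | 482 |
| 2 | Brazil | 361 |
| 3 | China | 349 |
| 4 | Argentina | 208 |
| 5 | Russian Federation | 101 |
| 6 | Taiwan | 47 |
| 7 | Ukraine | 44 |
| 8 | Thailand | 43 |
| 9 | Colombia | 27 |
| 10 | Mexico | 26 |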

Wednesday, November 25, 2009

Botnet Statistics [2009-11-24]

detection period: 2009-11-24 00:00-23:59 UTC
total number of suspected botnet IPs: 2265
number of botnet IPs notified to network operators: 1884

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

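| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | BSNLNET | 348 |
| 2 | HINET-NET | 191 |
| 3 | AR-TEAR7-LACNIC | 150 |
| 4 | 002.558.157/0001-62 | 126 |
| 5 | CHINANET-GD | 111 |
| 6 | TATACOMM-IN | 52 |
| 7 | UNICOM-SD | 47 |
| 8 | RCOM | 46 |
| 9 | 002.558.134/0001-58 | 44 |
| 10 | 002.449.992/0001-64 | 32 |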

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

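| Rank | Country | # of suspected botnet IPs |
|---|---|---|
| 1 | India | 514 |
| 2 | China | 427 |
| 3 | Brazil | 350 |
| 4 | Argentina | 233 |
| 5 | Taiwan | 208 |
| 6 | Russian Federation | 97 |
| 7 | Thailand | 43 |
| 8 | Ukraine | 38 |
| 9 | Colombia | 30 |
| 10 | Uruguay | 26 |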

Tuesday, November 24, 2009

Botnet Statistics [2009-11-23]

detection period: 2009-11-23 00:00-23:59 UTC
total number of suspected botnet IPs: 2235
number of botnet IPs notified to network operators: 1846

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

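| Rank | Network | # of suspected botnet IPs |
|---|---|---|
| 1 | BSNLNET | 325 |
| 2 | HINET-NET | 190 |
| 3 | AR-TEAR7-LACNIC | 134 |
| 4 | 002.558.157/0001-62 | 108 |
| 5 | CHINANET-GD | 95 |
| 6 | 002.558.134/0001-58 | 51 |
| 7 | UNICOM-SD | 47 |
| 8 | RCOM | 47 |
| 9 | TATACOMM-IN | 45 |
| 10 | AR-CASA10-LACNIC | 38 |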

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | India | 490
2 | China | 435
3 | Brazil | 343
4 | Argentina | 219
5 | Taiwan | 207
6 | Russian Federation | 110
7 | Ukraine | 37
8 | Thailand | 35
9 | Indonesia | 25
10 | Colombia | 22

Monday, November 23, 2009

Botnet Statistics [2009-11-22]

detection period: 2009-11-22 00:00-23:59 UTC
total number of suspected botnet IPs: 1863
number of botnet IPs notified to network operators: 1570

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | HINET-NET | 379
2 | BSNLNET | 131
3 | AR-TEAR7-LACNIC | 114
4 | 002.558.157/0001-62 | 73
5 | UNICOM-SD | 44
6 | CHINANET-GD | 38
7 | AR-PRSA-LACNIC | 34
8 | 002.558.134/0001-58 | 33
9 | 000.065.376/0002-65 | 30
10 | AR-CASA10-LACNIC | 29

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | Taiwan | 402
2 | China | 332
3 | Brazil | 241
4 | India | 198
5 | Argentina | 191
6 | Russian Federation | 118
7 | Thailand | 31
8 | Uruguay | 28
9 | Ukraine | 25
10 | Indonesia | 21

Sunday, November 22, 2009

Botnet Statistics [2009-11-21]

detection period: 2009-11-21 00:00-23:59 UTC
total number of suspected botnet IPs: 2023
number of botnet IPs notified to network operators: 1709

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | HINET-NET | 516
2 | BSNLNET | 209
3 | AR-TEAR7-LACNIC | 108
4 | 002.558.157/0001-62 | 73
5 | UNICOM-SD | 41
6 | TATACOMM-IN | 35
7 | AR-CASA10-LACNIC | 33
8 | RCOM | 29
9 | HATHWAY-NET | 27
10 | 000.065.376/0002-65 | 27

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | Taiwan | 539
2 | India | 327
3 | China | 298
4 | Brazil | 240
5 | Argentina | 178
6 | Russian Federation | 82
7 | Thailand | 42
8 | Ukraine | 24
9 | Uruguay | 20
10 | Indonesia | 19

Saturday, November 21, 2009

Botnet Statistics [2009-11-20]

detection period: 2009-11-20 00:00-23:59 UTC
total number of suspected botnet IPs: 1965
number of botnet IPs notified to network operators: 1618

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | BSNLNET | 353
2 | AR-TEAR7-LACNIC | 101
3 | 002.558.157/0001-62 | 81
4 | HINET-NET | 71
5 | CHINANET-GD | 61
6 | TATACOMM-IN | 60
7 | UNICOM-SD | 47
8 | 002.558.134/0001-58 | 41
9 | RCOM | 37
10 | AR-PRSA-LACNIC | 30

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | India | 514
2 | China | 397
3 | Brazil | 280
4 | Argentina | 176
5 | Russian Federation | 103
6 | Taiwan | 99
7 | Ukraine | 42
8 | Thailand | 40
9 | Colombia | 26
10 | Indonesia | 17

Friday, November 20, 2009

Botnet Statistics [2009-11-19]

detection period: 2009-11-19 00:00-23:59 UTC
total number of suspected botnet IPs: 2237
number of botnet IPs notified to network operators: 1867

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | BSNLNET | 351
2 | HINET-NET | 173
3 | CHINANET-GD | 143
4 | AR-TEAR7-LACNIC | 114
5 | 002.558.157/0001-62 | 107
6 | 002.558.134/0001-58 | 57
7 | UNICOM-SD | 47
8 | TATACOMM-IN | 42
9 | RCOM | 35
10 | HATHWAY-NET | 34

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | India | 505
2 | China | 467
3 | Brazil | 341
4 | Taiwan | 200
5 | Argentina | 196
6 | Russian Federation | 108
7 | Ukraine | 48
8 | Thailand | 41
9 | Colombia | 28
10 | Ethiopia | 19

Thursday, November 19, 2009

Botnet Statistics [2009-11-18]

detection period: 2009-11-18 00:00-23:59 UTC
total number of suspected botnet IPs: 2280
number of botnet IPs notified to network operators: 1911

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | HINET-NET | 343
2 | BSNLNET | 280
3 | 002.558.157/0001-62 | 101
4 | AR-TEAR7-LACNIC | 95
5 | CHINANET-GD | 78
6 | UNICOM-SD | 47
7 | 002.558.134/0001-58 | 43
8 | 002.449.992/0001-64 | 40
9 | TATACOMM-IN | 37
10 | RCOM | 35

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | China | 456
2 | India | 422
3 | Taiwan | 368
4 | Brazil | 330
5 | Argentina | 165
6 | Russian Federation | 85
7 | Ukraine | 44
8 | Thailand | 34
9 | Colombia | 31
10 | South Korea | 26

Wednesday, November 18, 2009

Botnet Statistics [2009-11-17]

detection period: 2009-11-17 00:00-23:59 UTC
total number of suspected botnet IPs: 2859
number of botnet IPs notified to network operators: 2486

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | HINET-NET | 699
2 | BSNLNET | 353
3 | 002.558.157/0001-62 | 119
4 | AR-TEAR7-LACNIC | 107
5 | CHINANET-GD | 68
6 | UNICOM-SD | 52
7 | TATACOMM-IN | 52
8 | RCOM | 44
9 | 002.558.134/0001-58 | 43
10 | 002.449.992/0001-64 | 33

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | Taiwan | 728
2 | India | 526
3 | China | 518
4 | Brazil | 354
5 | Argentina | 177
6 | Russian Federation | 82
7 | Ukraine | 43
8 | Colombia | 34
9 | Thailand | 29
10 | United States | 22

Tuesday, November 17, 2009

Botnet Statistics [2009-11-16]

detection period: 2009-11-16 00:00-23:59 UTC
total number of suspected botnet IPs: 2158
number of botnet IPs notified to network operators: 1794

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | BSNLNET | 323
2 | 002.558.157/0001-62 | 110
3 | AR-TEAR7-LACNIC | 98
4 | HINET-NET | 92
5 | CHINANET-GD | 79
6 | UNICOM-SD | 55
7 | RCOM | 43
8 | TATACOMM-IN | 39
9 | 002.558.134/0001-58 | 39
10 | AR-CASA10-LACNIC | 33

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | China | 574
2 | India | 458
3 | Brazil | 321
4 | Argentina | 169
5 | Taiwan | 125
6 | Russian Federation | 93
7 | Ukraine | 45
8 | Thailand | 26
9 | South Korea | 22
10 | Colombia | 19

Monday, November 16, 2009

Botnet Statistics [2009-11-15]

detection period: 2009-11-15 00:00-23:59 UTC
total number of suspected botnet IPs: 1894
number of botnet IPs notified to network operators: 1595

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | HINET-NET | 280
2 | BSNLNET | 156
3 | CHINANET-GD | 142
4 | AR-TEAR7-LACNIC | 112
5 | 002.558.157/0001-62 | 59
6 | UNICOM-SD | 42
7 | 002.558.134/0001-58 | 33
8 | UKRTELNET | 28
9 | AR-CASA10-LACNIC | 25
10 | UY-ANTA-LACNIC | 23

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | China | 454
2 | Taiwan | 304
3 | Brazil | 224
4 | India | 207
5 | Argentina | 164
6 | Russian Federation | 89
7 | United States | 72
8 | Ukraine | 42
9 | Thailand | 32
10 | Uruguay | 23

Sunday, November 15, 2009

Botnet Statistics [2009-11-14]

detection period: 2009-11-14 00:00-23:59 UTC
total number of suspected botnet IPs: 2566
number of botnet IPs notified to network operators: 2188

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | CHINANET-GD | 494
2 | HINET-NET | 351
3 | BSNLNET | 213
4 | 002.558.157/0001-62 | 81
5 | AR-TEAR7-LACNIC | 72
6 | UNICOM-SD | 46
7 | RCOM | 44
8 | TATACOMM-IN | 33
9 | AR-CASA10-LACNIC | 28
10 | UKRTELNET | 23

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank | Country | # of suspected botnet IPs
1 | China | 882
2 | Taiwan | 381
3 | India | 344
4 | Brazil | 226
5 | Argentina | 135
6 | United States | 101
7 | Russian Federation | 75
8 | Ukraine | 33
9 | Thailand | 31
10 | South Korea | 26

Saturday, November 14, 2009

Botnet Detection with Greylisting

So how do we uncover botnets? If you google for botnet tracking, you will find that honeypots are often listed on the first page of search results. The strength of honeypots lies in their effectiveness at collecting malware binaries, which are needed to gain a deeper understanding of botnets. As I only track botnets so as to notify unsuspecting victims, and have neither the interest nor the expertise to study the inner workings of malware, honeypots are not really made for me. How to attract botnets to interact with honeypots is also a problem.

As I said before, my botnet detection strategy is to follow the spam upstream. According to the Q2/June edition of the MessageLabs Intelligence monthly report, 83.2% of all spam was sent via botnets. The fact is, botnets have accounted for more than half of global spam for several years. Isn't that convenient for us if we want to find botnets? If you manage your own mail server and get a lot of spam every day, perhaps your server has been interacting with botnets all the time. The remaining problem is how to identify botnet computers.

Thanks to greylisting, mail servers can easily filter out incoming spam from botnets. The SMTP engines built into malware are often not full-blown SMTP servers, as malware authors tend to leave out the retry function of the SMTP protocol. Greylisting takes advantage of that and can differentiate botnet computers from real mail servers by their lack of retry behavior. By extension, mail-sending hosts that cannot pass greylisting are very likely to be botnet computers, which are exactly what we are looking for.

Greylisting is a very powerful botnet tracking technique. Once a botnet computer begins to send out malicious mail, be it spam, virus or phishing mail, it will soon be detected by greylisting. If mail servers deploying greylisting could contribute their mail logs to compile the IP address list of suspected botnet computers, the useful life of botnets to cyber criminals would be greatly shortened, which would eventually lead to the demise of botnets. At least it should reduce bot-sent spam to a minimum, I hope.
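The detection rule described above, as an added example (it is not the author's posted greylisting implementation): it reads a constructed log of SMTP delivery attempts and lists the client IPs that were deferred and never came back with a proper retry. The log format, the 5-minute greylist delay and the 4-hour retry window are assumptions made for the example.

```python
from datetime import datetime, timedelta

MIN_DELAY = timedelta(minutes=5)   # assumed greylist delay before a retry is accepted
RETRY_WINDOW = timedelta(hours=4)  # assumed time a real mail server gets to come back

# Constructed log lines: "<UTC time> <client IP> <envelope sender> <envelope recipient>"
SAMPLE_LOG = """\
2009-11-14T00:01:00 192.0.2.10 a@example.org user@example.net
2009-11-14T00:02:00 198.51.100.7 x@example.com user@example.net
2009-11-14T00:02:20 198.51.100.7 x@example.com user@example.net
2009-11-14T00:03:00 198.51.100.7 y@example.com admin@example.net
2009-11-14T00:09:30 192.0.2.10 a@example.org user@example.net
2009-11-14T07:50:00 203.0.113.5 n@example.org user@example.net
"""

def classify(log_text, now):
    """Return (suspects, pending) sets of client IPs as judged at time `now`."""
    first_seen = {}        # greylist triplet -> time of its first (deferred) attempt
    passed = set()         # IPs that retried some triplet after MIN_DELAY
    oldest_deferral = {}   # IP -> earliest deferral time
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, sender, rcpt = line.split()
        t = datetime.fromisoformat(ts)
        triplet = (ip, sender.lower(), rcpt.lower())
        if triplet not in first_seen:
            first_seen[triplet] = t
            oldest_deferral[ip] = min(t, oldest_deferral.get(ip, t))
        elif t - first_seen[triplet] >= MIN_DELAY:
            passed.add(ip)  # proper retry: behaves like a real mail server
        # A retry sooner than MIN_DELAY is deferred again and proves nothing.
    suspects, pending = set(), set()
    for ip, t in oldest_deferral.items():
        if ip in passed:
            continue
        # Judge only hosts whose retry window has fully elapsed; a recent
        # deferral may still be retried by a legitimate server.
        (suspects if now - t >= RETRY_WINDOW else pending).add(ip)
    return suspects, pending

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, datetime(2009, 11, 14, 8, 0, 0)))
```

Hosts in the pending set should be re-evaluated on a later run rather than reported, since a slow but legitimate mail server can look identical to a bot until its retry window has passed.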

I have posted my greylisting implementation; comments and questions are welcome.