A couple of months ago, I posted an article saying that my own internal statistics did not suggest that Australia was a hotbed of zombie activity. This was a follow-up to a previous post in which I highlighted that Australia was kicking infected zombie PCs off its networks (or at least quarantining them). At the time, I said that Australia does have some spam and zombie activity associated with it, but it appears to be a small player compared to others like the US, South Korea, China, Brazil, and so forth.
I have an update.
Over the past month, I decided to check which countries had IPs associated with particular botnets. I found some interesting trends. Of the 14 botnets that I track:
- South Korea is the worst country for IPs that are spamming, placing number 1 or 2 for the bagle-cb, cutwail1/2, donbot, grum, mega-d and rustock botnets, among those that send us mail that I am able to track. That is half of all the botnets I keep statistics on.
- The United States is the worst country for IPs in the following, placing number 1 or 2 for bagle-cb, darkmailer, festi, gheg, grum2 (but not grum 1), rustock (by a long shot) and waledac. This is also half of the botnets I have statistics on. Note that there is some overlap with the South Korean list.
- Australia just doesn't seem to be a major player, except in one botnet: Lethic. This is very interesting to me; the global list of IP addresses does not list Australia as the most prolific country for Lethic. However, for IPs that send us spam, Australia is number one in Lethic by quite some way. Below is the distribution chart:
My intelligence on Lethic suggests that, as a botnet, it is not the biggest in terms of number of IPs, but the number of messages it sends per email envelope is the highest of all the ones I track. Thus it accounts for a very large percentage of spam simply because of how much it attempts to stuff into each message.
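As an added illustration (not code from the original post), here is a small Python script that performs the two aggregations described above: ranking the countries behind each botnet's spamming IPs (counting unique IPs, so one chatty host cannot promote its country), and measuring how much each botnet stuffs into an envelope. The records, IP addresses and recipient counts are constructed for the example; only the botnet names match the ones discussed in the post.

```python
"""Per-botnet country ranking and envelope-stuffing measurement.

Sample data is constructed for this example: the botnet labels follow the
post, but every IP address and count below is made up.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: one record per SMTP envelope seen from a classified IP.
# Fields: (botnet, sender_ip, country, recipients_in_envelope)
SAMPLE = [
    ("lethic",  "203.0.113.10",  "AU", 40),
    ("lethic",  "203.0.113.10",  "AU", 55),   # same IP, second envelope
    ("lethic",  "203.0.113.11",  "AU", 38),
    ("lethic",  "203.0.113.12",  "AU", 45),
    ("lethic",  "198.51.100.5",  "US", 42),
    ("lethic",  "198.51.100.6",  "US", 47),
    ("lethic",  "192.0.2.77",    "CA", 48),
    ("rustock", "198.51.100.20", "US", 1),
    ("rustock", "198.51.100.21", "US", 1),
    ("rustock", "198.51.100.22", "US", 2),
    ("rustock", "198.51.100.23", "US", 1),
    ("rustock", "192.0.2.9",     "KR", 1),
    ("rustock", "192.0.2.10",    "KR", 1),
    ("rustock", "203.0.113.40",  "AU", 1),
    ("rustock", "192.0.2.50",    "CN", 2),
]


def country_ranks_by_botnet(records):
    """Return {botnet: [(country, unique_ip_count), ...]}, highest count first.

    Unique IPs are counted rather than envelopes so that a single host sending
    many messages does not inflate its country's position.
    """
    ips = defaultdict(lambda: defaultdict(set))
    for botnet, ip, country, _ in records:
        ips[botnet][country].add(ip)
    return {
        botnet: sorted(((c, len(s)) for c, s in per_country.items()),
                       key=lambda cs: (-cs[1], cs[0]))   # count desc, name asc
        for botnet, per_country in ips.items()
    }


def botnets_where_country_places(records, country, top_n=2):
    """Botnets for which `country` ranks within the top `top_n` by unique IPs."""
    hits = []
    for botnet, ranking in country_ranks_by_botnet(records).items():
        if country in [c for c, _ in ranking[:top_n]]:
            hits.append(botnet)
    return sorted(hits)


def recipients_per_envelope(records):
    """Mean recipients per envelope for each botnet: a proxy for how much a
    botnet stuffs into each message, independent of how many IPs it has."""
    per_botnet = defaultdict(list)
    for botnet, _, _, rcpts in records:
        per_botnet[botnet].append(rcpts)
    return {b: mean(v) for b, v in per_botnet.items()}


def share_of_ips_and_messages(records):
    """{botnet: (share of all unique IPs, share of all recipient deliveries)}.

    Shows how a botnet can be small by IP count yet dominate by volume.
    """
    ips = defaultdict(set)
    rcpts = defaultdict(int)
    for botnet, ip, _, n in records:
        ips[botnet].add(ip)
        rcpts[botnet] += n
    total_ips = len(set().union(*ips.values()))
    total_rcpts = sum(rcpts.values())
    return {b: (len(ips[b]) / total_ips, rcpts[b] / total_rcpts) for b in ips}


if __name__ == "__main__":
    for botnet, ranking in country_ranks_by_botnet(SAMPLE).items():
        print(botnet, ranking)
    print("AU in top 2:", botnets_where_country_places(SAMPLE, "AU"))
    print("recipients/envelope:", recipients_per_envelope(SAMPLE))
    print("ip share, message share:", share_of_ips_and_messages(SAMPLE))
```

On the constructed sample, Lethic has fewer unique IPs than Rustock (6 versus 8) yet accounts for over 95% of recipient deliveries, which is the shape of the volume effect the post attributes to Lethic's envelope stuffing. Real feeds need the botnet classification and a GeoIP lookup supplied upstream; the script assumes both are already present in each record.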
Why we see this anomaly is puzzling to me, but note the trend: predominantly English-speaking countries make up the top 10: Australia, the United States, Canada, New Zealand (?) and Great Britain. Even the Netherlands and Norway have populations that speak English very well. That is, seven of the top ten countries that sent us Lethic spam over the past month have strong English-speaking populations. Why is this the case? I don't know. Perhaps the bots that infect these countries have malware attack vectors that are primarily in English. If I look at Microsoft's SIR v7, the top threats are:
Australia: (1) Renos (2) ZangoSearchAssistant (3) Alureon
USA: (1) FakeXPA (2) Renos (3) ZangoSearchAssistant
Great Britain: (1) ZangoSearchAssistant (2) Renos (3) ZangoShoppingreports
Norway: (1) ZangoSearchAssistant (2) Renos (3) Vundo
Note that this data is from 1H2009, so it could be old and there could be no relation. I don't have updated numbers, but I could always check; if I get them I will post them. But the two common threads here are ZangoSearchAssistant and Renos. ZangoSearchAssistant monitors your web browsing activity and displays pop-up ads. Renos automatically downloads potentially unwanted software such as SpySheriff, SpyAxe, etc. These programs typically present false warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee.
I can't say whether there is a link between these two pieces of malware, but it does look like the English-speaking countries are more susceptible to them. Whether there is a link between them and Lethic I cannot say, as the numbers are not new enough, but perhaps there is a relationship between certain pieces of malware and the Lethic botnet after all.