What happened with the CBL false listings?

The CBL issued a statement and explanation for the false positives. Copying it here because there doesn’t seem to be a way to link directly to the statement on the CBL front page.


November 24, 2015 Widespread false positives
Earlier today, a very large scale Kelihos botnet event occurred – by large scale, many email installations will be seeing in excess of 20% Kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn’t an unusual thing normally, the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.
The email was allegedly from the US Federal Reserve, saying something about restrictions in “U.S. Federal Wire and ACH online payments.” Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza or Dridex malware.
The detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error.
As per our policy, all entries of this type were purged (by about 19:05 UTC), and the detection heuristic removed.
If you were listed up to around 19:00 UTC, and the CBL lookup page appears to indicate that the IP is no longer listed, this is likely the explanation, and no further action is required on your part.


Out of curiosity I checked my own mailboxes. Since the first “Federal Reserve Spam” delivered at around 3:45 this morning, I’ve received 252 spams. 124 of those were the Kelihos bot spam. So it’s a good half of today’s spam volume. Yesterday’s total spam volume was around 328. A noticeable increase here.
 
