The Spamhaus Project

Did anyone recently notice that the Spamhaus XBL just got really big?

by The Spamhaus Team, December 19, 2017, 2 minutes reading time
DNSBL
Malware

Yes, the XBL grew by over 50%!

Over the past three weeks, some of our users have noticed that the XBL (CBL) database has grown substantially in size. There are two major reasons for this.

1) Increase from the Internet of Things (IoT)

There has been a substantial increase in the amount of IoT scanning, which means that the operators of malicious IoT botnets are trying to grow their populations of hacked devices. We noticed an oddity: Argentina seems to have had more than its fair share of the increase. This may have something to do with compromises being found in devices common among Argentinian ISP customers. For example, a new IoT variant similar to Mirai, called Satori, has appeared and seems to be attacking Huawei Home Gateway routers in particular.

The total number of IoT entries in the XBL has increased from just under 1 million to over 2.5 million.

As of today, Egypt is in the lead with approximately 1.2 million Mirai infections detected. This suggests that one or more ISPs there are distributing access modems/routers that are particularly vulnerable to this wave of Mirai attacks.

2) Increase from the Andromeda botnet takedown

The Andromeda takedown on November 29, 2017 resulted in the entire Andromeda (a/k/a Gamarue) Command and Control (C&C) network being taken over. We receive a feed of this data, which has caused the number of entries to skyrocket from a few tens of thousands to now over 6 million.

The XBL data

Most Spamhaus XBL users query our zones via DNS and will not have noticed the size change, as the data is returned one entry at a time. Those with larger traffic volumes, or who wish to do their own analysis of this real-time feed, can subscribe to an rsync feed of the XBL.
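The per-entry DNS lookup mentioned above, as an added example (not Spamhaus's own code): the client reverses the IPv4 octets under the xbl.spamhaus.org zone and reads the returned A record, where 127.0.0.4 is the documented XBL listing code and answers in 127.255.255.0/24 are error codes rather than listings. The `resolve` callable and the TEST-NET address 192.0.2.10 are assumptions for offline use; a non-loopback answer is treated as a broken or hijacked lookup, not a listing.

```python
import ipaddress
import socket

XBL_ZONE = "xbl.spamhaus.org"
XBL_LISTED = ipaddress.IPv4Address("127.0.0.4")          # XBL (CBL data) listing code
XBL_ERRORS = ipaddress.IPv4Network("127.255.255.0/24")   # error codes, not listings
DNSBL_RANGE = ipaddress.IPv4Network("127.0.0.0/8")       # every real DNSBL answer lives here


def xbl_query_name(ip, zone=XBL_ZONE):
    """Reverse the IPv4 octets and append the zone, e.g. 10.2.0.192.xbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_xbl_answer(answers):
    """Classify the A records returned for a lookup name.

    Returns a dict: listed (bool), codes (list of str), error (str or None).
    """
    result = {"listed": False, "codes": [], "error": None}
    for a in answers:
        code = ipaddress.IPv4Address(a)
        if code in XBL_ERRORS:
            # e.g. 127.255.255.254: query sent via a public/open resolver; result is unusable
            result["error"] = "XBL error code %s; lookup not answered from the real zone" % code
        elif code not in DNSBL_RANGE:
            # Wildcard DNS, captive portal or a hijacked resolver: never treat as a listing
            result["error"] = "unexpected answer %s; not a DNSBL response" % code
        else:
            result["codes"].append(str(code))
            if code == XBL_LISTED:
                result["listed"] = True
    return result


def resolve_a(name):
    """Plain A lookup with the system resolver; NXDOMAIN (not listed) yields an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_xbl(ip, resolve=resolve_a):
    """Look up one IPv4 address in the XBL; 'resolve' is injectable for tests or custom resolvers."""
    return interpret_xbl_answer(resolve(xbl_query_name(ip)))


if __name__ == "__main__":
    # 192.0.2.10 is a constructed TEST-NET address, used only to show the call shape
    print(check_xbl("192.0.2.10"))
```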

As one can see, growth of the XBL zone, normally seen as a bad thing since it usually tracks an increase in compromised systems, can at times also point to something good. In this case, the dismantling of a large, notorious botnet.