Let's look at the botnets associated with the Kelihos rampage in October 2012.
Two botnets turn up the most: Maazben and Kelihos.
Why call it the Kelihos rampage, then?
Because CBL's detection of each botnet depends on numerous continually evolving heuristics, and in this case the same one is being triggered for both Maazben and Kelihos, and CBL thinks that particular heuristic is more characteristic of Kelihos.
The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems:
Overall spam volume for AS 16276 is indicated by the solid dark blue line. Maazben is the dotted cyan line peaking on 18, 23, and 29 October. Kelihos is the purple line peaking on 22, 26, and 30 October. There's also a green n/a line peaking on 24 October. This kind of choppiness, switching back and forth between a couple of predominant botnets, is a symptom of the same heuristic being used to detect both botnets. Whatever we call it, this botnet is wreaking havoc across the Internet in this Kelihos rampage.
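The alternating-peaks pattern described above can be checked mechanically rather than by eye. The following is an added example, not code from the post or from CBL: given per-day listing counts for two botnet labels in one ASN, it flags the pair as likely aliases of a single detection heuristic when their peak days are disjoint and strictly alternate in date order, and it sums the two so the trend can be read as one botnet. The daily counts are constructed to mimic the Maazben/Kelihos peaks the post describes for AS 16276; the peak threshold is an assumed value.

```python
"""Flag two botnet labels whose daily volumes alternate peak days, the
pattern seen when one detection heuristic is attributed to both names.
Added example; the data below is constructed, not CBL output."""

# Constructed daily listing counts for one ASN, 18-30 October, shaped to
# mimic the alternating Maazben/Kelihos peaks described in the post.
DAYS = list(range(18, 31))
VOLUMES = {
    "Maazben": [90, 20, 15, 10, 12, 85, 10, 8, 14, 9, 11, 95, 12],
    "Kelihos": [8, 12, 10, 15, 88, 12, 9, 20, 92, 14, 10, 11, 90],
}


def peak_days(series, days, threshold):
    """Days on which a label's count reaches the (assumed) peak threshold."""
    return [d for d, v in zip(days, series) if v >= threshold]


def interleaved(peaks_a, peaks_b):
    """True when the two labels' peak days are disjoint and strictly
    alternate once merged in date order (a, b, a, b, ...)."""
    if set(peaks_a) & set(peaks_b):
        return False
    merged = sorted([(d, "a") for d in peaks_a] + [(d, "b") for d in peaks_b])
    return len(merged) >= 2 and all(
        x[1] != y[1] for x, y in zip(merged, merged[1:])
    )


def looks_aliased(volumes, label_a, label_b, days, threshold):
    """Report whether two labels alternate in a way that suggests a shared
    detection heuristic rather than two independently observed botnets."""
    pa = peak_days(volumes[label_a], days, threshold)
    pb = peak_days(volumes[label_b], days, threshold)
    return interleaved(pa, pb)


def combined_series(volumes, labels):
    """Sum the aliased labels so the trend can be read as one botnet."""
    return [sum(vals) for vals in zip(*(volumes[label] for label in labels))]


if __name__ == "__main__":
    aliased = looks_aliased(VOLUMES, "Maazben", "Kelihos", DAYS, threshold=50)
    print("aliased:", aliased)
    print("combined:", combined_series(VOLUMES, ["Maazben", "Kelihos"]))
```

The interleaving test is deliberately strict: two genuinely separate botnets may peak on different days by coincidence, but a run of peaks that never overlap and always alternate, as in the chart above, is the signature worth merging before drawing conclusions about either botnet's trend.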
-jsq