The rise of the Satori botnet and the fall of the Andromeda (Gamarue) botnet are the two main factors behind a 50% growth of the Spamhaus Exploits Block List (XBL) over the past month.
The XBL is a real-time database of IP addresses of hijacked PCs infected by illegal third-party exploits, including open proxies, worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
Spamhaus experts do an excellent job of keeping the XBL up to date, which is why ISPs and many providers of cyber-security solutions integrate the XBL blocklist into their products and services.
Over the course of this month, the XBL grew by 50%, a surge that most users would find alarming. In fact, this jump also has a positive side.
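Checking an address against the XBL is a plain DNS lookup: the IPv4 octets are reversed and appended to the XBL zone, and a listing comes back as an A record in the 127.0.0.0/8 range while an unlisted address returns NXDOMAIN. The helper below is an added example, not code from the article or from Spamhaus; the zone name and the return-code meanings are assumptions drawn from Spamhaus's published return-code table and should be verified against the current documentation, and the `fake_resolver` helper exists only so the logic can be exercised offline.

```python
import ipaddress
import socket

# Assumed zone and return codes (from Spamhaus's published return-code table;
# verify against current Spamhaus documentation before relying on them).
XBL_ZONE = "xbl.spamhaus.org"
XBL_CODES = {
    "127.0.0.4": "XBL/CBL: infected host, open proxy or botnet member",
    "127.0.0.5": "XBL (legacy data source)",
    "127.0.0.6": "XBL (legacy data source)",
    "127.0.0.7": "XBL (legacy data source)",
}
ERROR_PREFIX = "127.255."  # 127.255.255.x answers mean refused / rate-limited
TEST_POINT = "127.0.0.2"   # documented DNSBL test address, always listed


def query_name(ip: str, zone: str = XBL_ZONE) -> str:
    """Build the reversed-octet DNSBL query name for a public IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    # Private/reserved space is never listed; skip the pointless query
    # (the 127.0.0.2 test point is the one deliberate exception).
    if ip != TEST_POINT and addr.is_private:
        raise ValueError(f"{ip} is not a public address")
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(ip: str, resolve=socket.gethostbyname):
    """Return (listed, detail). listed is True/False, or None when the
    answer is an error code and the result must be treated as unknown."""
    name = query_name(ip)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return False, "not listed"          # NXDOMAIN: address is clean
    if answer.startswith(ERROR_PREFIX):
        return None, f"query error {answer}; treat as unknown, do not block"
    return True, XBL_CODES.get(answer, f"unexpected return code {answer}")


def fake_resolver(table: dict):
    """Offline stand-in for socket.gethostbyname: answers from a dict,
    NXDOMAIN (socket.gaierror) for anything else. Constructed for testing."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    # Constructed sample address; a live run needs network access and
    # Spamhaus's usage terms allow only low-volume, non-forwarded queries.
    print(lookup("11.22.33.44", resolve=fake_resolver(
        {"44.33.22.11.xbl.spamhaus.org": "127.0.0.4"})))
```

Two design points matter for anyone wiring this into a mail or access-control pipeline: an error-range answer (127.255.x.x) must never be treated as a listing, otherwise a rate-limited resolver silently blocks everything, and the query should be short-circuited for private space so that internal hosts are not looked up at all.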
The positive side is that the takedown of the Andromeda (Gamarue) botnet gave authorities a list of over 6 million IP addresses of computers infected with this malware. This list has made its way to the Spamhaus team, which has added it to the XBL.
Despite the positive news about Andromeda's takedown and subsequent blacklist, it's very likely that we haven't seen the last of this botnet.
This is because the Andromeda malware source code leaked online years ago, and while European authorities arrested the operator of the biggest Andromeda botnet, someone could still take the original malware code and build a new botnet in the coming months.
You cannot take down Andromeda. You can only arrest people using Andromeda. Andromeda's builder was leaked some years ago and a lot of crooks are using it. — Benkow moʞuƎq (@benkow_) December 5, 2017
But the bad news doesn't end here. While the largest part of the XBL growth came from the Andromeda takedown, the increase can also be attributed to the rise of a few IoT botnets.
Of these, the botnet identified as Satori (also known as the Mirai Okiru variant) contributed by far the most to the XBL.
When it was first discovered, over 280,000 infected bots were scanning ports 37215 and 52869 and attempting to infect new devices. That number increased over the following days as the botnet continued to operate and mine the public IP pool for more potential victims.
Honeypots have allowed Spamhaus and other researchers to gather lists of IP addresses of infected devices, and those IPs have been added to the XBL.
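The honeypot and firewall-log side of this is simple to reproduce for your own perimeter: a Satori-infected device announces itself by sending SYNs to 37215 and 52869 across many destination addresses. The script below is an added example, not code from the article or from Spamhaus; the iptables-style log lines are constructed, the threshold is an assumption, and the output is the kind of per-source list that a honeypot operator would forward to a blocklist maintainer.

```python
import re
from collections import defaultdict

# Ports named in the article as the Satori scanning targets.
SATORI_PORTS = {37215, 52869}

# Constructed iptables-style log lines (not real traffic); the 11.22.x.x
# addresses are placeholders for public space.
SAMPLE_LOG = """\
Dec  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=11.22.33.44 DST=11.22.0.7 PROTO=TCP SPT=41022 DPT=37215 SYN
Dec  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=11.22.33.44 DST=11.22.0.8 PROTO=TCP SPT=41023 DPT=37215 SYN
Dec  5 10:01:03 gw kernel: IN=eth0 OUT= SRC=11.22.33.44 DST=11.22.0.9 PROTO=TCP SPT=41024 DPT=52869 SYN
Dec  5 10:01:04 gw kernel: IN=eth0 OUT= SRC=11.22.99.1 DST=11.22.0.7 PROTO=TCP SPT=51000 DPT=443 SYN
Dec  5 10:01:05 gw kernel: IN=eth0 OUT= SRC=11.22.77.5 DST=11.22.0.7 PROTO=TCP SPT=39000 DPT=52869 SYN
"""

# Only TCP SYNs matter: a scanner's first packet to each target.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) SYN"
)


def scanning_sources(log_text: str, min_targets: int = 2, ports=SATORI_PORTS):
    """Return {source_ip: sorted distinct destinations} for every source that
    sent SYNs to at least `min_targets` distinct hosts on the watched ports.
    Requiring several distinct targets separates a scanning bot from a single
    stray connection attempt."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in ports:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in scanning_sources(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on Satori ports: {', '.join(dsts)}")
```

In the constructed sample, 11.22.33.44 hits three different hosts on the two ports and is reported; 11.22.77.5 touches only one target and stays below the threshold, which is the right default for a list that will be shared with others, since a single SYN can be a mistyped address or a spoofed packet.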
While ProxyM and some other Mirai-based IoT botnets have also been quite active in recent months, they pale in comparison to the size of Satori, which just yesterday began another massive scan campaign looking for new victims, according to experts from LloydsLabs and Qihoo 360 Netlab who spoke with this reporter.
Overall, while Satori appears to be the main threat at the time of writing, Spamhaus highlights the broader danger of IoT botnets with a telling statistic from the past year.
"The total number of IoT entries in the XBL has increased from just under 1 million to over 2.5 million," said Ray, a member of the Spamhaus XBL/CBL Team. "As of today, Egypt is in the lead with approximately 1.2 million Mirai infections detected."
As Spamhaus points out, most of these IoT threats are botnets built on top of the leaked Mirai source code. Last week, three men pleaded guilty to creating the original Mirai malware, which they later leaked online in October 2016.