New infection spike at ThePlanet
Posted by Oliver Day
We noticed a large spike of activity on December 31, 2009 on ThePlanet’s network block 21844. The data can be viewed here:
http://stopbadware.org/reports/asn/21844
It is quite obvious that a large number of websites were infected at the same time, as was also the case on October 1, 2009. We created two lists of URLs, one for December 30, 2009 and one for December 31, 2009. By comparing the two lists we were able to determine which websites were infected on that day, and we resolved the IP address for each. A simple distribution analysis of infections per IP address shows that a majority of the infections (353) are spread out across the IP space. However, roughly 70 of the IP addresses have 25 infections each. The highest infection counts (between 32 and 84) occur on single IP addresses.
We have emailed this information to the abuse team at ThePlanet in the hope that they will focus their efforts on those particular machines.
IP address        Infections
174.120.120.151   84
174.132.194.9     84
67.19.140.10      77
67.18.123.220     44
69.93.161.54      32
70.85.61.66       26
It is important to note that this represents only the 2000 infections seen on December 31, 2009. It would be trivial to analyze the remaining 14,000 infections seen on that network block alone. As soon as we hear back from the team at ThePlanet we will be sure to help them with this.
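The comparison described above, as an added example (not StopBadware's own tooling): diff two daily URL lists, resolve each newly listed host, and count infections per IP address. The hostnames, addresses and the `sample_resolve` stand-in resolver are constructed; hosts that fail to resolve are reported separately instead of being counted.

```python
import socket
from collections import Counter
from urllib.parse import urlsplit

def new_infections(previous_day, current_day):
    """URLs listed on current_day that were not listed on previous_day."""
    return sorted(set(current_day) - set(previous_day))

def infections_per_ip(urls, resolve=socket.gethostbyname):
    """Count URLs per resolved IP; return (counts, hosts that did not resolve)."""
    counts, unresolved, cache = Counter(), set(), {}
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:              # malformed entry, no hostname to resolve
            unresolved.add(url)
            continue
        if host not in cache:         # resolve each host once
            try:
                cache[host] = resolve(host)
            except OSError:           # socket.gaierror is a subclass of OSError
                cache[host] = None
        if cache[host] is None:
            unresolved.add(host)      # keep resolver failures out of the counts
        else:
            counts[cache[host]] += 1
    return counts, unresolved

def distribution(counts):
    """Map 'infections on one IP' to 'number of IPs with that many'."""
    return Counter(counts.values())

# Constructed sample data (documentation address ranges, .example hostnames).
SAMPLE_DNS = {"shop.example": "203.0.113.5", "old.example": "203.0.113.5",
              "blog-a.example": "192.0.2.10", "blog-b.example": "192.0.2.10",
              "blog-c.example": "192.0.2.10", "solo.example": "198.51.100.7"}
DAY1 = ["http://shop.example/index.php", "http://old.example/"]
DAY2 = DAY1 + ["http://blog-a.example/", "http://blog-b.example/p?id=1",
               "http://blog-c.example/", "http://solo.example/",
               "http://gone.example/"]

def sample_resolve(host):
    """Offline stand-in for DNS; unknown hosts fail like a real lookup would."""
    if host not in SAMPLE_DNS:
        raise OSError("no such host (constructed)")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    counts, unresolved = infections_per_ip(new_infections(DAY1, DAY2), sample_resolve)
    for ip, n in counts.most_common():
        print(ip, n)
    print("unresolved:", sorted(unresolved))
```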
EDIT: The spike on Oct 1 was due to an issue with our resolver and exists across the board.
