About two weeks ago we noticed a huge spike of activity on AS 35908, which belongs to Krypt Technologies. If you click on the AS link you will see the actual numbers we recorded at StopBadware: 15,000 infections came out of nowhere and spiked to 20,000 in a matter of 48 hours. I tried contacting them via email, but I imagine the abuse inbox had been lighting up with complaints. As I was researching the network for other avenues of communication I got lucky and noticed they had recently set up a Twitter account! I fired off a polite tweet describing the situation (not entirely easy to do in 140 characters). I had to tweet publicly since they hadn’t auto-followed me when I started following them. I received an immediate response, both publicly and privately, stating they would ping their abuse team. I also tried a few hidden channels (mostly private mailing lists) to try to open up communications.
Very soon after, I received an email from the manager of the abuse team. I explained our intentions and the types of information we could deliver to them. I immediately sent a list of the infected URLs along with an analysis of how those URLs were distributed across IP addresses. It showed that only a few servers hosted the majority of the infections, with the rest trailing off across many hosts (a long-tail distribution), which tells an abuse team where to start.
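The kind of per-IP breakdown described above can be produced with a few lines of scripting. The following is an added example written for this post, not StopBadware's tooling: it parses a constructed list of reported URLs, maps each hostname to an address through a constructed lookup table (standing in for DNS so it runs offline; in live use you would call socket.getaddrinfo() instead), and reports how concentrated the infections are. All hostnames, the RFC 5737 documentation addresses, and the counts are made up for the example.

```python
"""Aggregate badware URLs by serving IP and report how concentrated they are.
Hypothetical example, not StopBadware code. DNS is replaced by a constructed
lookup table so the script runs offline; swap in socket.getaddrinfo() for
live resolution."""
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample data: hostnames and the addresses they "resolve" to.
# Names and RFC 5737 documentation addresses are made up for this example.
FAKE_DNS = {
    "shop-deals.example": "192.0.2.10",
    "cheap-meds.example": "192.0.2.10",
    "free-codecs.example": "192.0.2.10",
    "movies-now.example": "192.0.2.10",
    "login-secure.example": "192.0.2.11",
    "forum-host.example": "192.0.2.11",
    "one-off.example": "198.51.100.5",
    "another.example": "198.51.100.6",
}

# Constructed list of reported URLs, in the mixed shapes a real feed contains.
SAMPLE_URLS = [
    "http://shop-deals.example/in.php?id=1",
    "http://shop-deals.example/in.php?id=2",
    "https://cheap-meds.example:8443/load.js",  # non-default port
    "free-codecs.example/setup.exe",            # scheme missing
    "http://movies-now.example/",
    "http://MOVIES-NOW.example/x",              # case differs, same host
    "http://login-secure.example/a",
    "http://forum-host.example/b",
    "http://192.0.2.11/direct.html",            # IP literal, no DNS needed
    "http://one-off.example/",
    "http://another.example/",
    "http://no-such-host.example/",             # unresolvable; must not abort the run
]


def hostname_of(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    # urlsplit().hostname strips port and userinfo and lowercases the name
    return urlsplit(url).hostname


def resolve(host, dns=FAKE_DNS):
    """Map a hostname or IP literal to an IP string, or None if unresolvable."""
    try:
        return str(ip_address(host))  # already an address: use it as-is
    except ValueError:
        pass
    return dns.get(host)


def infections_per_ip(urls, dns=FAKE_DNS):
    """Count reported URLs per serving IP; unresolvable URLs are returned separately."""
    counts = Counter()
    unresolved = []
    for url in urls:
        host = hostname_of(url)
        ip = resolve(host, dns) if host else None
        if ip is None:
            unresolved.append(url)
        else:
            counts[ip] += 1
    return counts, unresolved


def concentration_report(counts, top_n=2):
    """Return (share of all resolvable reports held by the top_n IPs, ranked list).
    A share near 1.0 means a handful of servers should be taken down first."""
    ranked = counts.most_common()
    total = sum(counts.values())
    top = sum(n for _, n in ranked[:top_n])
    return (top / total if total else 0.0), ranked


if __name__ == "__main__":
    counts, unresolved = infections_per_ip(SAMPLE_URLS)
    share, ranked = concentration_report(counts)
    for ip, n in ranked:
        print(f"{ip:<16} {n}")
    print(f"top 2 IPs hold {share:.0%} of {sum(counts.values())} resolvable reports; "
          f"{len(unresolved)} URL(s) unresolved")
```

Ranking by count and printing the share held by the top few addresses is what turns a 15,000-line URL dump into something an abuse desk can act on in an afternoon; keeping the unresolvable URLs in a separate list (rather than dropping them or crashing) matters because takedowns often race ahead of the report and some hosts will already be gone.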
Servers were quickly disabled. It was honestly one of the faster responses I’ve seen from a service provider. So far over 100 servers have been disabled by the abuse team at Krypt! The attacks don’t seem to have subsided, but they are clearly winning the war right now. During a follow-up email exchange I ran the infection numbers on their AS again and noticed that 5,000 infections had suddenly appeared on another IP address. That server is also being shut down. All told, I’m really happy with the response time and understanding from the abuse team at Krypt. I wish more providers would react as quickly as they did. One interesting detail we noticed about the URLs was that a number of them resolved to IP addresses both at Krypt and at Softlayer. Softlayer is also under an immense attack. I think there is something more to this, and I’ll continue investigating this week.
