FileAve.com Botnet Activities

FileAve.com is a free file hosting service with no download limits; the maximum available storage per account is 50 Mb. FileAve.com also provides a free subdomain for each created account (e.g. http://yourname.fileave.com). FileAve.com is owned and operated by Ripside Interactive, a premier web host since 1999.

Since the start of our HoneyNet in Feb. 2009 we have directly observed that some malware scripts were located on FileAve.com and actively participate in the construction and propagation of a botnet. As a free file and subdomain host, FileAve.com currently hosts around 80 suspicious web sites (site:fileave.com ext:txt intent:rfi).

The FileAve.com server, which hosts all the botnet scripts, has the IP 64.62.181.43. From Feb. 2009 to the end of June 2010, the FileAve.com botnet was composed of 75 different malware hosters, generated 10 349 events, and 642 attackers called the botnet files located on the hosters' servers.
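The three counters used here (events, attackers, hosters) can be derived from web server access logs as in the following added example, which is not the HoneyNet's own tooling. The Apache combined log format, the sample lines, and the names `rfi_hoster` and `summarize` are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample (Apache combined format, documentation IPs, made-up subdomains).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2010:10:01:02 +0000] "GET /index.php?page=http://example-a.fileave.com/id.txt? HTTP/1.1" 404 209 "-" "libwww-perl/5.805"
192.0.2.10 - - [12/Mar/2010:10:01:05 +0000] "GET /shop.php?inc=http%3A%2F%2Fexample-a.fileave.com%2Fid.txt%3F HTTP/1.1" 404 209 "-" "libwww-perl/5.805"
198.51.100.7 - - [02/Apr/2010:08:15:40 +0000] "GET /view.php?file=http://EXAMPLE-B.fileave.com/scan.txt?? HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Apr/2010:09:00:00 +0000] "GET /a.php?u=http://notfileave.com/x.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')
HOSTING_DOMAIN = "fileave.com"  # hosting domain named on this page

def rfi_hoster(target):
    """Return the hosting-domain hostname a request tries to include, or None."""
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if not value.lower().startswith(("http://", "https://", "ftp://")):
            continue
        try:
            host = urlsplit(value).hostname or ""
        except ValueError:  # malformed URL in the parameter
            continue
        # Suffix match on a label boundary, so "notfileave.com" is not counted.
        if host == HOSTING_DOMAIN or host.endswith("." + HOSTING_DOMAIN):
            return host
    return None

def summarize(log_text):
    """Count events, distinct attackers and distinct hosters, plus events per month."""
    events, attackers, hosters, per_month = 0, set(), set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, timestamp, target = m.groups()
        host = rfi_hoster(target)
        if host is None:
            continue
        events += 1
        attackers.add(src_ip)
        hosters.add(host)
        per_month[timestamp[3:11]] += 1  # "12/Mar/2010:..." -> "Mar/2010"
    return {"events": events, "attackers": attackers,
            "hosters": hosters, "per_month": dict(per_month)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Each matching request is one event, each distinct source IP one attacker, and each distinct subdomain one hoster; URL-encoded and mixed-case include URLs are normalized before matching.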

South Korea, the US and Colombia are the countries that participate most in the botnet's activities in terms of events. Turkey, France, Thailand and China are the countries that have been hosting part of the botnet for more than 100 days.

March 2010 was the most active month in terms of events, June 2010 the month with the most distinct attackers, and April 2010 the month with the most detected hosters.

Since Feb. 2010 we can see that the activity of the botnet is increasing, because of the mutation of all classic RFI scanners into multi-function scanners.

I have generated some stats and graphs; all the associated raw data are available here.
Dedicated to lbhuston