Re: ISP Operators AISURU/Kimwolf botnet

[William Herrin via NANOG <nanog () lists nanog org>]

On Fri, Jan 16, 2026 at 5:31 AM Corey Smith via NANOG
<nanog () lists nanog org> wrote:
> I would appreciate if any ISP Operators could help some of the smaller ISP
> like us in stopping the traffic from these new Malware infected customers
> that have devices with Aisiura/Kimwolf botnet,

I don't know anything about the AISURU/Kimwolf botnet, but back in the
day I'd point my default route at an IDS where I could monitor and log
port scans sent from customers to unrouted IP address space. This
worked because it was adjacent to a router with a full BGP table.

This told me which customers had malware, and when contacted it let me
say, "We recorded at least X hundred thousand unlawful network packets
from your computers between date and date. If you're willing to turn
things off one by one, we can help you identify which of your devices
is at fault, but if you're unable to repair it yourself you'll have to
seek assistance from a repair shop."

And if it's equipment I sent the customers, I'd figure that out pretty
quickly because it would have hit most of the customers I sent that
equipment to.

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/6QXGVOHXDPYTBSSNHJPJHU2QOHEPRYLP/