Massive botnet returns from the dead, starts spamming
Criminals regain control after security firm stops preemptively registering routing domains
Computerworld - A big spam-spewing botnet shut down two weeks ago has been resurrected, security researchers said today, and is again under the control of criminals.
The "Srizbi" botnet returned from the dead late Tuesday, said Fengmin Gong, chief security content officer at FireEye Inc., when the infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia.
Srizbi was knocked out more than two weeks ago when McColo Corp., a hosting company that had been accused of harboring a wide range of criminal activities, was yanked off the Internet by its upstream service providers. With McColo down, PCs infected with Srizbi and other bot Trojan horses were unable to communicate with their command servers, which had been hosted by McColo. As a result, spam levels dropped precipitously.
But as other researchers noted last week, Srizbi had a fallback strategy. In the end, that strategy paid off for the criminals who control the botnet.
According to Gong, when Srizbi bots were unable to connect with the command-and-control servers hosted by McColo, they tried to connect with new servers via domains that were generated on the fly by an internal algorithm. FireEye reverse-engineered Srizbi, rooted out that algorithm and used it to predict, then preemptively register, several hundred of the possible routing domains.
The domain names, said Gong, were generated on a three-day cycle, and for a while, FireEye was able to keep up -- and effectively block Srizbi's handlers from regaining control.
"We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."
Once FireEye stopped preempting Srizbi's makers, the latter swooped in and registered the five domains in the next cycle. Those domains, in turn, pointed Srizbi bots to the new command-and-control servers, which then immediately updated the infected machines to a new version of the malware.
"Once each bot was updated, the next command was to send spam," said Gong, who noted that the first campaign used a template targeting Russian speakers.
The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.
In the meantime, FireEye is working with several other companies -- including VeriSign Inc., Microsoft Corp. and Network Solutions Inc., a domain registrar -- on ways to reach the more than 100,000 users whose PCs FireEye has identified as infected with Srizbi.
Discussions about how to best handle any future McColo-Srizbi situation are also ongoing, Gong said. "We're trying to find a solution, and talking about ideas of how they can help fund efforts for some period of time to [preemptively] register domains," he said.
- Massive botnet returns from the dead, starts spamming
- Spam levels fluctuate as crooks try to revive botnets
- Spam is silenced, but where are the feds?
- Dodgy ISP McColo briefly comes online, updates botnet
- McColo shutdown forces botnets to relocate
- Hosting firm takedown bags 500,000 bots
- Spam plummets after Calif. hosting service shuttered
- McColo takedown: Internet vigilantism or online Neighborhood Watch?
- IT Blogwatch: McColo is McShut McDown
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cybercrime and Hacking White Papers | Webcasts