Estonian ISP cuts off control servers for Srizbi botnet
The botnet is thought to be responsible for much of the world's spam
IDG News Service - An Estonian Internet service provider that temporarily hosted the command-and-control servers for the Srizbi botnet, which is responsible for a large portion of the world's spam, has cut off those servers, according to computer security analysts.
Starline Web Services, based in Estonia's capital Tallinn, had hosted four domain names identified as the control points for Srizbi, according to researchers at computer security firm FireEye Inc.
Hundreds of thousands of PCs around the world were infected with Srizbi, a difficult-to-remove rootkit that is used for sending spam. They were programmed to seek new instructions from servers in those domains.
Srizbi is considered one of the more powerful botnets, with at least 450,000 PCs infected. It is estimated that half of the world's spam originated from computers infected with Srizbi. Spam remains a profitable business for cybercriminals.
But spammers lost control of Srizbi when the ISP that previously hosted its command-and-control servers was cut off from the Internet. McColo Corp., whose servers are based in San Jose, was cut off by its upstream providers earlier this month after being exposed by computer security experts and The Washington Post.
That left spammers unable to control Srizbi-infected computers. But Srizbi's code contained a fallback mechanism in which spammers could reconnect with the stranded machines if such a scenario occurred.
An algorithm within Srizbi would periodically generate new domain names where the malware could look for new instructions if those domains were live on the Internet. Armed with that same algorithm, the spammers had only to register the appropriate domain names and point them to their servers.
The spammers, however, needed a new ISP to host those servers, at least for a while. They found Starline Web Services, a very small ISP, but that provider has since also cut them off.
"I was satisfied that those sites were closed down," said Hillar Aarelaid, chief security officer at Estonia's Computer Emergency Response Team (CERT), on Thursday.
Attempts to contact Starline Web Services were unsuccessful. But Aarelaid said CERT has been in contact with the company, and it does appear to be responsive to complaints about abuse.
Starline Web Services buys its connectivity from Compic, another Estonian company. Compic has been flagged by Estonia's CERT as having Web sites hosting malicious software, said Tarmo Randel, an information security expert at the organization.
Randel said CERT has "constantly" notified Compic about malware they've hosted. Compic will take action to remove the sites depending "on how loud we scream," Randel said. Compic usually reacts fast when CERT sends a complaint e-mail -- and copies the Estonian Criminal Police on its responses, Randel said.
- Massive botnet returns from the dead, starts spamming
- Spam levels fluctuate as crooks try to revive botnets
- Spam is silenced, but where are the feds?
- Dodgy ISP McColo briefly comes online, updates botnet
- McColo shutdown forces botnets to relocate
- Hosting firm takedown bags 500,000 bots
- Spam plummets after Calif. hosting service shuttered
- McColo takedown: Internet vigilantism or online Neighborhood Watch?
- IT Blogwatch: McColo is McShut McDown
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts