The shutdown last week of a U.S.-based Web hosting company crippled more than 500,000 bots, or compromised computers, which no longer are able to receive commands from criminals, a security researcher said Tuesday.
Although the infected PCs are still operational, the previously-planted malware that tells them what to do cannot receive instructions because of the shutdown last week of McColo.
"Half a million bots are either offline or not communicating" with their command-and-control servers, estimated Joe Stewart, director of malware research at SecureWorks Inc.
The California firm was disconnected from the Internet by its upstream service providers at the urging of researchers who believed the company's servers hosted a staggering amount of cybercriminal activity, including the command-and-control servers of some of the planet's biggest botnets. Those collections of infected PCs were responsible for as much as 75% of the spam sent worldwide; when McColo went dark, spam volumes dropped by more than 40% in a matter of hours.
The McColo takedown resulted in a record number of bots being severed from their hacker controllers by any single event, Stewart said. He compared it to last September, when Microsoft's anti-malware utility, the Malicious Software Removal Tool (MSRT), purged nearly 300,000 infected PCs of the infamous Storm Trojan.
"That had a good impact, but it didn't stop the flow of spam globally," Stewart said of the MSRT takedown. "It didn't make a difference to other botnets that were still spamming away."
Knocking McColo offline, on the other hand, disrupted at least two major botnets -- "Rustock" and "Srizbi" -- said Stewart, and caused spam to plummet around the globe.
Stewart, a leading authority on botnets, estimated the strength of the top 11 botnets last April. Srizbi, at 315,000 bots, was No. 1 in his census, while Rustock, at 150,000, was in the No. 3 spot.
Rustock's handlers, said Stewart, may never recover control of their bots. "It does look like they're lost to them," he said, noting that those bots lack a failsafe for reconnecting with a command-and-control server if it goes dark, as happened when McColo's plug was pulled.
But while Rustock's bots may be orphaned, there's a chance that Srizbi's bots can be brought back under control. "When Srizbi bots can't connect, as a backup they're coded to try other domain names" to search for new command-and-control servers, said Stewart. Those domains, however, were recently registered, perhaps pre-emptively by a security researcher who had rooted through the Srizbi code.
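The two outcomes Stewart describes, bots with no failsafe that keep retrying a dead controller and bots that walk a backup domain list until something answers, leave distinct footprints in resolver logs. The following is an added example, not part of the original article: it classifies hosts from a constructed DNS log in a hypothetical "<timestamp> <host> <qname> <rcode>" format; the controller and fallback names are placeholders, not real Rustock or Srizbi infrastructure.

```python
from collections import defaultdict

# Constructed sample resolver log (hypothetical "<ts> <host> <qname> <rcode>" format).
# c2-primary.example and fb*.example are placeholders, not real botnet domains.
SAMPLE_LOG = """\
1226970000 10.0.0.5 c2-primary.example SERVFAIL
1226970005 10.0.0.5 fb1.example NXDOMAIN
1226970006 10.0.0.5 fb2.example NXDOMAIN
1226970007 10.0.0.5 fb3.example NXDOMAIN
1226970008 10.0.0.5 fb4.example NOERROR
1226970010 10.0.0.9 c2-primary.example SERVFAIL
1226970020 10.0.0.9 c2-primary.example SERVFAIL
1226970012 10.0.0.11 c2-primary.example SERVFAIL
1226970013 10.0.0.11 fb1.example NXDOMAIN
1226970014 10.0.0.11 fb2.example NXDOMAIN
1226970015 10.0.0.11 fb3.example NXDOMAIN
1226970000 10.0.0.7 www.example NOERROR
"""
DEAD_C2 = {"c2-primary.example"}  # placeholder for a known dead/sinkholed C2 name

def parse_log(text):
    """Yield (ts, host, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, host, qname, rcode = line.split()
            yield int(ts), host, qname.lower(), rcode

def classify_hosts(log_text, window=60, min_failed=3):
    """Map host -> 'orphaned' (only retries the dead C2, like Rustock with no
    failsafe), 'hunting' (dead C2 then >= min_failed other failed lookups within
    `window` seconds, like Srizbi's backup list) or 'relocated' (a hunt that
    ended in a successful lookup: a new controller or a researcher's sinkhole)."""
    events = defaultdict(list)
    for ts, host, qname, rcode in parse_log(log_text):
        events[host].append((ts, qname, rcode))
    labels = {}
    for host, evs in events.items():
        dead = [ts for ts, q, r in evs if q in DEAD_C2 and r != "NOERROR"]
        if not dead:
            continue  # never touched the dead C2: not a bot of interest here
        start = min(dead)
        burst = [r for ts, q, r in evs
                 if q not in DEAD_C2 and start <= ts <= start + window]
        if sum(r != "NOERROR" for r in burst) < min_failed:
            labels[host] = "orphaned"
        elif "NOERROR" in burst:
            labels[host] = "relocated"
        else:
            labels[host] = "hunting"
    return labels
```

Hosts labelled "hunting" are the ones worth watching: the domains they try are the candidates a defender would want registered or sinkholed before the operators get to them.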
Comments (3)
Follow the money
By Anonymous on November 19, 2008, 11:11 pm
It would be nice if the money trail were followed to see who profited from bot nets and shut down those operations as well. Fake drugs and fake watches would be...

bot-neck (chop-chop)
By Anonymous on November 19, 2008, 9:41 pm
Why not send these idiots (the bot-netters) to Turkey and allow the Turks to cut off their "you-know-whats"?

Pwnd
By Anonymous on November 19, 2008, 1:37 pm
Pwnd