Product Guides- Microsoft research projects to improve our lives
- Outlook '09
- IBM employees buzzing about layoff rumors
- AT&T builds $23M IPv6 network for U.S. military
- Is VoIP dead?
A big spam-spewing botnet shut down two weeks ago has been resurrected, security researchers said Wednesday, and is again under the control of criminals.
The "Srizbi" botnet returned from the dead late Tuesday, said Fengmin Gong, the chief security content officer at FireEye, when the infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia.
Watch a slideshow of spammers in the slammer.
Srizbi was knocked out more than two weeks ago when McColo Corp. , a hosting company that had been accused of harboring a wide range of criminal activities, was yanked off the Internet by its upstream service providers. With McColo down, PCs infected with Srizbi and other bot Trojans were unable to communicate with their command servers, which had been hosted by McColo. As a result, spam levels dropped precipitously .
But as other researchers noted last week, Srizbi had a fall-back strategy. In the end, that strategy paid off for the criminals who control the botnet.
According to Gong, when Srizbi bots were unable to connect with the command-and-control servers hosted by McColo, they tried to connect with new servers via domains that were generated on the fly by an internal algorithm. FireEye reverse-engineered Srizbi, rooted out that algorithm, and used it to predict, then preemptively register, several hundred of the possible routing domains.
The domain names, said Gong, were generated on a three-day cycle, and for a while, FireEye was able to keep up -- and effectively block Srizbi's handlers from regaining control.
"We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."
Once FireEye stopped preempting Srizbi's makers, the latter swooped in and registered the five domains in the next cycle. Those domains, in turn, pointed Srizbi bots to the new command-and-control servers, which then immediately updated the infected machines to a new version of the malware.
"Once each bot was updated, the next command was to send spam," said Gong, who noted that the first campaign used a template targeting Russian speakers.
The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2009 Network World, Inc. All rights reserved. |
Comments (1)
I call the movie rights to this story...By Anonymous on November 28, 2008, 1:37 pmI call the movie rights to this story. Sounds like an epic hacker battle.
Reply | Read entire comment
View all comments