Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Massive Botnet Returns From the Dead To Spam On

Posted by timothy on Wed Nov 26, 2008 03:07 PM
from the late-entry-for-hallowe'en dept.
Spam Security The Internet
CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
+ -
story

Related Stories

[+] McColo Briefly Returns, Hands Off Botnet Control 242 comments
A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
Submission: Massive Botnet Returns From The Dead To Spam On by CWmike (1292728)
[+] Estonian ISP Shuts Srizbi Back Down, For Now 237 comments
wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) has briefly come back to life last week, allowing the botnet to hand-off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
[+] Tigger.A Trojan Quietly Steals Stock Traders' Data 212 comments
**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-66 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Massive Botnet Returns From the Dead To Spam On 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Zombies!!!!! (Score:5, Funny)

    by syousef (465911) on Wednesday November 26 2008, @03:12PM (#25902667) Journal

    Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.

        • You see, Linux is the fix for the random crashing!

          Which part of "random crashing" is alleviated by Linux? The "random" or the "crashing"?

  • Further Proof (Score:5, Insightful)

    by MaxwellEdison (1368785) on Wednesday November 26 2008, @03:13PM (#25902677)
    Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.

    • Re:Further Proof (Score:5, Funny)

      by Lobster Quadrille (965591) on Wednesday November 26 2008, @03:55PM (#25903099)

      It's nice to see that somebody's IT department has the funding and expertise to implement a backup plan.

      It gives me hope.

      • Re:Further Proof (Score:5, Insightful)

        by damn_registrars (1103043) on Wednesday November 26 2008, @03:43PM (#25903009) Journal

        the alg it uses to get domain names

        Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

        And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.

        On top of that, how many languages would you want to sell antivirus software in?

        • Re: (Score:3, Interesting)

          by LackThereof (916566)

          You misunderstand.

          Srizbi has an algorithm to generate a pseudo-random domain name from the current date, and looks to that domain for command & control instructions.

          The author of the bot has the same algorithm, and can calculate the domain names days and weeks out. Thus, if their c&c server is knocked off the internet, the bot herder just has to register a few domain names that Srizbi will be looking to in the near future.

          This has nothing to do with the domain names of the bots themselves, or of the

      • Re:Further Proof (Score:5, Insightful)

        by julian67 (1022593) on Wednesday November 26 2008, @04:28PM (#25903459)
        Actually there isn't money to be made this way because all those unhappy customers demanding refunds will be expensive. The idea that you can clean an infected Windows PC by installing product A or B or C is mistaken. The whole idea that security is a boxed product or is available by clicking an .exe/.msi installer is bogus. Assuming that the malware on these infected computers is even known to the AV companies (and that's no longer a reasonable assumption in most cases) then the only way to actually remove it effectively is by running the AV tools from read only media, i.e. a live CD. Well designed malware will simply disallow the installation/use/updating of common AV software. The malware authors are streets ahead of the "security" vendors. The AV products installed on a clean machine can't even prevent many of these problems let alone cure them. Most Windows users would be better advised to save their pennies and re-install from original media, always be patched and up to date (applications as well as OS), run as unprivileged user with strong passwords on all accounts and browse only with Firefox + privoxy + noscript + adblock. That isn't perfect but it's zero financial cost and way more effective than anything Symantec, McAfee etc can offer. Unfortunately running Windows with an unprivileged account is as convenient as toothache.

        • Re:Further Proof (Score:5, Informative)

          by jargon82 (996613) on Wednesday November 26 2008, @04:36PM (#25903553) Homepage
          I've been running my windows XP laptop as non-admin for over 2 years. It's not as bad as you say. Two things keep me going. Superior SU, found here: http://www.stefan-kuhr.de/supsu/main.php3 [stefan-kuhr.de] and make me admin, found here: http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx [msdn.com]. Between the two, running non-admin is quite comfortable with a bit of practice.

          • Re:Further Proof (Score:5, Informative)

            by blhack (921171) on Wednesday November 26 2008, @06:10PM (#25904475)

            A little windows trickery:

            Right click on internet explorer and click "Run As" run it as admin.
            type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.

          • Re: (Score:3, Interesting)

            by julian67 (1022593)
            There's a lot more to it than launching applications. Even then it's unsatisfactory in many ways. It's extremely inconvenient to have to run an application as admin and have all the output non-executable and non-writable for other users...one more crappy task to fix all the permissions after every run. Anyway there are many applications which simply don't work with run as. The previous poster who linked to Super SU was nearer the mark. Windows user model works fine for users with no local admin rights wo

            • Worth mentioning, sudo is essentially UAC, only somewhat less annoying. But it's still a broken model.

              One thing a lot of Unix daemons get right is, one user per task. Basic, stupidly simple security model -- nothing should have more access than it needs to do its job. Server systems still handle this reasonably well -- small things as root, only where needed. Take Apache -- it's root mostly just to bind port 80; everything else is www-data.

              Things like this completely go away with modern desktops. The only t

  • Going back in time ... (Score:5, Interesting)

    by Anonymous Coward on Wednesday November 26 2008, @03:16PM (#25902707)

    "the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"

    I'd love to go back in the '50s, find one of those future drawing artists, show him that head news, and ask him to draw what he think that means in the year 2008.

    Hilarity ensue.

  • They stopped them once. (Score:5, Insightful)

    by Finallyjoined!!! (1158431) on Wednesday November 26 2008, @03:16PM (#25902709)
    Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.

    The sooner the better. My good:spam ratio is almost 5:95 at the moment :-(

  • What intriques me... (Score:5, Insightful)

    by powerslave12r (1389937) on Wednesday November 26 2008, @03:18PM (#25902727)
    ..most is how efficiently the bad guys always work. Its just astounding.

    • Re:What intriques me... (Score:5, Funny)

      by Yvan256 (722131) on Wednesday November 26 2008, @03:26PM (#25902799) Homepage Journal

      Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.

      • Not really. (Score:5, Informative)

        by khasim (1285) <brandioch.conner@gmail.com> on Wednesday November 26 2008, @03:35PM (#25902915)

        They also have to deal with various groups trying to stop them. As in TFA:

        "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

        So the spammers had to have thought about and planned for such a contingency.

        And still bring in enough money to pay for the connections they'll be using to control the zombies.

        The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.

        So while attempting to register the domain names, work was going on to update the zombie software.

        The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.

        Why isn't information such as that ever included in these articles?

          • Re: (Score:3, Interesting)

            by Rich0 (548339)

            Yeah, but do you really need to block the whole country?

            The bots obviously need to find their home. Most likely this is via either a hard-coded IP, or a DNS lookup. So, just publish whichever one it is and then everybody can blackhole either the DNS entry or the IP address. If the major ISPs do that the bot dies.

            Now, if the bot uses IRC or something like that it could get trickier, since blocking that at the protocol level (short of killing an entire irc network) isn't possible. However, the irc network

    • Re:What intriques me... (Score:5, Insightful)

      by Marc Desrochers (606563) on Wednesday November 26 2008, @03:31PM (#25902877)
      No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

      • Re: (Score:3, Insightful)

        by owlnation (858981)

        Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

        You mean, "by not even trying to appear as though you give a shit about who you inconvenience".

        If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats re

  • Thats strange... (Score:5, Funny)

    by pillowcase1 (878575) on Wednesday November 26 2008, @03:18PM (#25902729) Homepage
    I know it's off topic, but my machine was running great for a couple weeks... now its all slow again.

  • We don't need no stinking backups... (Score:5, Insightful)

    by Anonymous Monkey (795756) on Wednesday November 26 2008, @03:19PM (#25902737)
    I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

  • A McColo with Fries (Score:5, Funny)

    by INeededALogin (771371) on Wednesday November 26 2008, @03:28PM (#25902827) Journal
    ... and a Coke

  • Some Idiots (Score:5, Insightful)

    by Nom du Keyboard (633989) on Wednesday November 26 2008, @03:28PM (#25902849)
    Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers reall need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.

    • Re:Some Idiots (Score:4, Informative)

      by Detritus (11846) on Wednesday November 26 2008, @03:36PM (#25902919) Homepage
      This was because they good guys stopped registering the dynamically generated domain names used by the botnet, allowing the bad guys to register some domain names and regain control.

    • Re:Some Idiots (Score:4, Insightful)

      by damn_registrars (1103043) on Wednesday November 26 2008, @03:38PM (#25902941) Journal

      Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?

      I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.

      need to be talking to each other when they blacklist a site

      I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.

  • OK now... (Score:5, Insightful)

    by damn_registrars (1103043) on Wednesday November 26 2008, @03:30PM (#25902857) Journal
    Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.

    • Re: (Score:3, Insightful)

      by jon3k (691256)
      You mean operators of a massive botnet worth literally MILLIONS of dollars have a backup plan? SHOCKING!

      How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?

  • They missed the chance (Score:4, Insightful)

    by confused one (671304) on Wednesday November 26 2008, @03:30PM (#25902869)
    While the command and control was down, they missed the chance to take out the bots too.

      • Re:They missed the chance (Score:5, Informative)

        by LackThereof (916566) on Wednesday November 26 2008, @08:18PM (#25905327)

        Srizbi will, in fact, accept an uninstall command from a bogus C&C server.

        Lots of stuff about Srizbi [fireeye.com]

        In the course of invesigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.

  • Soft on terrorism (Score:4, Informative)

    by Animats (122034) on Wednesday November 26 2008, @03:53PM (#25903085) Homepage

    So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004 [computerworld.com], fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist [dhs.gov]. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.

    The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." [fbi.gov] What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds. [wordpress.com]

    FBI testimony before Congress, 2001 [fbi.gov]: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which its must develop prevention, deterrence, and response capabilities."

    FBI testimony before Congress, 2004 [fbi.gov]: " In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."

    So where's the action?

    Heads need to roll at DHS and the FBI.

      • Re: (Score:3, Interesting)

        by Animats (122034)
        You are receiving spam not nuclear weapons, you idiot. It's not terrorism.

        Tens of millions of American computers are under the direct control of hostile foreign interests. At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building [cnn.com], which got the FBI's full attention.

  • (H|Cr)ack attack (Score:4, Interesting)

    by Thaelon (250687) on Wednesday November 26 2008, @04:19PM (#25903353)

    What I wonder is, why don't some of those white/grey/black hat hackers out there don't try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down. I'm sure it would be challenging and billions would approve.

    The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?

  • Money was involved... (Score:3, Informative)

    by The Master Control P (655590) <ejkeever@noSPaM.nerdshack.com> on Wednesday November 26 2008, @04:20PM (#25903367) Homepage
    There is no possible way any ISP would reconnect someone like McColo out of ignorance: TeliaSonera was bribed.
    • Are you under the impression that ISP's cannot be bribed, confused, or flat out lied to using stolen credit card information? Boy, I wish I had your ISP to tell me what singles ads are lying about.

    • Re:Money was involved... (Score:5, Informative)

      by afidel (530433) on Wednesday November 26 2008, @05:06PM (#25903835)
      More like duped, they bought the backup link through a reseller a long time ago and never activated it till Sat 11/15.

  • Update (Score:5, Informative)

    by LackThereof (916566) on Wednesday November 26 2008, @08:53PM (#25905521)

    The Estonia based Command and Control servers have been kicked offline.

    Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.

    This is not the server that's hard-coded in to the new Srizbi patch, just one of the backup servers supplying it.

    source [fireeye.com]

  • In related news ... (Score:5, Funny)

    by PPH (736903) on Wednesday November 26 2008, @09:37PM (#25905747)
    ...the one remaining 4800 baud link between Estonia and the rest of the world was taken down earlier today when IT technicians took control of the phone line to order a pizza.

    • Re:Blue Frog? (Score:4, Interesting)

      by u38cg (607297) <calum@callingthetune.co.uk> on Wednesday November 26 2008, @04:55PM (#25903733) Homepage
      The trouble was any kind of central point became a massive juicy target for them, and it would be just the same for an open source project. Bluefrog IIRC ended up just drowning in a tide of DDOSing. Kinda ironic, really :)

      As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it it up and have a good look at it to see how the heck it got through.

    • Re: (Score:3, Interesting)

      by LackThereof (916566)

      Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server)

      Technical Details of Srizbis domain generation algorithm [fireeye.com]

    • Re: (Score:3, Interesting)

      by kvezach (1199717)
      What they should have done was this: Cut the provider's proverbial balls off. Then snap up the next ten or twenty domains. Connect them all to a server that instructs the bots that get there to uninstall themselves. I can see why they didn't, though; they could have been liable for any unintended effects (computers crashing, whatever), which is why that step should ideally have been done by some anonymous or pseudonymous party.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.