Massive Botnet Returns From the Dead To Spam On

Posted by timothy on Wed Nov 26, 2008 03:07 PM
from the late-entry-for-hallowe'en dept.
CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
Tags: internet, security, spam, botnet, braiiins

Related Stories

McColo Briefly Returns, Hands Off Botnet Control (242 comments)
A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
Estonian ISP Shuts Srizbi Back Down, For Now (237 comments)
wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) has briefly come back to life last week, allowing the botnet to hand-off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
Tigger.A Trojan Quietly Steals Stock Traders' Data (201 comments)
**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-66 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."
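The "Estonian ISP Shuts Srizbi Back Down" summary above notes that the rootkit periodically generates new domain names and queries them for fresh instructions. From the defender's side, one consequence is that such names tend to look unlike human-chosen ones in DNS query logs, and a single client resolving many of them in a short window stands out. The Python below is an added example written for this page; it is not code from the story, from FireEye or from any vendor product. The log line format, the sample domain names, the client addresses and the scoring thresholds are all constructed assumptions, and the lexical heuristic is illustrative rather than a model of Srizbi's actual generator.

```python
"""Flag DGA-looking domain names in DNS query logs (added example).

Assumed log format (constructed for this example):
    <timestamp> <client-ip> <queried-name>
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: two ordinary clients and one client (10.0.0.23)
# resolving random-looking names that no human would have chosen.
SAMPLE_DNS_LOG = """\
2008-11-25T22:01:03 10.0.0.15 www.slashdot.org
2008-11-25T22:01:07 10.0.0.15 mail.example.com
2008-11-25T22:01:09 10.0.0.23 qzkxvjwrpthm.com
2008-11-25T22:01:11 10.0.0.23 xbgtrqlmznvk.net
2008-11-25T22:01:12 10.0.0.23 wpfjdkhbqxzc.info
2008-11-25T22:01:15 10.0.0.42 cdn.images.example.net
"""

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_label(fqdn):
    """Return the label just left of the TLD.

    Naive on purpose: it ignores multi-part public suffixes such as co.uk,
    which a production version would handle with a public suffix list.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text):
    """Bits of entropy per character over the string's own symbol frequencies."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text):
    """Length of the longest run of consecutive consonant letters."""
    best = run = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label):
    """Lexical heuristic: high entropy, few vowels and long consonant runs
    each add one point. The cut-offs are illustrative, not tuned on data."""
    if not label:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    score = 0.0
    if shannon_entropy(label) >= 3.2:
        score += 1.0
    if vowel_ratio < 0.2:
        score += 1.0
    if longest_consonant_run(label) >= 5:
        score += 1.0
    return score


def flag_dga_queries(log_text, threshold=2.0):
    """Group DGA-like names by client. Many distinct suspicious names from
    one client in a short window is the signal worth escalating; a single
    odd-looking name on its own is often just a CDN or tracking host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the scan
        _timestamp, client, qname = match.groups()
        if dga_score(registrable_label(qname)) >= threshold:
            if qname not in hits[client]:
                hits[client].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for client, names in flag_dga_queries(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like names -> {', '.join(names)}")
```

Expect false positives from hash-like CDN and analytics hostnames; in practice the per-client count and the proportion of those queries that return NXDOMAIN (an infected host tries many names that nobody registered) separate a bot from a busy browser far better than any single-name score.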
This discussion has been archived. No new comments can be posted.
  • by syousef (465911) on Wednesday November 26, @03:12PM (#25902667)

    Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.

  • Further Proof (Score:5, Insightful)

    by MaxwellEdison (1368785) on Wednesday November 26, @03:13PM (#25902677)
    Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.
    • by Lobster Quadrille (965591) on Wednesday November 26, @03:55PM (#25903099)

      It's nice to see that somebody's IT department has the funding and expertise to implement a backup plan.

      It gives me hope.

      • Re:Further Proof (Score:5, Insightful)

        by damn_registrars (1103043) on Wednesday November 26, @03:43PM (#25903009) Journal

        "the alg it uses to get domain names"

        Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

        And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.

        On top of that, how many languages would you want to sell antivirus software in?

      • Re:Further Proof (Score:5, Insightful)

        by julian67 (1022593) on Wednesday November 26, @04:28PM (#25903459)
        Actually there isn't money to be made this way because all those unhappy customers demanding refunds will be expensive. The idea that you can clean an infected Windows PC by installing product A or B or C is mistaken. The whole idea that security is a boxed product or is available by clicking an .exe/.msi installer is bogus. Assuming that the malware on these infected computers is even known to the AV companies (and that's no longer a reasonable assumption in most cases) then the only way to actually remove it effectively is by running the AV tools from read-only media, i.e. a live CD. Well-designed malware will simply disallow the installation/use/updating of common AV software. The malware authors are streets ahead of the "security" vendors. The AV products installed on a clean machine can't even prevent many of these problems, let alone cure them. Most Windows users would be better advised to save their pennies and re-install from original media, always be patched and up to date (applications as well as OS), run as an unprivileged user with strong passwords on all accounts and browse only with Firefox + privoxy + noscript + adblock. That isn't perfect but it's zero financial cost and way more effective than anything Symantec, McAfee, etc. can offer. Unfortunately running Windows with an unprivileged account is as convenient as toothache.
  • by Anonymous Coward on Wednesday November 26, @03:16PM (#25902707)

    "the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"

    I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks it means in the year 2008.

    Hilarity ensues.

  • by Finallyjoined!!! (1158431) on Wednesday November 26, @03:16PM (#25902709)
    Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.

    The sooner the better. My good:spam ratio is almost 5:95 at the moment :-(
  • by powerslave12r (1389937) on Wednesday November 26, @03:18PM (#25902727)
    ..most is how efficiently the bad guys always work. It's just astounding.
    • by Yvan256 (722131) on Wednesday November 26, @03:26PM (#25902799) Homepage Journal

      Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.

      • Not really. (Score:5, Informative)

        by khasim (1285) <brandioch.conner@gmail.com> on Wednesday November 26, @03:35PM (#25902915)

        They also have to deal with various groups trying to stop them. As in TFA:

        "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

        So the spammers had to have thought about and planned for such a contingency.

        And still bring in enough money to pay for the connections they'll be using to control the zombies.

        The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.

        So while attempting to register the domain names, work was going on to update the zombie software.

        The question now is how to get those hard-coded references to the various ISPs in the world so that they can block traffic to/from them and stop the zombies from updating again.

        Why isn't information such as that ever included in these articles?
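khasim asks above how the hard-coded server references could reach ISPs so that traffic to and from them can be blocked. The Python below is an added example, not code from the article, from FireEye or from the commenter: it turns a small indicator feed into firewall rules and checks existing connection logs for internal hosts that have already talked to those addresses. The feed format, the log format and every address are constructed; the addresses are placeholders from the RFC 5737 documentation ranges, not the real Srizbi servers, which the story does not list.

```python
"""Turn a C&C indicator feed into block rules and sweep connection logs
for hosts that already reached the listed addresses (added example).

Assumed feed format (constructed): "<type>,<value>,<note>" with type
"ip" or "cidr". Assumed connection log format (constructed):
    <timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>
"""
import ipaddress
import re

# Constructed indicator feed. The addresses are documentation-range
# placeholders standing in for the hard-coded servers the commenter means.
CNC_INDICATORS = """\
# type,value,note
ip,192.0.2.45,placeholder C&C server A
cidr,198.51.100.0/24,placeholder hosting block B
"""

# Constructed connection log: one internal host (10.0.0.23) reaches both
# placeholder indicators; the other hosts talk to unrelated addresses.
SAMPLE_CONN_LOG = """\
2008-11-25T23:10:01 src=10.0.0.23 dst=192.0.2.45 dport=80 proto=tcp
2008-11-25T23:10:04 src=10.0.0.15 dst=203.0.113.5 dport=443 proto=tcp
2008-11-25T23:10:09 src=10.0.0.23 dst=198.51.100.77 dport=8080 proto=tcp
2008-11-25T23:10:15 src=10.0.0.42 dst=10.0.0.1 dport=53 proto=udp
"""

CONN_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def parse_indicators(feed_text):
    """Return a list of (network, note) pairs; single IPs become /32 networks."""
    indicators = []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, note = (part.strip() for part in line.split(",", 2))
        if kind in ("ip", "cidr"):
            # strict=False tolerates host bits set in a CIDR entry
            indicators.append((ipaddress.ip_network(value, strict=False), note))
    return indicators


def match_connections(log_text, indicators):
    """Report every logged flow whose source or destination falls inside an
    indicator network (the commenter's "traffic to/from them")."""
    hits = []
    for line in log_text.splitlines():
        match = CONN_RE.search(line)
        if not match:
            continue
        src, dst = (ipaddress.ip_address(a) for a in match.groups())
        for network, note in indicators:
            if src in network or dst in network:
                hits.append({"src": str(src), "dst": str(dst), "note": note})
                break  # one report per flow is enough
    return hits


def render_block_rules(indicators):
    """Emit iptables rules that drop flows in both directions.

    Plain iptables syntax; on a router or ISP edge the equivalent would be
    a null route or an ACL, but the data needed is identical."""
    rules = []
    for network, note in indicators:
        rules.append(f"# {note}")
        rules.append(f"iptables -A OUTPUT -d {network} -j DROP")
        rules.append(f"iptables -A INPUT -s {network} -j DROP")
    return rules


if __name__ == "__main__":
    indicators = parse_indicators(CNC_INDICATORS)
    for hit in match_connections(SAMPLE_CONN_LOG, indicators):
        print(f"{hit['src']} -> {hit['dst']}  ({hit['note']})")
    print("\n".join(render_block_rules(indicators)))
```

The sweep of past logs matters as much as the rules: a host that already reached a listed address is infected and will follow the next fallback, so it needs cleaning, not just a blocked route.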

    • by Marc Desrochers (606563) on Wednesday November 26, @03:31PM (#25902877)
      No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.
  • by pillowcase1 (878575) on Wednesday November 26, @03:18PM (#25902729) Homepage
    I know it's off topic, but my machine was running great for a couple weeks... now it's all slow again.
  • by Anonymous Monkey (795756) on Wednesday November 26, @03:19PM (#25902737)
    I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many legitimate businesses.
  • by INeededALogin (771371) on Wednesday November 26, @03:28PM (#25902827) Journal
    ... and a Coke
  • Some Idiots (Score:5, Insightful)

    by Nom du Keyboard (633989) on Wednesday November 26, @03:28PM (#25902849)
    Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers really need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.
  • OK now... (Score:5, Insightful)

    by damn_registrars (1103043) on Wednesday November 26, @03:30PM (#25902857) Journal
    Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.
      • by LackThereof (916566) on Wednesday November 26, @08:18PM (#25905327)

        Srizbi will, in fact, accept an uninstall command from a bogus C&C server.

        Lots of stuff about Srizbi [fireeye.com]

        In the course of investigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.