CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?
And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.
On top of that, how many languages would you want to sell antivirus software in?
Srizbi has an algorithm to generate a pseudo-random domain name from the current date, and looks to that domain for command & control instructions.
The author of the bot has the same algorithm, and can calculate the domain names days and weeks out. Thus, if their c&c server is knocked off the internet, the bot herder just has to register a few domain names that Srizbi will be looking to in the near future.
This has nothing to do with the domain names of the bots themselves, or of the
Actually there isn't money to be made this way because all those unhappy customers demanding refunds will be expensive. The idea that you can clean an infected Windows PC by installing product A or B or C is mistaken. The whole idea that security is a boxed product or is available by clicking an.exe/.msi installer is bogus. Assuming that the malware on these infected computers is even known to the AV companies (and that's no longer a reasonable assumption in most cases) then the only way to actually remove it effectively is by running the AV tools from read only media, i.e. a live CD. Well designed malware will simply disallow the installation/use/updating of common AV software. The malware authors are streets ahead of the "security" vendors. The AV products installed on a clean machine can't even prevent many of these problems let alone cure them. Most Windows users would be better advised to save their pennies and re-install from original media, always be patched and up to date (applications as well as OS), run as unprivileged user with strong passwords on all accounts and browse only with Firefox + privoxy + noscript + adblock. That isn't perfect but it's zero financial cost and way more effective than anything Symantec, McAfee etc can offer. Unfortunately running Windows with an unprivileged account is as convenient as toothache.
Right click on internet explorer and click "Run As" run it as admin. type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.
There's a lot more to it than launching applications. Even then it's unsatisfactory in many ways. It's extremely inconvenient to have to run an application as admin and have all the output non-executable and non-writable for other users...one more crappy task to fix all the permissions after every run. Anyway there are many applications which simply don't work with run as. The previous poster who linked to Super SU was nearer the mark. Windows user model works fine for users with no local admin rights wo
Worth mentioning, sudo is essentially UAC, only somewhat less annoying. But it's still a broken model.
One thing a lot of Unix daemons get right is, one user per task. Basic, stupidly simple security model -- nothing should have more access than it needs to do its job. Server systems still handle this reasonably well -- small things as root, only where needed. Take Apache -- it's root mostly just to bind port 80; everything else is www-data.
Things like this completely go away with modern desktops. The only t
by Anonymous Coward
on Wednesday November 26 2008, @03:16PM (#25902707)
"the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"
I'd love to go back in the '50s, find one of those future drawing artists, show him that head news, and ask him to draw what he think that means in the year 2008.
Will switching to IPv6 make the bot nets more transparent to those trying to defend the intertubes?
If that were true, then that might be a good argument to upgrade...
Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.
They also have to deal with various groups trying to stop them. As in TFA:
"We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."
So the spammers had to have thought about and planned for such a contingency.
And still bring in enough money to pay for the connections they'll be using to control the zombies.
The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.
So while attempting to register the domain names, work was going on to update the zombie software.
The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.
Why isn't information such as that ever included in these articles?
Yeah, but do you really need to block the whole country?
The bots obviously need to find their home. Most likely this is via either a hard-coded IP, or a DNS lookup. So, just publish whichever one it is and then everybody can blackhole either the DNS entry or the IP address. If the major ISPs do that the bot dies.
Now, if the bot uses IRC or something like that it could get trickier, since blocking that at the protocol level (short of killing an entire irc network) isn't possible. However, the irc network
No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.
Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.
You mean, "by not even trying to appear as though you give a shit about who you inconvenience".
If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats re
I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.
Swedish TeliaSonera and it wasn't done directly, they purchased the link through a third party and made sure it was activated just as the weekend started (probably hoping that no one would shut it down before the weekend was over).
Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers reall need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.
This was because they good guys stopped registering the dynamically generated domain names used by the botnet, allowing the bad guys to register some domain names and regain control.
Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?
I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.
need to be talking to each other when they blacklist a site
I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.
Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.
You mean operators of a massive botnet worth literally MILLIONS of dollars have a backup plan? SHOCKING!
How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?
In the course of invesigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.
So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004 [computerworld.com], fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist [dhs.gov]. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.
FBI testimony before Congress, 2001 [fbi.gov]: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which its must develop prevention, deterrence, and response capabilities."
FBI testimony before Congress, 2004 [fbi.gov]: "
In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."
You are receiving spam not nuclear weapons, you idiot. It's not terrorism.
Tens of millions of American computers are under the direct control of hostile foreign interests.
At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building [cnn.com], which got the FBI's full attention.
What I wonder is, why don't some of those white/grey/black hat hackers out there don't try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down. I'm sure it would be challenging and billions would approve.
The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?
Are you under the impression that ISP's cannot be bribed, confused, or flat out lied to using stolen credit card information? Boy, I wish I had your ISP to tell me what singles ads are lying about.
...the one remaining 4800 baud link between Estonia and the rest of the world was taken down earlier today when IT technicians took control of the phone line to order a pizza.
The trouble was any kind of central point became a massive juicy target for them, and it would be just the same for an open source project. Bluefrog IIRC ended up just drowning in a tide of DDOSing. Kinda ironic, really:)
As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it it up and have a good look at it to see how the heck it got through.
Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server)
What they should have done was this: Cut the provider's proverbial balls off. Then snap up the next ten or twenty domains. Connect them all to a server that instructs the bots that get there to uninstall themselves. I can see why they didn't, though; they could have been liable for any unintended effects (computers crashing, whatever), which is why that step should ideally have been done by some anonymous or pseudonymous party.
Zombies!!!!! (Score:5, Funny)
Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.
Random or crashing? (Score:3, Funny)
Which part of "random crashing" is alleviated by Linux? The "random" or the "crashing"?
Further Proof (Score:5, Insightful)
Re:Further Proof (Score:5, Funny)
It's nice to see that somebody's IT department has the funding and expertise to implement a backup plan.
It gives me hope.
Parent
Re:Further Proof (Score:5, Insightful)
the alg it uses to get domain names
Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?
And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.
On top of that, how many languages would you want to sell antivirus software in?
Parent
Re: (Score:3, Interesting)
You misunderstand.
Srizbi has an algorithm to generate a pseudo-random domain name from the current date, and looks to that domain for command & control instructions.
The author of the bot has the same algorithm, and can calculate the domain names days and weeks out. Thus, if their c&c server is knocked off the internet, the bot herder just has to register a few domain names that Srizbi will be looking to in the near future.
This has nothing to do with the domain names of the bots themselves, or of the
Re:Further Proof (Score:5, Insightful)
Parent
Re:Further Proof (Score:5, Informative)
Parent
Re:Further Proof (Score:5, Informative)
A little windows trickery:
Right click on internet explorer and click "Run As" run it as admin.
type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.
Parent
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Worth mentioning, sudo is essentially UAC, only somewhat less annoying. But it's still a broken model.
One thing a lot of Unix daemons get right is, one user per task. Basic, stupidly simple security model -- nothing should have more access than it needs to do its job. Server systems still handle this reasonably well -- small things as root, only where needed. Take Apache -- it's root mostly just to bind port 80; everything else is www-data.
Things like this completely go away with modern desktops. The only t
Going back in time ... (Score:5, Interesting)
"the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"
I'd love to go back in the '50s, find one of those future drawing artists, show him that head news, and ask him to draw what he think that means in the year 2008.
Hilarity ensue.
Re:Going back in time ... (Score:5, Funny)
Never fails - I never have mod points when I see posts worthy of them.
Parent
Re:Going back in time ... (Score:5, Funny)
I don't know what he'd draw, but I know it'd be covered in chrome. :)
Parent
Re:Going back in time ... (Score:5, Funny)
I guess it would a giant, dilapidated 50's-style robot vomiting a stream of cans of spams to crowds of innocent people.
Parent
They stopped them once. (Score:5, Insightful)
The sooner the better. My good:spam ratio is almost 5:95 at the moment
Re:They stopped them once. (Score:5, Funny)
Parent
Re:They stopped them once. (Score:4, Interesting)
Parent
Re:They stopped them once. (Score:4, Interesting)
If that were true, then that might be a good argument to upgrade...
Parent
Re: (Score:3, Informative)
I read that they had. Servers in Estonia shutdown quickly but one left up in Germany.
http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/ [theregister.co.uk]
What intriques me... (Score:5, Insightful)
Re:What intriques me... (Score:5, Funny)
Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.
Parent
Not really. (Score:5, Informative)
They also have to deal with various groups trying to stop them. As in TFA:
So the spammers had to have thought about and planned for such a contingency.
And still bring in enough money to pay for the connections they'll be using to control the zombies.
So while attempting to register the domain names, work was going on to update the zombie software.
The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.
Why isn't information such as that ever included in these articles?
Parent
Re: (Score:3, Interesting)
Yeah, but do you really need to block the whole country?
The bots obviously need to find their home. Most likely this is via either a hard-coded IP, or a DNS lookup. So, just publish whichever one it is and then everybody can blackhole either the DNS entry or the IP address. If the major ISPs do that the bot dies.
Now, if the bot uses IRC or something like that it could get trickier, since blocking that at the protocol level (short of killing an entire irc network) isn't possible. However, the irc network
Re:What intriques me... (Score:5, Insightful)
Parent
Re: (Score:3, Insightful)
You mean, "by not even trying to appear as though you give a shit about who you inconvenience".
If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats re
Thats strange... (Score:5, Funny)
We don't need no stinking backups... (Score:5, Insightful)
Re:We don't need no stinking backups... (Score:4, Funny)
Parent
Re:We don't need no stinking backups... (Score:4, Interesting)
Swedish TeliaSonera and it wasn't done directly, they purchased the link through a third party and made sure it was activated just as the weekend started (probably hoping that no one would shut it down before the weekend was over).
/Mikael
Parent
A McColo with Fries (Score:5, Funny)
Some Idiots (Score:5, Insightful)
Re:Some Idiots (Score:4, Informative)
Parent
Re:Some Idiots (Score:4, Insightful)
Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?
I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.
need to be talking to each other when they blacklist a site
I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.
Parent
OK now... (Score:5, Insightful)
Re: (Score:3, Insightful)
How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?
They missed the chance (Score:4, Insightful)
Re:They missed the chance (Score:5, Informative)
Srizbi will, in fact, accept an uninstall command from a bogus C&C server.
Lots of stuff about Srizbi [fireeye.com]
In the course of invesigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.
Parent
Soft on terrorism (Score:4, Informative)
So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004 [computerworld.com], fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist [dhs.gov]. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.
The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." [fbi.gov] What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds. [wordpress.com]
FBI testimony before Congress, 2001 [fbi.gov]: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which its must develop prevention, deterrence, and response capabilities."
FBI testimony before Congress, 2004 [fbi.gov]: " In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."
So where's the action?
Heads need to roll at DHS and the FBI.
Re: (Score:3, Interesting)
Tens of millions of American computers are under the direct control of hostile foreign interests. At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building [cnn.com], which got the FBI's full attention.
(H|Cr)ack attack (Score:4, Interesting)
What I wonder is, why don't some of those white/grey/black hat hackers out there don't try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down. I'm sure it would be challenging and billions would approve.
The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?
Money was involved... (Score:3, Informative)
Re: (Score:3, Insightful)
Re:Money was involved... (Score:5, Informative)
Parent
Update (Score:5, Informative)
The Estonia based Command and Control servers have been kicked offline.
Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.
This is not the server that's hard-coded in to the new Srizbi patch, just one of the backup servers supplying it.
source [fireeye.com]
In related news ... (Score:5, Funny)
Re:Aim for the head ... (Score:5, Funny)
You don't have much experience battling hydras, do you?
Parent
Re:Blue Frog? (Score:4, Interesting)
As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it it up and have a good look at it to see how the heck it got through.
Parent
Re: (Score:3, Interesting)
Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server)
Technical Details of Srizbis domain generation algorithm [fireeye.com]
Re: (Score:3, Interesting)