Massive Botnet Returns From the Dead To Spam On 205

CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
  • Not really. (Score:5, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday November 26, 2008 @04:35PM (#25902915)

    They also have to deal with various groups trying to stop them. As in TFA:

    "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

    So the spammers had to have thought about and planned for such a contingency.

    And still bring in enough money to pay for the connections they'll be using to control the zombies.

    The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.

    So while attempting to register the domain names, work was going on to update the zombie software.

    The question now is how to get those hard-coded references to the various ISPs in the world so that they can block traffic to/from them and stop the zombies from updating again.

    Why isn't information such as that ever included in these articles?

  • Re:Some Idiots (Score:4, Informative)

    by Detritus ( 11846 ) on Wednesday November 26, 2008 @04:36PM (#25902919) Homepage
    This was because the good guys stopped registering the dynamically generated domain names used by the botnet, allowing the bad guys to register some domain names and regain control.
  • Soft on terrorism (Score:4, Informative)

    by Animats ( 122034 ) on Wednesday November 26, 2008 @04:53PM (#25903085) Homepage

    So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004 [computerworld.com], fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist [dhs.gov]. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.

    The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." [fbi.gov] What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds. [wordpress.com]

    FBI testimony before Congress, 2001 [fbi.gov]: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which it must develop prevention, deterrence, and response capabilities."

    FBI testimony before Congress, 2004 [fbi.gov]: "In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."

    So where's the action?

    Heads need to roll at DHS and the FBI.

  • by The Master Control P ( 655590 ) <ejkeeverNO@SPAMnerdshack.com> on Wednesday November 26, 2008 @05:20PM (#25903367)
    There is no possible way any ISP would reconnect someone like McColo out of ignorance: TeliaSonera was bribed.
  • Re:Further Proof (Score:5, Informative)

    by jargon82 ( 996613 ) on Wednesday November 26, 2008 @05:36PM (#25903553)
    I've been running my windows XP laptop as non-admin for over 2 years. It's not as bad as you say. Two things keep me going. Superior SU, found here: http://www.stefan-kuhr.de/supsu/main.php3 [stefan-kuhr.de] and make me admin, found here: http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx [msdn.com]. Between the two, running non-admin is quite comfortable with a bit of practice.
  • by Anonymous Coward on Wednesday November 26, 2008 @05:40PM (#25903587)

    They should have used the domains to take over the botnet. If they know how it works, why not use the system to shut it down?!

  • by afidel ( 530433 ) on Wednesday November 26, 2008 @06:06PM (#25903835)
    More like duped, they bought the backup link through a reseller a long time ago and never activated it till Sat 11/15.
  • Re:Further Proof (Score:5, Informative)

    by blhack ( 921171 ) on Wednesday November 26, 2008 @07:10PM (#25904475)

    A little windows trickery:

    Right click on internet explorer and click "Run As" run it as admin.
    type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.

  • Re:Further Proof (Score:2, Informative)

    by Jason Hildebrand ( 103827 ) on Wednesday November 26, 2008 @08:12PM (#25904947)

    Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

    RTFA. The bots are generating domain names which they then attempt to contact in order to re-connect with botnet control.

    It's very clever, really. The algorithm can generate a near-endless list of domain names, and all the botnet owners have to do is register one of them and set it up to respond to the bots.

    On the other hand, in order to block this attempt by the bots to re-connect with the botnet owner, you have to pre-emptively register ALL domains which the algorithm generates. So in the long run, it's not financially feasible to block this.

    I assume that the researchers are now going to try to make arrangements directly with the registrars to block registration of such domains in the future -- hope they can get co-operation on this.

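The comment above describes the defender's side of the fallback scheme: bots walk through a generated list of names until one resolves. That pattern is visible in resolver logs as a burst of NXDOMAIN answers for random-looking names from one client. The following detector is an added example written for this thread, not code from FireEye or any poster; the log format, the sample lines and the entropy thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
# Constructed resolver log (assumed format: "timestamp client qname rcode"); not from the article.
SAMPLE_LOG = """\
2008-11-26T16:35:01 10.0.0.12 www.slashdot.org NOERROR
2008-11-26T16:35:02 10.0.0.12 typo.slashdto.org NXDOMAIN
2008-11-26T16:35:03 10.0.0.77 qzkdvuhwxr.com NXDOMAIN
2008-11-26T16:35:03 10.0.0.77 xvbtkpqwzm.net NXDOMAIN
2008-11-26T16:35:04 10.0.0.77 hjwqzxkvpt.com NXDOMAIN
2008-11-26T16:35:04 10.0.0.77 tkqpwzxvbn.org NXDOMAIN
2008-11-26T16:35:05 10.0.0.77 mzxqvkwtpr.com NXDOMAIN
2008-11-26T16:35:05 10.0.0.77 pqzxkwvtmr.com NOERROR
2008-11-26T16:35:06 10.0.0.12 mail.example.com NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    counts = {c: s.count(c) for c in set(s)}
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def second_level_label(qname: str) -> str:
    """Label left of the TLD (naive: treats 'co.uk'-style suffixes as a label)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def looks_algorithmic(qname: str, min_len: int = 8,
                      min_entropy: float = 3.0, max_vowel_ratio: float = 0.25) -> bool:
    """Crude heuristic for generated names: long, high-entropy, consonant-heavy label."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio

def detect_dga_clients(log_text: str, nx_threshold: int = 5) -> dict:
    """Clients whose distinct NXDOMAIN lookups of algorithmic-looking names reach
    nx_threshold: a bot walking its generated list until one name resolves."""
    nx_names = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing on them
        _ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN" and looks_algorithmic(qname):
            nx_names[client].add(qname)
    return {c: len(names) for c, names in nx_names.items() if len(names) >= nx_threshold}
if __name__ == "__main__":
    print(detect_dga_clients(SAMPLE_LOG))  # {'10.0.0.77': 5}
```

The flagged client is the one to isolate and clean; the single NOERROR name in its burst is the registered rendezvous domain worth reporting to the registrar, as the comment suggests.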
  • by LackThereof ( 916566 ) on Wednesday November 26, 2008 @09:18PM (#25905327)

    Srizbi will, in fact, accept an uninstall command from a bogus C&C server.

    Lots of stuff about Srizbi [fireeye.com]

    In the course of investigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.

  • Update (Score:5, Informative)

    by LackThereof ( 916566 ) on Wednesday November 26, 2008 @09:53PM (#25905521)

    The Estonia-based Command and Control servers have been kicked offline.

    Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.

    This is not the server that's hard-coded into the new Srizbi patch, just one of the backup servers supplying it.

    source [fireeye.com]

  • by sa1lnr ( 669048 ) on Thursday November 27, 2008 @03:57AM (#25906981)

    I read that they had. Servers in Estonia shut down quickly but one left up in Germany.

    http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/ [theregister.co.uk]

  • by Anonymous Coward on Thursday November 27, 2008 @11:57AM (#25909107)

    Technically they also do not have the 'legal authority' to be in control of those bots, but they did anyways. So that throws it out the window of changing the PC in some way.
