Massive Botnet Returns From the Dead To Spam On 205
CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
Further Proof (Score:5, Insightful)
They stopped them once. (Score:5, Insightful)
The sooner the better. My good:spam ratio is almost 5:95 at the moment
Comment removed (Score:5, Insightful)
We don't need no stinking backups... (Score:5, Insightful)
Some Idiots (Score:5, Insightful)
OK now... (Score:5, Insightful)
They missed the chance (Score:4, Insightful)
Re:What intriques me... (Score:5, Insightful)
Re:Some Idiots (Score:4, Insightful)
Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?
I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.
need to be talking to each other when they blacklist a site
I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.
Sample bias (Score:2, Insightful)
how efficiently the bad guys always work.
Not really - we only ever hear about the efficient ones here. Head on over to Fark [fark.com] (or even Youtube:) to get some examples of bad guys working....inefficiently.
Re:Further Proof (Score:5, Insightful)
the alg it uses to get domain names
Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?
And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.
On top of that, how many languages would you want to sell antivirus software in?
Re:What intriques me... (Score:3, Insightful)
You mean, "by not even trying to appear as though you give a shit about who you inconvenience".
If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats reveal 80% customer satisfaction. There is almost never any genuine attempt to actually support customers.
Most corporations would be as well to just stop providing any customer support whatsoever, there would be little net difference in most cases.
I think the lack of bureaucracy is probably the key factor in the success of the black economy. Anyone who has worked in a corporation knows how many hoops you have to jump through to get anything meaningful done at any level in the organization. It's often best forgetting about anything that's not groundbreaking.
That, and the fact that the bottom feeders in the foodchain who fail to cover their asses often don't get a warning on their permanent record so much as a bullet in the brain.
Re:Further Proof (Score:5, Insightful)
Re:Money was involved... (Score:3, Insightful)
Re:They stopped them once. (Score:1, Insightful)
well in real life you dont always want to reduce, when you do that you lose detail...
sure 5:95 is the same as 1:19 but in this case you lose the detail that there were 100 total not just 20.
say you have a group of people die and only .01 percent die, you could say thats a super tiny amount and its not a big deal unless your talking about the whole planet and then that .01 is still 67 million people.
book smarts and common sense smarts aren't interchangeable you have to know when one way is just better then the so called "right way".
Re:(H|Cr)ack attack (Score:1, Insightful)
What you seem to be overlooking is the fact that there is a huge profit motive in spam. As such, there is a huge profit motive in maintaining as large a botnet as possible. One thing botnet owners often do is try to steal bots from other nets. To combat this, they will often patch the holes they used to gain control of the bots in the first place, and any other holes they know of. Essentially, it is in botnet owners' best interests to make their bots as secure as possible against determined attackers (i.e., other botnet owners).
This leaves basically two reasonably reliable (legal) options for removing bots from the network: physical access to clean (or format) the infected computer offline, or persuading the bot's ISP that the bot is a bot and should have 'net access removed until such time as it is cleaned.
Re:OK now... (Score:3, Insightful)
How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?
Re:Further Proof (Score:3, Insightful)
Why can't someone honeypot a bot, move the system time forward and intercept NTP queries, and watch the traffic to see what DNS queries it generates?
Actually, they managed to do better than that: they reverse-engineered the algorithm, and didn't even need to VM a bot.
However, where the plan failed was not in guessing the domain names, but in coming up with enough money to preemptively register them...