Massive Botnet Returns From the Dead To Spam On

CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
  • Further Proof (Score:5, Insightful)

    by MaxwellEdison ( 1368785 ) on Wednesday November 26, 2008 @04:13PM (#25902677)
    Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.
  • by Finallyjoined!!! ( 1158431 ) on Wednesday November 26, 2008 @04:16PM (#25902709)
    Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.

    The sooner the better. My good:spam ratio is almost 5:95 at the moment :-(
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday November 26, 2008 @04:18PM (#25902727)
    Comment removed based on user account deletion
  • by Anonymous Monkey ( 795756 ) on Wednesday November 26, 2008 @04:19PM (#25902737)
    I have worked in more than a few offices that have no backup plans for when things go wrong; power outages, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals is running a more flexible and 'professional' operation than many legitimate businesses.
  • Some Idiots (Score:5, Insightful)

    by Nom du Keyboard ( 633989 ) on Wednesday November 26, 2008 @04:28PM (#25902849)
    Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the initial McColo shutdown? These major ISP backbone providers really need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.
  • OK now... (Score:5, Insightful)

    by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Wednesday November 26, 2008 @04:30PM (#25902857) Homepage Journal
    Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.
  • by confused one ( 671304 ) on Wednesday November 26, 2008 @04:30PM (#25902869)
    While the command and control was down, they missed the chance to take out the bots too.
  • by Marc Desrochers ( 606563 ) on Wednesday November 26, 2008 @04:31PM (#25902877)
    No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.
  • Re:Some Idiots (Score:4, Insightful)

    by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Wednesday November 26, 2008 @04:38PM (#25902941) Homepage Journal

    Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?

    I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.

    need to be talking to each other when they blacklist a site

    I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.

  • Sample bias (Score:2, Insightful)

    by DahGhostfacedFiddlah ( 470393 ) on Wednesday November 26, 2008 @04:43PM (#25903007)

    how efficiently the bad guys always work.

    Not really - we only ever hear about the efficient ones here. Head on over to Fark [fark.com] (or even Youtube :) to get some examples of bad guys working... inefficiently.

  • Re:Further Proof (Score:5, Insightful)

    by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Wednesday November 26, 2008 @04:43PM (#25903009) Homepage Journal

    the alg it uses to get domain names

    Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

    And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.

    On top of that, how many languages would you want to sell antivirus software in?

  • by owlnation ( 858981 ) on Wednesday November 26, 2008 @05:04PM (#25903183)

    Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

    You mean, "by not even trying to appear as though you give a shit about who you inconvenience".

    If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats reveal 80% customer satisfaction. There is almost never any genuine attempt to actually support customers.

    Most corporations would be as well to just stop providing any customer support whatsoever, there would be little net difference in most cases.

    I think the lack of bureaucracy is probably the key factor in the success of the black economy. Anyone who has worked in a corporation knows how many hoops you have to jump through to get anything meaningful done at any level in the organization. It's often best forgetting about anything that's not groundbreaking.

    That, and the fact that the bottom feeders in the foodchain who fail to cover their asses often don't get a warning on their permanent record so much as a bullet in the brain.

  • Re:Further Proof (Score:5, Insightful)

    by julian67 ( 1022593 ) on Wednesday November 26, 2008 @05:28PM (#25903459)
    Actually there isn't money to be made this way because all those unhappy customers demanding refunds will be expensive. The idea that you can clean an infected Windows PC by installing product A or B or C is mistaken. The whole idea that security is a boxed product or is available by clicking an .exe/.msi installer is bogus. Assuming that the malware on these infected computers is even known to the AV companies (and that's no longer a reasonable assumption in most cases) then the only way to actually remove it effectively is by running the AV tools from read only media, i.e. a live CD. Well designed malware will simply disallow the installation/use/updating of common AV software. The malware authors are streets ahead of the "security" vendors. The AV products installed on a clean machine can't even prevent many of these problems let alone cure them. Most Windows users would be better advised to save their pennies and re-install from original media, always be patched and up to date (applications as well as OS), run as unprivileged user with strong passwords on all accounts and browse only with Firefox + privoxy + noscript + adblock. That isn't perfect but it's zero financial cost and way more effective than anything Symantec, McAfee etc can offer. Unfortunately running Windows with an unprivileged account is as convenient as toothache.
  • by Antique Geekmeister ( 740220 ) on Wednesday November 26, 2008 @05:53PM (#25903711)
    Are you under the impression that ISP's cannot be bribed, confused, or flat out lied to using stolen credit card information? Boy, I wish I had your ISP to tell me what singles ads are lying about.
  • by Anonymous Coward on Wednesday November 26, 2008 @06:49PM (#25904295)

    Well, in real life you don't always want to reduce; when you do that you lose detail...

    Sure, 5:95 is the same as 1:19, but in this case you lose the detail that there were 100 total, not just 20.

    Say you have a group of people die and only .01 percent die; you could say that's a super tiny amount and it's not a big deal, unless you're talking about the whole planet, and then that .01 is still 67 million people.
    Book smarts and common sense smarts aren't interchangeable; you have to know when one way is just better than the so-called "right way".

  • by Anonymous Coward on Wednesday November 26, 2008 @07:25PM (#25904619)

    What you seem to be overlooking is the fact that there is a huge profit motive in spam. As such, there is a huge profit motive in maintaining as large a botnet as possible. One thing botnet owners often do is try to steal bots from other nets. To combat this, they will often patch the holes they used to gain control of the bots in the first place, and any other holes they know of. Essentially, it is in botnet owners' best interests to make their bots as secure as possible against determined attackers (i.e., other botnet owners).

    This leaves basically two reasonably reliable (legal) options for removing bots from the network: physical access to clean (or format) the infected computer offline, or persuading the bot's ISP that the bot is a bot and should have 'net access removed until such time as it is cleaned.

  • Re:OK now... (Score:3, Insightful)

    by jon3k ( 691256 ) on Wednesday November 26, 2008 @07:42PM (#25904747)
    You mean operators of a massive botnet worth literally MILLIONS of dollars have a backup plan? SHOCKING!

    How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?
  • Re:Further Proof (Score:3, Insightful)

    by ArsenneLupin ( 766289 ) on Thursday November 27, 2008 @08:18AM (#25907889)

    Why can't someone honeypot a bot, move the system time forward and intercept NTP queries, and watch the traffic to see what DNS queries it generates?

    Actually, they managed to do better than that: they reverse-engineered the algorithm, and didn't even need to VM a bot.

    However, where the plan failed was not in guessing the domain names, but in coming up with enough money to preemptively register them...
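The two comments above describe the defender's vantage point on a fallback scheme: an infected host that has lost its controller starts querying generated domain names until one resolves. Below is an added example, written for this page and not code from the thread, from Slashdot or from any of the cited researchers, showing how a resolver operator might spot that behaviour in query logs. It assumes a simple constructed log format (`timestamp client qname rcode`), constructed sample lines, and illustrative thresholds (lookup count, NXDOMAIN ratio, label entropy); the real Srizbi algorithm and its domains are not on this page and are not modelled here.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query log lines: "ts client qname rcode".
# 10.0.0.9 is the constructed "lost bot": many lookups of random-looking
# labels, almost all of which fail, until one finally resolves.
SAMPLE_LOG = """\
1227722400 10.0.0.5 www.example.com NOERROR
1227722401 10.0.0.5 mail.example.com NOERROR
1227722402 10.0.0.9 qxjzkvbwtr.com NXDOMAIN
1227722403 10.0.0.9 plmwoqzxnc.com NXDOMAIN
1227722404 10.0.0.9 vbtrkqzxjm.net NXDOMAIN
1227722405 10.0.0.9 wqzxpnbvlk.com NXDOMAIN
1227722406 10.0.0.9 zkjwqxvbtn.org NXDOMAIN
1227722407 10.0.0.9 xqwvzbkjtp.com NOERROR
1227722408 10.0.0.5 slashdot.org NOERROR
1227722409 10.0.0.7 typo-example.cm NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qname, rcode = fields
        yield client, qname, rcode.upper()


def score_clients(log_text, min_lookups=5, min_nxdomain_ratio=0.6,
                  min_mean_entropy=3.0):
    """Per-client statistics plus a 'flagged' verdict.

    A client is flagged when it made at least min_lookups queries, most of
    them failed (NXDOMAIN), and the labels it asked for look random
    (high mean entropy). Thresholds are illustrative, not tuned values.
    """
    stats = defaultdict(lambda: {"lookups": 0, "nxdomain": 0, "labels": set()})
    for client, qname, rcode in parse_log(log_text):
        s = stats[client]
        s["lookups"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["labels"].add(second_level_label(qname))

    result = {}
    for client, s in stats.items():
        entropies = [shannon_entropy(lbl) for lbl in s["labels"]]
        mean_entropy = sum(entropies) / len(entropies)
        nx_ratio = s["nxdomain"] / s["lookups"]
        result[client] = {
            "lookups": s["lookups"],
            "nxdomain_ratio": round(nx_ratio, 3),
            "mean_entropy": round(mean_entropy, 3),
            "flagged": (s["lookups"] >= min_lookups
                        and nx_ratio >= min_nxdomain_ratio
                        and mean_entropy >= min_mean_entropy),
        }
    return result


if __name__ == "__main__":
    for client, info in sorted(score_clients(SAMPLE_LOG).items()):
        print(client, info)
```

The three conditions are deliberately combined: a single user mistyping a domain (10.0.0.7 above) trips the NXDOMAIN test but not the volume test, and a busy legitimate host trips the volume test but not the entropy or failure-rate tests. In practice the flagged client list is the starting point for the cleanup the thread describes, namely taking the machine off the network and rebuilding it, not a verdict on its own.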
