
Massive Botnet Returns From the Dead To Spam On 205

CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
  • by Anonymous Coward on Wednesday November 26, 2008 @04:16PM (#25902707)

    "the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"

    I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks that means in the year 2008.

    Hilarity ensues.

  • Re:Further Proof (Score:1, Interesting)

    by Anonymous Coward on Wednesday November 26, 2008 @04:30PM (#25902855)

    ah but if you can figure out the alg it uses to get domain names....

    The next time they are knocked out you can get a list of machines that are infected. Set up an agreement with the ISP and say 'if you give me the people who have their machines infected (btw here is a list) I will split the profit with you of every copy of McAfee or Norton or whatever we sell to these customers.'

    Letter from the ISP with a 20-dollar coupon for a virus scanner. 'Your computer was recently infected (see attached log). We recommend that you purchase some software to fix this issue. We recommend software X and here is a coupon for it.' Hell, some ISPs even give away the software...

    It will not fix the problem but there is money to be made fixing it...

  • by armanox ( 826486 ) <asherewindknight@yahoo.com> on Wednesday November 26, 2008 @04:41PM (#25902983) Homepage Journal
    Actually mine told me not to reduce, as it helps to see where they came from.
  • by smittyoneeach ( 243267 ) * on Wednesday November 26, 2008 @05:09PM (#25903227) Homepage Journal
    Will switching to IPv6 make the bot nets more transparent to those trying to defend the intertubes?
    If that were true, then that might be a good argument to upgrade...
  • by mikael_j ( 106439 ) on Wednesday November 26, 2008 @05:13PM (#25903271)

    Swedish TeliaSonera and it wasn't done directly, they purchased the link through a third party and made sure it was activated just as the weekend started (probably hoping that no one would shut it down before the weekend was over).

    /Mikael

  • by tankadin ( 1175113 ) on Wednesday November 26, 2008 @05:17PM (#25903327)
    You could send an e-mail about command-and-control servers to our Cyber Defence Center (Küberkaitse Keskus aka KKK) http://en.wikipedia.org/wiki/CCDCOE [wikipedia.org]. Estonia is not a big country at all, so I think these new servers would be taken down pretty quickly.
  • (H|Cr)ack attack (Score:4, Interesting)

    by Thaelon ( 250687 ) on Wednesday November 26, 2008 @05:19PM (#25903353)

    What I wonder is, why don't some of those white/grey/black hat hackers out there try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down? I'm sure it would be challenging and billions would approve.

    The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?

  • Re:Blue Frog? (Score:4, Interesting)

    by u38cg ( 607297 ) <calum@callingthetune.co.uk> on Wednesday November 26, 2008 @05:55PM (#25903733) Homepage
    The trouble was any kind of central point became a massive juicy target for them, and it would be just the same for an open source project. Bluefrog IIRC ended up just drowning in a tide of DDOSing. Kinda ironic, really :)

    As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it up and have a good look at it to see how the heck it got through.

  • by Animats ( 122034 ) on Wednesday November 26, 2008 @06:03PM (#25903787) Homepage
    You are receiving spam not nuclear weapons, you idiot. It's not terrorism.

    Tens of millions of American computers are under the direct control of hostile foreign interests. At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building [cnn.com], which got the FBI's full attention.

  • by blair1q ( 305137 ) on Wednesday November 26, 2008 @06:29PM (#25904107) Journal

    It's pretty obvious to me that it's trivially simple to watch one of these bots cycle through its algorithm, then when it gets a working server site, you trace to that site and find who's running it and cut their balls off as well as their network access. Then watch it happen again, and so on.

    That would be a lot smarter than paying tens of thousands of dollars for randomly-generated domain names.

    Why are spam-fighters so intent on doing the dumb thing instead of the right thing?

  • by WTF Chuck ( 1369665 ) on Wednesday November 26, 2008 @06:47PM (#25904283) Journal

    Or simply killing all those whose machines are infected? And if you think that any of those is acceptable then you surely won't have any objection if/when other nations start behaving that way in your country, will you? I know where most of my spam originates.

    I have no problem with the infected machines being killed off, regardless of where the attacker that killed the machine is located or who the attacker is. Just leave some indication of why the machine was killed so I can point to it when charging the customer for re-installing their OS and recovering whatever of their files that you are kind enough to leave for them. A nice little README.txt file explaining "Your machine was a spam spewing zombie in the <botnet name> botnet." will be sufficient.

  • Re:Further Proof (Score:3, Interesting)

    by julian67 ( 1022593 ) on Wednesday November 26, 2008 @07:21PM (#25904571)
    There's a lot more to it than launching applications. Even then it's unsatisfactory in many ways. It's extremely inconvenient to have to run an application as admin and have all the output non-executable and non-writable for other users...one more crappy task to fix all the permissions after every run. Anyway there are many applications which simply don't work with run as. The previous poster who linked to Super SU was nearer the mark. Windows user model works fine for users with no local admin rights working under a domain controller, i.e. in the office with IT dept running everything. For home/individual users it really stinks. The existence of botnets of tens or hundreds of thousands of compromised Windows PCs should negate the need to even mention or discuss this but it seems that simple, sane authorisation models have been thoroughly subverted for so long that the absolute worst model is considered normal and acceptable. What's really incredible to me is that if you look at unix user/super user model or the Ubuntu/OS X style sudo model they are both easy and *convenient* for the end user as well as the administrator and have no real drawback; I can't quite work out why MS dedicated the last 10 years to screwing it up so badly. It is a horrible experience for their users to suffer unwanted malicious software on their systems and it could all have been easily avoided. It shouldn't be normal to run a system so badly configured and implemented that it requires 3rd party add ons simply to appear secure. It shouldn't be anything other than extraordinarily unusual to have one's personal and financial details exposed to criminals etc. Run as is not the answer because there are too many situations where it simply doesn't work or is so inconvenient that it becomes impractical. Personally speaking, Windows is only for games while everything else gets done on a sensible OS. Windows by default has no immunity and no powers of recovery. It has AIDS.
  • Re:Not really. (Score:3, Interesting)

    by Rich0 ( 548339 ) on Wednesday November 26, 2008 @08:56PM (#25905239) Homepage

    Yeah, but do you really need to block the whole country?

    The bots obviously need to find their home. Most likely this is via either a hard-coded IP, or a DNS lookup. So, just publish whichever one it is and then everybody can blackhole either the DNS entry or the IP address. If the major ISPs do that the bot dies.

    Now, if the bot uses IRC or something like that it could get trickier, since blocking that at the protocol level (short of killing an entire IRC network) isn't possible. However, the IRC network could probably block the appropriate channels.

  • Re:Further Proof (Score:3, Interesting)

    by LackThereof ( 916566 ) on Wednesday November 26, 2008 @08:58PM (#25905245)

    You misunderstand.

    Srizbi has an algorithm to generate a pseudo-random domain name from the current date, and looks to that domain for command & control instructions.

    The author of the bot has the same algorithm, and can calculate the domain names days and weeks out. Thus, if their c&c server is knocked off the internet, the bot herder just has to register a few domain names that Srizbi will be looking to in the near future.

    This has nothing to do with the domain names of the bots themselves, or of the target machines.

  • Re:domains ? (Score:3, Interesting)

    by LackThereof ( 916566 ) on Wednesday November 26, 2008 @09:41PM (#25905447)

    Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server).

    Technical Details of Srizbi's domain generation algorithm [fireeye.com]
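    The date-seeded lookup that LackThereof describes in the two posts above, as an added example that is not part of the original thread and does not reproduce Srizbi's real algorithm (the FireEye link covers that): a toy DGA, plus the defender-side use of it once the generator has been reverse-engineered, which is to precompute the domains for the coming days so they can be sinkholed or matched against DNS query logs. The seed, TLD list and log line format are constructed.

    ```python
    import datetime
    import hashlib
    from typing import List, Set, Tuple

    TLDS = ["com", "net", "org"]          # constructed, not Srizbi's real TLD set
    TOY_SEED = b"toy-seed"                # constructed; a real DGA's constant is recovered from the binary


    def dga_domains(day: datetime.date, count: int = 3, seed: bytes = TOY_SEED) -> List[str]:
        """Candidate C&C domains for one calendar day under this hypothetical DGA.

        Anyone holding the algorithm and seed, herder or defender, gets the same list,
        which is the whole point of the posts above."""
        out = []
        for i in range(count):
            h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
            label = "".join(chr(ord("a") + b % 26) for b in h[:10])   # 10 lowercase letters
            out.append(f"{label}.{TLDS[h[10] % len(TLDS)]}")
        return out


    def upcoming_domains(start: datetime.date, days: int) -> Set[str]:
        """Watchlist: every domain the bots will try from `start` for `days` days.
        This is the list a defender would pre-register/sinkhole or blackhole in DNS."""
        watch: Set[str] = set()
        for d in range(days):
            watch.update(dga_domains(start + datetime.timedelta(days=d)))
        return watch


    def flag_dns_queries(log_lines: List[str], watchlist: Set[str]) -> List[Tuple[str, str]]:
        """Return (client_ip, qname) for each DNS log line that queries a watchlisted domain.
        Constructed log format: '<timestamp> <client_ip> <qname>'; malformed lines are skipped.
        Hits identify infected hosts on the local network, not the C&C server itself."""
        hits = []
        for line in log_lines:
            parts = line.split()
            if len(parts) != 3:
                continue
            _, client_ip, qname = parts
            if qname.lower().rstrip(".") in watchlist:
                hits.append((client_ip, qname))
        return hits


    if __name__ == "__main__":
        today = datetime.date(2008, 11, 26)
        print(sorted(upcoming_domains(today, 7)))
    ```
    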

  • Re:Further Proof (Score:3, Interesting)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Thursday November 27, 2008 @01:33AM (#25906493) Journal

    Worth mentioning, sudo is essentially UAC, only somewhat less annoying. But it's still a broken model.

    One thing a lot of Unix daemons get right is, one user per task. Basic, stupidly simple security model -- nothing should have more access than it needs to do its job. Server systems still handle this reasonably well -- small things as root, only where needed. Take Apache -- it's root mostly just to bind port 80; everything else is www-data.

    Things like this completely go away with modern desktops. The only two users you deal with most of the time are yourself and root. Not that it matters -- X is full of potential exploits.

    Oh, and Windows isn't entirely unrecoverable, though the most effective recovery tools I know of are all Linux-based -- a decent livecd, ntfsclone, etc.

  • by cheekyboy ( 598084 ) on Thursday November 27, 2008 @07:29AM (#25907713) Homepage Journal

    Surely doing nothing is just like knowing a criminal has done a crime without reporting it, so you are deemed an aid to the crime if you let it happen.

    Idiots.

    Just do it under the table from a netcafe, and no one will complain, really, no one will, no body, bloody no one!!! Those guys have NO balls.

  • by kvezach ( 1199717 ) on Thursday November 27, 2008 @07:37AM (#25907729)
    What they should have done was this: Cut the provider's proverbial balls off. Then snap up the next ten or twenty domains. Connect them all to a server that instructs the bots that get there to uninstall themselves. I can see why they didn't, though; they could have been liable for any unintended effects (computers crashing, whatever), which is why that step should ideally have been done by some anonymous or pseudonymous party.
  • Re:(H|Cr)ack attack (Score:3, Interesting)

    by Yvanhoe ( 564877 ) on Thursday November 27, 2008 @10:02AM (#25908325) Journal
    While looking for information on Code Green, I came across this 2002 Black Hat conference presentation that discusses the possibility of striking back at an attacker in the case of the Nimda worm epidemic. http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-mullen.pdf [blackhat.com] You may be interested in this presentation.
