Massive Botnet Returns From the Dead To Spam On
CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
Going back in time ... (Score:5, Interesting)
"the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"
I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks it means in the year 2008.
Hilarity ensues.
Re:Further Proof (Score:1, Interesting)
ah but if you can figure out the alg it uses to get domain names....
The next time they are knocked out you can get a list of machines that are infected. Set up an agreement with the ISP and say 'if you give me the people who have their machines infected (btw here is a list) I will split the profit with you of every copy of McAfee or Norton or whatever we sell to these customers.'
Letter from the ISP with a 20-dollar coupon for a virus scanner: 'Your computer was recently infected (see attached log). We recommend that you purchase some software to fix this issue. We recommend software X and here is a coupon for it.' Hell, some ISPs even give away the software...
It will not fix the problem but there is money to be made fixing it...
Re:They stopped them once. (Score:4, Interesting)
If that were true, then that might be a good argument to upgrade...
Re:We don't need no stinking backups... (Score:4, Interesting)
Swedish TeliaSonera and it wasn't done directly, they purchased the link through a third party and made sure it was activated just as the weekend started (probably hoping that no one would shut it down before the weekend was over).
/Mikael
how come you say for sure they're in Estonia? (Score:2, Interesting)
(H|Cr)ack attack (Score:4, Interesting)
What I wonder is, why don't some of those white/grey/black hat hackers out there try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down? I'm sure it would be challenging and billions would approve.
The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?
Re:Blue Frog? (Score:4, Interesting)
As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it up and have a good look at it to see how the heck it got through.
Re:Please grow up and join the real world (Score:3, Interesting)
Tens of millions of American computers are under the direct control of hostile foreign interests. At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building [cnn.com], which got the FBI's full attention.
Why is this still going on? (Score:2, Interesting)
It's pretty obvious to me that it's trivially simple to watch one of these bots cycle through its algorithm, then when it gets a working server site, you trace to that site and find who's running it and cut their balls off as well as their network access. Then watch it happen again, and so on.
That would be a lot smarter than paying tens of thousands of dollars for randomly-generated domain names.
Why are spam-fighters so intent on doing the dumb thing instead of the right thing?
Re:Please grow up and join the real world (Score:2, Interesting)
Or simply killing all those whose machines are infected? And if you think that any of those is acceptable then you surely won't have any objection if/when other nations start behaving that way in your country, will you? I know where most of my spam originates.
I have no problem with the infected machines being killed off, regardless of where the attacker that killed the machine is located or who the attacker is. Just leave some indication of why the machine was killed so I can point to it when charging the customer for re-installing their OS and recovering whatever of their files that you are kind enough to leave for them. A nice little README.txt file explaining "Your machine was a spam spewing zombie in the <botnet name> botnet." will be sufficient.
Re:Further Proof (Score:3, Interesting)
Re:Not really. (Score:3, Interesting)
Yeah, but do you really need to block the whole country?
The bots obviously need to find their home. Most likely this is via either a hard-coded IP, or a DNS lookup. So, just publish whichever one it is and then everybody can blackhole either the DNS entry or the IP address. If the major ISPs do that the bot dies.
Now, if the bot uses IRC or something like that it could get trickier, since blocking that at the protocol level (short of killing an entire irc network) isn't possible. However, the irc network could probably block the appropriate channels.
Re:Further Proof (Score:3, Interesting)
You misunderstand.
Srizbi has an algorithm to generate a pseudo-random domain name from the current date, and looks to that domain for command & control instructions.
The author of the bot has the same algorithm, and can calculate the domain names days and weeks out. Thus, if their c&c server is knocked off the internet, the bot herder just has to register a few domain names that Srizbi will be looking to in the near future.
This has nothing to do with the domain names of the bots themselves, or of the target machines.
Re:domains ? (Score:3, Interesting)
Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server).
Technical Details of Srizbi's domain generation algorithm [fireeye.com]
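The two comments above (and the earlier "if you can figure out the alg it uses to get domain names" and "watch one of these bots cycle through its algorithm" posts) describe the same asymmetry from both sides: whoever holds a date-seeded generator can list the rendezvous domains days ahead, so a defender who has reverse-engineered it can pre-register or blackhole them and use resolver logs to find the infected hosts. The script below is an added illustration of that defender workflow, not code from the thread, from FireEye, or from Srizbi. The generator in it is a hypothetical toy (SHA-256 over a made-up seed and the date), not Srizbi's real algorithm; the seed, the TLD list, the three-domains-per-day count, the sinkhole address and the resolver log lines are all constructed for the demo.

```python
"""Date-seeded domain prediction, sinkhole records and resolver-log matching.

The generator is a hypothetical toy DGA (SHA-256 over a fixed seed and the
date). It is NOT Srizbi's algorithm; it only stands in for one so the
defender-side steps the thread describes can be shown end to end.
"""
import datetime
import hashlib

SEED = b"toy-dga-seed"            # assumption: stand-in for a constant baked into the bot
TLDS = ("com", "net", "org")      # assumption: TLDs the toy generator cycles through
DOMAINS_PER_DAY = 3               # assumption: how many names the bot tries per day


def dga_domains(day: datetime.date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the rendezvous domains for one calendar day (toy algorithm)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def predict_domains(start: datetime.date, days: int) -> set[str]:
    """Every name the bots will look up from `start` for `days` days.
    Anyone holding the algorithm, herder or defender, can compute this."""
    predicted = set()
    for offset in range(days):
        predicted.update(dga_domains(start + datetime.timedelta(days=offset)))
    return predicted


def sinkhole_records(domains, sink_ip: str = "192.0.2.1") -> list[str]:
    """Zone-file style A records pointing each predicted name at a sinkhole.
    192.0.2.1 is from the RFC 5737 documentation range (assumption for the demo)."""
    return [f"{d}. IN A {sink_ip}" for d in sorted(domains)]


def flag_dns_queries(log_lines, predicted) -> list[tuple[str, str]]:
    """Return (client, domain) for each log line whose queried name is in
    `predicted`. Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query:":
            continue
        client, qname = parts[1], parts[3].rstrip(".").lower()
        if qname in predicted:
            hits.append((client, qname))
    return hits


# Constructed sample resolver log (not real data). The third line queries a
# name the toy DGA emits for the day after the outage, i.e. a host already
# hunting for the next rendezvous point.
OUTAGE_DAY = datetime.date(2008, 11, 26)
TOMORROW_DOMAIN = dga_domains(OUTAGE_DAY + datetime.timedelta(days=1))[0]
SAMPLE_LOGS = [
    "2008-11-26T10:01:02Z 10.0.0.7 query: www.example.com.",
    "garbage line with no structure",
    f"2008-11-26T10:01:05Z 10.0.0.12 query: {TOMORROW_DOMAIN}.",
    "2008-11-26T10:01:09Z 10.0.0.7 query: mail.example.org.",
]

if __name__ == "__main__":
    upcoming = predict_domains(OUTAGE_DAY, 7)
    print("\n".join(sinkhole_records(upcoming)))      # what to register or blackhole
    print(flag_dns_queries(SAMPLE_LOGS, upcoming))    # which clients to notify
```

Run as-is it prints the week's sinkhole records and reports 10.0.0.12 as the one client that asked for a predicted name. The same predicted set feeds both halves of the response: the records go to the resolver or registrar, and the hit list goes to whoever contacts the owners of the infected machines.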
Re:Further Proof (Score:3, Interesting)
Worth mentioning, sudo is essentially UAC, only somewhat less annoying. But it's still a broken model.
One thing a lot of Unix daemons get right is, one user per task. Basic, stupidly simple security model -- nothing should have more access than it needs to do its job. Server systems still handle this reasonably well -- small things as root, only where needed. Take Apache -- it's root mostly just to bind port 80; everything else is www-data.
Things like this completely go away with modern desktops. The only two users you deal with most of the time are yourself and root. Not that it matters -- X is full of potential exploits.
Oh, and Windows isn't entirely unrecoverable, though the most effective recovery tools I know of are all Linux-based -- a decent livecd, ntfsclone, etc.
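The "root only to bind port 80, everything else as www-data" pattern the comment credits to Apache is easy to state and easy to get subtly wrong (drop the uid before the gid and the gid change fails; forget the supplementary groups and they leak through). The script below is an added illustration of that sequence, not Apache's code and not from the thread. It assumes the account name and port are parameters, and it treats a refused setuid(0) after the drop as the proof that the drop stuck.

```python
"""Bind a privileged port as root, then permanently drop to an unprivileged
user. Added example of the 'root only where needed' pattern; not Apache's code.
"""
import os
import pwd
import socket


def bind_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Create the listening socket. Ports below 1024 need root (or
    CAP_NET_BIND_SERVICE), so this runs BEFORE the privilege drop."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock


def current_identity() -> tuple[int, int]:
    """(real uid, real gid) of this process."""
    return os.getuid(), os.getgid()


def lookup_account(name: str) -> tuple[int, int]:
    """Resolve an account name (e.g. www-data) to (uid, gid)."""
    entry = pwd.getpwnam(name)
    return entry.pw_uid, entry.pw_gid


def drop_privileges(uid: int, gid: int) -> bool:
    """Permanently switch to uid/gid.

    Returns True when the process ends up unprivileged and cannot regain
    root, False when it still runs as root (uid 0 requested, or it was never
    root so there was nothing to drop). Order matters: supplementary groups
    and the gid go first, because after setuid() to a non-root uid the
    process no longer has the right to change them."""
    if os.getuid() != 0:
        return os.getuid() == uid        # nothing to drop; report whether we match
    os.setgroups([])                     # discard root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)                       # sets real, effective and saved uid
    if uid == 0:
        return False
    try:                                 # the drop must be irreversible
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick; refusing to continue")


def start_service(port: int = 80, user: str = "www-data") -> socket.socket:
    """Root-only step first (bind), then drop, then hand back the socket to
    be served as `user`. Raises rather than serving as root by accident."""
    listener = bind_listener(port)
    if os.getuid() == 0:
        uid, gid = lookup_account(user)
        if not drop_privileges(uid, gid):
            listener.close()
            raise RuntimeError(f"still root after trying to become {user}")
    return listener


if __name__ == "__main__":
    srv = start_service()
    print("listening on", srv.getsockname(), "as uid", os.getuid())
```

Started as root it binds port 80, becomes www-data, and reports the unprivileged uid; started as an ordinary user it fails at bind() with a permission error, which is exactly the boundary the comment is talking about. The socket keeps working after the drop because the descriptor, not the process identity, is what the kernel checks on accept().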
then doing nothing is a crime too (Score:2, Interesting)
surely doing nothing is just like knowing a criminal has done a crime without reporting it, so you are deemed an aid to the crime if you let it happen.
Idiots.
Just do it under the table from a netcafe, and no one will complain, really, no one will, nobody, bloody no one!!! Those guys have NO balls.
Re:Why is this still going on? (Score:3, Interesting)
Re:(H|Cr)ack attack (Score:3, Interesting)