
Massive Botnet Returns From the Dead To Spam On

Posted by timothy
from the late-entry-for-hallowe'en dept.
CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."


  • by syousef (465911) on Wednesday November 26, 2008 @04:12PM (#25902667) Journal

    Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.

    • "It took Linda('s e-mail box.) Then it came after (my e-mail box,) it got into my (windows box) and it (turned zombie,) so (we got McColo shutted down.) But that didn't stop it, it came back big time."

  • Further Proof (Score:5, Insightful)

    by MaxwellEdison (1368785) on Wednesday November 26, 2008 @04:13PM (#25902677)
    Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.
    • Re: (Score:2, Funny)

      by internerdj (1319281)
      Tell that to the RIAA.
    • by Lobster Quadrille (965591) on Wednesday November 26, 2008 @04:55PM (#25903099)

      It's nice to see that somebody's IT department has the funding and expertise to implement a backup plan.

      It gives me hope.

    • by nurb432 (527695)

      Or get into politics.

  • by Anonymous Coward on Wednesday November 26, 2008 @04:16PM (#25902707)

    "the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"

    I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks it means in the year 2008.

    Hilarity ensues.

  • by Finallyjoined!!! (1158431) on Wednesday November 26, 2008 @04:16PM (#25902709)
    Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.

    The sooner the better. My good:spam ratio is almost 5:95 at the moment :-(
  • by powerslave12r (1389937) on Wednesday November 26, 2008 @04:18PM (#25902727)
    ..most is how efficiently the bad guys always work. It's just astounding.
    • by Yvan256 (722131) on Wednesday November 26, 2008 @04:26PM (#25902799) Homepage Journal

      Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.

      • Not really. (Score:5, Informative)

        by khasim (1285) <brandioch.conner@gmail.com> on Wednesday November 26, 2008 @04:35PM (#25902915)

        They also have to deal with various groups trying to stop them. As in TFA:

        "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

        So the spammers had to have thought about and planned for such a contingency.

        And still bring in enough money to pay for the connections they'll be using to control the zombies.

        The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.

        So while attempting to register the domain names, work was going on to update the zombie software.

        The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.

        Why isn't information such as that ever included in these articles?

    • by Marc Desrochers (606563) on Wednesday November 26, 2008 @04:31PM (#25902877)
      No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.
      • Re: (Score:3, Insightful)

        by owlnation (858981)

        Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

        You mean, "by not even trying to appear as though you give a shit about who you inconvenience".

        If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats re

    • by Brigadier (12956)

      no face of the mob perhaps,,,,

    • how efficiently the bad guys always work.

      Not really - we only ever hear about the efficient ones here. Head on over to Fark [fark.com] (or even Youtube:) to get some examples of bad guys working....inefficiently.

  • by pillowcase1 (878575) on Wednesday November 26, 2008 @04:18PM (#25902729) Homepage
    I know it's off topic, but my machine was running great for a couple of weeks... now it's all slow again.
  • by Anonymous Monkey (795756) on Wednesday November 26, 2008 @04:19PM (#25902737)
    I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.
    • There are more legitimate businesses than the ones selling snake oil to cure body aches, pains and ligament sprains. Why pick on them, poor sods.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

      And here I've been wasting my time trying to set up an organ chop shop in Hong Kong!

    • by Culture20 (968837)
      Except these guys didn't have a good backup plan. They had to get Spanish Telesoniara(sp?) to bring McColo's link back up and transfer Terabytes of data to .ru domains. Of course, I bet they do have a good backup plan now.
    • by umghhh (965931)

      to all that has been said about how efficient they work and how they do not have to deal with bureaucracy etc one must add motivation. They are motivated by direct profit and by the fact that if they screw up they are possibly in big trouble and I do not mean lack of bonus at the end of the year.

    • I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

      Are you implying that none of these guys have any backup procedures? Have you personally contacted all of these guys:

      connective-tissue.com
      Bones-to-bones
      Bones2bones.com
      JointsRus
      bone-glue.com
      Fibrous Tissue Cultures (FTC) Ltd.

      (Interesting aside: if you Google "ligament businesses" the first hit is a page called "Business Representation (Greek Ligament Service)". Those cl

  • by INeededALogin (771371) on Wednesday November 26, 2008 @04:28PM (#25902827) Journal
    ... and a Coke
  • Some Idiots (Score:5, Insightful)

    by Nom du Keyboard (633989) on Wednesday November 26, 2008 @04:28PM (#25902849)
    Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers really need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.
    • Re:Some Idiots (Score:4, Informative)

      by Detritus (11846) on Wednesday November 26, 2008 @04:36PM (#25902919) Homepage
      This was because the good guys stopped registering the dynamically generated domain names used by the botnet, allowing the bad guys to register some domain names and regain control.
    • Re:Some Idiots (Score:4, Insightful)

      by damn_registrars (1103043) <damn.registrars@gmail.com> on Wednesday November 26, 2008 @04:38PM (#25902941) Homepage Journal

      Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?

      I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.

      need to be talking to each other when they blacklist a site

      I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.

    • by Dunbal (464142)

      one rogue provider doesn't undermine the good efforts of all the rest.

      This sort of resilience was the whole point of the internet anyway. Of course, it was never supposed to be used for "Evil" (tm).

    • by gmuslera (3436)
      In fact, this is good news. Now the people behind McColo could be judged as at least responsible in part for the Srizbi botnet, and that could be read as hacking into millions of PCs. With a bit of luck, by the time they get out of jail the sun will be red.
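The Detritus reply above describes the race that decided this: the bot cycles through dynamically generated domain names until one resolves, and whoever registers the next names first owns the botnet. The defender-side view of that same behaviour is the burst of failed lookups for random-looking names from one client, which is visible in ordinary resolver logs. The following is an added example, not code from the page or from FireEye: a small detector that parses a constructed DNS query log (client, queried name, response code), scores each second-level label by Shannon entropy, and flags clients that produce several NXDOMAIN answers for high-entropy names. The log format, the sample hosts and names, and the thresholds `min_nxdomain` and `entropy_threshold` are all assumptions made for the illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real data). Format assumed here:
# "<client-ip> <queried-name> <rcode>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.5 www.example.org NOERROR
10.0.0.7 qkzxvhgtrpl.com NXDOMAIN
10.0.0.7 mzqwplvkjrt.net NXDOMAIN
10.0.0.7 xvtrqlpzmkw.com NXDOMAIN
10.0.0.7 hgtqzvxkrml.org NXDOMAIN
10.0.0.7 plzkvqxmtrw.com NOERROR
10.0.0.9 cdn.example.net NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    """Return the label just left of the TLD, e.g. 'example' for 'www.example.org'.
    (Assumes single-label TLDs; public-suffix handling is out of scope here.)"""
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Parse the assumed log format into (client, domain, rcode) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        client, domain, rcode = line.split()
        rows.append((client, domain.lower(), rcode.upper()))
    return rows


def find_dga_suspects(rows, min_nxdomain=3, entropy_threshold=3.0):
    """Flag clients that both (a) queried at least min_nxdomain high-entropy
    labels and (b) received at least min_nxdomain NXDOMAIN answers.

    Returns {client: {"nxdomain": n, "high_entropy": m, "resolved": [names]}}
    where "resolved" lists the high-entropy names that DID resolve, i.e. the
    names a defender would want to sinkhole or block first."""
    stats = defaultdict(lambda: {"nxdomain": 0, "high_entropy": 0, "resolved": []})
    for client, domain, rcode in rows:
        entry = stats[client]
        if shannon_entropy(second_level_label(domain)) >= entropy_threshold:
            entry["high_entropy"] += 1
            if rcode == "NOERROR":
                entry["resolved"].append(domain)
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    return {
        client: entry
        for client, entry in stats.items()
        if entry["nxdomain"] >= min_nxdomain and entry["high_entropy"] >= min_nxdomain
    }


if __name__ == "__main__":
    for client, entry in find_dga_suspects(parse_log(SAMPLE_LOG)).items():
        print(client, entry)
```

Entropy alone is a weak signal (CDN hostnames and hashed cache names are also high-entropy), which is why the detector requires the NXDOMAIN burst as well; the one name that resolved is the operationally useful output, since that is the registration a defender can report or sinkhole.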
  • OK now... (Score:5, Insightful)

    by damn_registrars (1103043) <damn.registrars@gmail.com> on Wednesday November 26, 2008 @04:30PM (#25902857) Homepage Journal
    Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.
    • Re: (Score:3, Insightful)

      by jon3k (691256)
      You mean operators of a massive botnet worth literally MILLIONS of dollars have a backup plan? SHOCKING!

      How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?
  • by confused one (671304) on Wednesday November 26, 2008 @04:30PM (#25902869)
    While the command and control was down, they missed the chance to take out the bots too.
    • by blair1q (305137)

      I was thinking about that.

      It would be neat if the bot writers included an uninstall command; then you could hijack the server domain, inject the command, and the network would vaporize itself.

      But of course they don't do that, and they probably know how to write code that isn't vulnerable to external exploits, so you have to go in through a trusted channel on each infected host. Which is what Microsoft's malware thing does.

      And they do that whether the command system is up or down.

      What Microsoft needs to do

      • by LackThereof (916566) on Wednesday November 26, 2008 @09:18PM (#25905327)

        Srizbi will, in fact, accept an uninstall command from a bogus C&C server.

        Lots of stuff about Srizbi [fireeye.com]

        In the course of investigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.

        • More technology isn't always the best way to solve a technological problem. All you really need is a modest bounty on the guys behind it it... say $10 Million for the bodies... errrr....ahhh... arrest, yeah that's it, the arrest... of the guy or guys running a botnet of any size. Cheap, efficient and for a little bit of irony it could be funded out of the Caymans.
  • Soft on terrorism (Score:4, Informative)

    by Animats (122034) on Wednesday November 26, 2008 @04:53PM (#25903085) Homepage

    So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004 [computerworld.com], fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist [dhs.gov]. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.

    The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." [fbi.gov] What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds. [wordpress.com]

    FBI testimony before Congress, 2001 [fbi.gov]: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which it must develop prevention, deterrence, and response capabilities."

    FBI testimony before Congress, 2004 [fbi.gov]: " In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."

    So where's the action?

    Heads need to roll at DHS and the FBI.

    • by blair1q (305137)

      They're busy watching Kazaa for pr0n doctors.

    • by dave420 (699308)
      The main reason is that it's not terrorism. Every time people misuse that word, when real terrorism happens, people don't care as much.
  • Once again we have proof of the value of a disaster recovery plan.

    I would have thought a money mill like that would use an Active/Active failover rather than a cold standby site, but I suppose they have to consider risks versus costs like anybody.

  • You could send an e-mail about command-and-control servers, to our Cyber Defence Center (Küberkaitse Keskus aka KKK) http://en.wikipedia.org/wiki/CCDCOE [wikipedia.org] Estonia is not a big country at all so i think these new servers would be taken down pretty quickly.
  • (H|Cr)ack attack (Score:4, Interesting)

    by Thaelon (250687) on Wednesday November 26, 2008 @05:19PM (#25903353)

    What I wonder is, why don't some of those white/grey/black hat hackers out there try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down. I'm sure it would be challenging and billions would approve.

    The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?

  • by The Master Control P (655590) <`moc.kcahsdren' `ta' `reveekje'> on Wednesday November 26, 2008 @05:20PM (#25903367)
    There is no possible way any ISP would reconnect someone like McColo out of ignorance: TeliaSonera was bribed.
  • Does anyone remember Blue Frog? That was actually *working*. Nothing before or since has been anything but a mosquito bite to spammers.

    There was an open source version, Okopipi, in the works for a very brief moment. I think the forum is probably full of weeds and spam now.

    • Re:Blue Frog? (Score:4, Interesting)

      by u38cg (607297) <calum@callingthetune.co.uk> on Wednesday November 26, 2008 @05:55PM (#25903733) Homepage
      The trouble was any kind of central point became a massive juicy target for them, and it would be just the same for an open source project. Bluefrog IIRC ended up just drowning in a tide of DDOSing. Kinda ironic, really :)

      As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it it up and have a good look at it to see how the heck it got through.

  • That explains why I got higher spam in my inboxes over the last two days. Ugh! :(

  • It's pretty obvious to me that it's trivially simple to watch one of these bots cycle through its algorithm, then when it gets a working server site, you trace to that site and find who's running it and cut their balls off as well as their network access. Then watch it happen again, and so on.

    That would be a lot smarter than paying tens of thousands of dollars for randomly-generated domain names.

    Why are spam-fighters so intent on doing the dumb thing instead of the right thing?

    • Re: (Score:3, Interesting)

      by kvezach (1199717)
      What they should have done was this: Cut the provider's proverbial balls off. Then snap up the next ten or twenty domains. Connect them all to a server that instructs the bots that get there to uninstall themselves. I can see why they didn't, though; they could have been liable for any unintended effects (computers crashing, whatever), which is why that step should ideally have been done by some anonymous or pseudonymous party.
  • I'm a non-(computer) geek.

    Can somebody explain to me how I can tell if my computer is infected by a bot?

    Is there something that will tell me what's running in the background, so I can identify a bot spewing out spam from my system?

    (Yes, I promise to learn linux.)

    • by erikina (1112587)
      There's a whole genre of software [wikipedia.org] for it. But prevention is the best cure. Use the security features of your OS. If you're letting people (especially kids) use your machine, get them their own VM (preferably XP) and full screen it. If you're planning on learning about Linux security, get yourself a copy of Fedora and play (and learn) SELinux.
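The question above ("how can I tell if my computer is infected by a bot ... spewing out spam") has a network-side answer as well as the antivirus one in the reply: a spam bot on a home PC makes a burst of outbound connections to port 25 on many different mail servers, which an ordinary desktop never does. The following is an added example, not from the page or from any product it mentions: it reads a constructed firewall/flow log (timestamp, source, destination, destination port, action), groups port-25 connections per source host, and reports any host that contacts at least `min_distinct_dsts` distinct SMTP servers inside a sliding window, skipping hosts listed as legitimate mail relays. The log format, the sample addresses, the window length and the threshold are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not from any real system). Format assumed here:
# "<ISO timestamp> <src-ip> <dst-ip> <dst-port> <action>", one flow per line.
SAMPLE_FLOWS = """\
2008-11-26T16:00:01 192.168.1.20 203.0.113.10 25 ALLOW
2008-11-26T16:00:02 192.168.1.20 203.0.113.11 25 ALLOW
2008-11-26T16:00:02 192.168.1.20 198.51.100.7 25 ALLOW
2008-11-26T16:00:03 192.168.1.20 203.0.113.12 25 ALLOW
2008-11-26T16:00:04 192.168.1.20 198.51.100.8 25 ALLOW
2008-11-26T16:00:05 192.168.1.20 203.0.113.13 25 ALLOW
2008-11-26T16:00:10 192.168.1.30 203.0.113.50 25 ALLOW
2008-11-26T16:00:11 192.168.1.30 203.0.113.50 25 ALLOW
2008-11-26T16:00:12 192.168.1.40 203.0.113.99 443 ALLOW
"""

SMTP_PORT = 25


def parse_flows(text):
    """Parse the assumed log format into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, action = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "action": action.upper(),
        })
    return flows


def find_spam_bots(flows, window=timedelta(minutes=5), min_distinct_dsts=5,
                   known_relays=()):
    """Return {src: peak_distinct_smtp_destinations} for hosts whose outbound
    port-25 fan-out inside any `window` reaches min_distinct_dsts.

    A real mail server also fans out on port 25, so hosts in known_relays
    (an allowlist the operator maintains) are skipped."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == SMTP_PORT and f["src"] not in known_relays:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Sliding window: for each flow as the window start, count distinct
        # destinations reached before the window closes.
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= min_distinct_dsts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, fanout in find_spam_bots(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {fanout} distinct SMTP servers within the window")
```

On a single machine the same idea can be checked by hand with the OS's connection listing (`netstat`/`ss` on Linux, `netstat -b` on Windows) and looking for a process holding many connections to remote port 25; the script version is what an ISP or a home router with flow logging would run across many hosts.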
  • Update (Score:5, Informative)

    by LackThereof (916566) on Wednesday November 26, 2008 @09:53PM (#25905521)

    The Estonia based Command and Control servers have been kicked offline.

    Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.

    This is not the server that's hard-coded in to the new Srizbi patch, just one of the backup servers supplying it.

    source [fireeye.com]

  • by PPH (736903) on Wednesday November 26, 2008 @10:37PM (#25905747)
    ...the one remaining 4800 baud link between Estonia and the rest of the world was taken down earlier today when IT technicians took control of the phone line to order a pizza.
