Massive Botnet Returns From the Dead To Spam On 205
CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
Zombies!!!!! (Score:5, Funny)
Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.
As Ash said in the Army of Darkness flick... (Score:2)
"It took Linda('s e-mail box.) Then it came after (my e-mail box,) it got into my (windows box) and it (turned zombie,) so (we got McColo shut down.) But that didn't stop it, it came back big time."
Re:Random crashes (Score:2, Funny)
They're not random, dammit! They always occur where the real part is a half, well, the non-trivial crashes anyway.
Re: (Score:2)
The random crashes will occur until you install Linux. You see, Linux is the fix for the random crashing!
</tongue-in-cheek>
Random or crashing? (Score:3, Funny)
Which part of "random crashing" is alleviated by Linux? The "random" or the "crashing"?
Re: (Score:2)
Some days, I think you get to pick one.
But that's only sometimes.
Truth be told, the only problems I've ever had were directly my fault, and what I was doing was usually highly unusual or warned against.
Further Proof (Score:5, Insightful)
Re: (Score:2, Funny)
Re:Further Proof (Score:5, Funny)
It's nice to see that somebody's IT department has the funding and expertise to implement a backup plan.
It gives me hope.
Re: (Score:2)
Or get into politics.
Re:Further Proof (Score:5, Insightful)
the alg it uses to get domain names
Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?
And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.
On top of that, how many languages would you want to sell antivirus software in?
Re: (Score:2, Informative)
Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?
RTFA. The bots are generating domain names which they then attempt to contact in order to re-connect with botnet control.
It's very clever, really. The algorithm can generate a near-endless list of domain names, and all the botnet owners have to do is register one of them and set it up to respond to the bots.
On the other hand, in order to block this attempt by the bots to re-connect with the botnet owner, you have to pre-emptively register ALL domains which the algorithm generates. So in the long run, it'
Re: (Score:3, Interesting)
You misunderstand.
Srizbi has an algorithm to generate a pseudo-random domain name from the current date, and looks to that domain for command & control instructions.
The author of the bot has the same algorithm, and can calculate the domain names days and weeks out. Thus, if their c&c server is knocked off the internet, the bot herder just has to register a few domain names that Srizbi will be looking to in the near future.
This has nothing to do with the domain names of the bots themselves, or of the
Re: (Score:2)
So if we used that algorithm ourselves and just started querying a seedy registrar for these domain names, they'd squat them all in advance. Then we could query some of the other seedy registrars, who would check with the first domain squatter, who would then jack up his prices so high the botherders couldn't afford them anymore.
Sounds like killing two birds with one stone, if you ask me.
Re: (Score:2)
Why can't someone honeypot a bot, move the system time forward and intercept NTP queries, and watch the traffic to see what DNS queries it generates?
[Sorry for the bad grammar, grammar nazis need not reply]
Re: (Score:3, Insightful)
Why can't someone honeypot a bot, move the system time forward and intercept NTP queries, and watch the traffic to see what DNS queries it generates?
Actually, they managed to do better than that: they reverse-engineered the algorithm, and didn't even need to VM a bot.
However, where the plan failed was not in guessing the domain names, but in coming up with enough money to preemptively register them...
Re:Further Proof (Score:5, Insightful)
Re:Further Proof (Score:5, Informative)
Re:Further Proof (Score:5, Informative)
A little windows trickery:
Right click on internet explorer and click "Run As" run it as admin.
type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Worth mentioning, sudo is essentially UAC, only somewhat less annoying. But it's still a broken model.
One thing a lot of Unix daemons get right is, one user per task. Basic, stupidly simple security model -- nothing should have more access than it needs to do its job. Server systems still handle this reasonably well -- small things as root, only where needed. Take Apache -- it's root mostly just to bind port 80; everything else is www-data.
Things like this completely go away with modern desktops. The only t
Going back in time ... (Score:5, Interesting)
"the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"
I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks it means in the year 2008.
Hilarity ensues.
Re:Going back in time ... (Score:5, Funny)
Never fails - I never have mod points when I see posts worthy of them.
Re: (Score:2)
Okay, maybe I'm a bit slow, but someone's going to have to explain the joke in that post. +4 Funny? Seriously?
Re:Going back in time ... (Score:5, Funny)
I don't know what he'd draw, but I know it'd be covered in chrome. :)
Re:Going back in time ... (Score:5, Funny)
I guess it would be a giant, dilapidated 50's-style robot vomiting a stream of cans of spam onto crowds of innocent people.
Re: (Score:2)
"the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"
I'd love to go back to the '50s, find one of those future-drawing artists, show him that headline, and ask him to draw what he thinks it means in the year 2008.
Hell, just go back to the 60's and hand it to Mr. Crumb. I'm sure it would be filthy and funny by turns.
Re: (Score:2)
They stopped them once. (Score:5, Insightful)
The sooner the better. My good:spam ratio is almost 5:95 at the moment.
Re:They stopped them once. (Score:5, Funny)
Re:They stopped them once. (Score:4, Interesting)
Re: (Score:2)
My brain refuses to simplify, reduce, or factor. I don't know why, nothing else really gives me the trouble.
Re: (Score:2, Funny)
Re:They stopped them once. (Score:4, Interesting)
If that were true, then that might be a good argument to upgrade...
Re: (Score:2)
Re: (Score:3, Informative)
I read that they had. The servers in Estonia were shut down quickly, but one was left up in Germany.
http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/ [theregister.co.uk]
Re:What intrigues me... (Score:5, Funny)
Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.
Not really. (Score:5, Informative)
They also have to deal with various groups trying to stop them. As in TFA:
So the spammers had to have thought about and planned for such a contingency.
And still bring in enough money to pay for the connections they'll be using to control the zombies.
So while attempting to register the domain names, work was going on to update the zombie software.
The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.
Why isn't information such as that ever included in these articles?
Re: (Score:3, Interesting)
Yeah, but do you really need to block the whole country?
The bots obviously need to find their home. Most likely this is via either a hard-coded IP, or a DNS lookup. So, just publish whichever one it is and then everybody can blackhole either the DNS entry or the IP address. If the major ISPs do that the bot dies.
Now, if the bot uses IRC or something like that, it could get trickier, since blocking that at the protocol level (short of killing an entire IRC network) isn't possible. However, the IRC network
Re:What intrigues me... (Score:5, Insightful)
Re: (Score:3, Insightful)
You mean, "by not even trying to appear as though you give a shit about who you inconvenience".
If you've tried to contact Customer Support of any corporation (especially any outsourced CS) you know that that company really only pays lip service to the concept. Most corporations only provide just enough CS to be able to show that (massaged) stats re
Re: (Score:2)
No face of the mob, perhaps...
Sample bias (Score:2, Insightful)
how efficiently the bad guys always work.
Not really - we only ever hear about the efficient ones here. Head on over to Fark [fark.com] (or even YouTube :) to get some examples of bad guys working... inefficiently.
Thats strange... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
We don't need no stinking backups... (Score:5, Insightful)
Businesses (Score:2)
Re: (Score:2, Funny)
I have worked in more than a few offices that have no backup plans for when things go wrong; power outages, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals is running a more flexible and 'professional' operation than many ligament businesses.
And here I've been wasting my time trying to set up an organ chop shop in Hong Kong!
Re: (Score:2)
Re:We don't need no stinking backups... (Score:4, Interesting)
Swedish TeliaSonera and it wasn't done directly, they purchased the link through a third party and made sure it was activated just as the weekend started (probably hoping that no one would shut it down before the weekend was over).
/Mikael
Re: (Score:2)
To all that has been said about how efficiently they work and how they do not have to deal with bureaucracy etc., one must add motivation. They are motivated by direct profit and by the fact that if they screw up they are possibly in big trouble, and I do not mean lack of a bonus at the end of the year.
Re: (Score:2)
Are you implying that none of these guys have any backup procedures? Have you personally contacted all of these guys:
connective-tissue.com
Bones-to-bones
Bones2bones.com
JointsRus
bone-glue.com
Fibrous Tissue Cultures (FTC) Ltd.
(Interesting aside: if you Google "ligament businesses" the first hit is a page called "Business Representation (Greek Ligament Service)". Those cl
Re:We don't need no stinking backups... (Score:4, Funny)
Re: (Score:2, Funny)
AAHHAAAHH!!! My ham string!!! Make the burning stop!!!
Did you mean: Spam string?
Re: (Score:2)
Did you mean: Spam string?
OK, how about "AAHHAAHH!!! My spam string!!! Make the flaming stop!!!"
A McColo with Fries (Score:5, Funny)
Some Idiots (Score:5, Insightful)
Re:Some Idiots (Score:4, Informative)
Re:Some Idiots (Score:4, Insightful)
Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?
I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.
need to be talking to each other when they blacklist a site
I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.
Re: (Score:2)
one rogue provider doesn't undermine the good efforts of all the rest.
This sort of resilience was the whole point of the internet anyway. Of course, it was never supposed to be used for "Evil" (tm).
Re: (Score:2)
OK now... (Score:5, Insightful)
Re: (Score:3, Insightful)
How is this surprising to anyone? Do you not understand this is a business, illegal or otherwise? Do you not think cocaine smugglers have backup plans too?
They missed the chance (Score:4, Insightful)
Re: (Score:2)
I was thinking about that.
It would be neat if the bot writers included an uninstall command; then you could hijack the server domain, inject the command, and the network would vaporize itself.
But of course they don't do that, and they probably know how to write code that isn't vulnerable to external exploits, so you have to go in through a trusted channel on each infected host. Which is what Microsoft's malware thing does.
And they do that whether the command system is up or down.
What Microsoft needs to do
Re:They missed the chance (Score:5, Informative)
Srizbi will, in fact, accept an uninstall command from a bogus C&C server.
Lots of stuff about Srizbi [fireeye.com]
In the course of investigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.
Re: (Score:2)
Wish my employer took catastrophe planning this (Score:2)
seriously... :-(
Soft on terrorism (Score:4, Informative)
So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004 [computerworld.com], fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist [dhs.gov]. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.
The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." [fbi.gov] What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds. [wordpress.com]
FBI testimony before Congress, 2001 [fbi.gov]: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which it must develop prevention, deterrence, and response capabilities."
FBI testimony before Congress, 2004 [fbi.gov]: " In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."
So where's the action?
Heads need to roll at DHS and the FBI.
Re: (Score:2)
They're busy watching Kazaa for pr0n doctors.
Re: (Score:2)
Re: (Score:3, Interesting)
Tens of millions of American computers are under the direct control of hostile foreign interests. At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building [cnn.com], which got the FBI's full attention.
Re: (Score:2, Interesting)
Or simply killing all those whose machines are infected? And if you think that any of those is acceptable then you surely won't have any objection if/when other nations start behaving that way in your country, will you? I know where most of my spam originates.
I have no problem with the infected machines being killed off, regardless of where the attacker that killed the machine is located or who the attacker is. Just leave some indication of why the machine was killed so I can point to it when charging the customer for re-installing their OS and recovering whatever of their files that you are kind enough to leave for them. A nice little README.txt file explaining "Your machine was a spam spewing zombie in the <botnet name> botnet." will be sufficient.
Disaster Recovery (Score:2)
Once again we have proof of the value of a disaster recovery plan.
I would have thought a money mill like that would use an Active/Active failover rather than a cold standby site, but I suppose they have to consider risks versus costs like anybody.
how come you say for sure they're in Estonia? (Score:2, Interesting)
(H|Cr)ack attack (Score:4, Interesting)
What I wonder is, why don't some of those white/grey/black hat hackers out there try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down? I'm sure it would be challenging and billions would approve.
The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?
Re: (Score:3, Interesting)
Money was involved... (Score:3, Informative)
Re: (Score:3, Insightful)
Re:Money was involved... (Score:5, Informative)
Blue Frog? (Score:2)
Does anyone remember Blue Frog? That was actually [i]working[/i]. Nothing before or since has been anything but a mosquito bite to spammers.
There was an open source version, Okopipi, in the works for a very brief moment. I think the forum is probably full of weeds and spam now.
Re:Blue Frog? (Score:4, Interesting)
As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it up and have a good look at it to see how the heck it got through.
Re: (Score:2)
The problem with Blue Frog was that, while it did work, it leeched other people's bandwidth to perform DDoS with.
You're wrong.
The Blue Frog client submitted one complaint report for each relevant spam that client's machine received. If you didn't receive that spam and forward it to Blue Frog, your box wouldn't send out anything. Likewise, no one else's box would send out complaints for spam that you received.
Some could describe it as a DDoS, but Blue Frog actually throttled itself to keep from knocking people off the internet. Complaints were sent out gradually over a couple of days, rather than having all the clien
No wonder! (Score:2)
That explains why I got more spam in my inboxes over the last two days. Ugh! :(
Why is this still going on? (Score:2, Interesting)
It's pretty obvious to me that it's trivially simple to watch one of these bots cycle through its algorithm, then when it gets a working server site, you trace to that site and find who's running it and cut their balls off as well as their network access. Then watch it happen again, and so on.
That would be a lot smarter than paying tens of thousands of dollars for randomly-generated domain names.
Why are spam-fighters so intent on doing the dumb thing instead of the right thing?
Re: (Score:3, Interesting)
Stupid question (Score:2)
I'm a non-(computer) geek.
Can somebody explain to me how I can tell if my computer is infected by a bot?
Is there something that will tell me what's running in the background, so I can identify a bot spewing out spam from my system?
(Yes, I promise to learn linux.)
Re: (Score:2)
Update (Score:5, Informative)
The Estonia based Command and Control servers have been kicked offline.
Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.
This is not the server that's hard-coded in to the new Srizbi patch, just one of the backup servers supplying it.
source [fireeye.com]
In related news ... (Score:5, Funny)
Re: (Score:2)
This is organized crime after all.
Re:Aim for the head ... (Score:5, Funny)
You don't have much experience battling hydras, do you?
Re: (Score:2)
No, but I hear a wall of Fire can be helpful.
Re: (Score:2, Funny)
Nice troll.
I think it might be more accurate to say if only they had a strategy.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I always had ~1200 mails in my gmail spam folder (i.e. spam received in the last 30 days).
(Until today, at least,) it has been shrinking in the last two weeks, and has (atm) 950 mails... I'll let the party begin again, and see if this number goes up again.
Write back when it has over 8100 in it (since Sun, Oct 19, 2008). The price of having the same email address for over 12 years: average of roughly 9 messages per hour that land in the spam folder. Short term average (just today) is about the same... 9 to 10 per hour.
If we had somehow guessed the onslaught of junk email we'd have to endure back then, mailing lists and the like would have been set up differently.
Marc
Re: (Score:3, Interesting)
Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server).
Technical Details of Srizbi's domain generation algorithm [fireeye.com]
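The date-seeded rendezvous scheme described in this reply and in the "You misunderstand" comment above, shown from the defender's side as an added example (this is not Srizbi's real algorithm or FireEye's code). The generator below is a constructed stand-in with the one property the thread relies on: every bot derives the same domains from the calendar date alone, so a defender who has the algorithm can pre-compute the next days' domains for a sinkhole or DNS blocklist, and flag internal hosts that query them. SEED, the TLD list and the log format are assumptions.

```python
import datetime as dt
import hashlib

# Constructed stand-in for a date-seeded domain generator. It is NOT Srizbi's
# real algorithm; it only reproduces the property the thread describes: every
# bot derives the same rendezvous domain from the calendar date alone.
SEED = b"hypothetical-family-seed"      # assumption: a per-family constant
TLDS = ("com", "net")                   # assumption: candidate TLDs


def dga_domains(day: dt.date, per_day: int = 2) -> list[str]:
    """Return the candidate C&C domains a bot would try on `day`."""
    domains = []
    for i in range(per_day):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def upcoming_domains(start: dt.date, days: int) -> dict[str, dt.date]:
    """Defender-side pre-computation: map each future domain to the day it
    becomes live, so it can be sinkholed or blocklisted before the herder
    registers it (the approach the thread says researchers attempted)."""
    table = {}
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        for domain in dga_domains(day):
            table[domain] = day
    return table


def parse_dns_log(line: str):
    """Parse a constructed log line: '<iso-time> <client-ip> A <qname>'."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "A":
        return None
    return parts[1], parts[3].rstrip(".").lower()


def flag_dns_queries(log_lines, watchlist):
    """Return (client_ip, domain, live_date) for every query that hits a
    pre-computed DGA domain; those clients are infection candidates."""
    hits = []
    for line in log_lines:
        parsed = parse_dns_log(line)
        if parsed is None:
            continue
        client, qname = parsed
        if qname in watchlist:
            hits.append((client, qname, watchlist[qname]))
    return hits


if __name__ == "__main__":
    today = dt.date(2008, 11, 26)
    watch = upcoming_domains(today, 14)
    # Constructed sample log: one benign query, one DGA rendezvous attempt.
    sample = [
        "2008-11-26T10:00:01 10.0.0.7 A www.example.org.",
        f"2008-11-26T10:00:02 10.0.0.5 A {dga_domains(today)[0]}.",
    ]
    for client, domain, live in flag_dns_queries(sample, watch):
        print(f"{client} queried DGA domain {domain} (live {live})")
```

The same watchlist doubles as the list of names to hand to a registrar or resolver operator; the thread's point that pre-registering them costs money is why the DNS-log match is the cheaper half to deploy.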