November 18, 2008, 4:47 PM — The shutdown last week of a U.S.-based Web hosting company crippled more than 500,000 bots, or compromised computers, which no longer are able to receive commands from criminals, a security researcher said Tuesday.
Although the infected PCs are still operational, the previously-planted malware that tells them what to do cannot receive instructions because of the shutdown last week of McColo Corp.
"Half a million bots are either offline or not communicating" with their command-and-control servers, estimated Joe Stewart, director of malware research at SecureWorks Inc.
The California firm was disconnected from the Internet by its upstream service providers at the urging of researchers who believed the company's servers hosted a staggering amount of cybercriminal activity, including the command-and-control servers of some of the planet's biggest botnets. Those collections of infected PCs were responsible for as much as 75% of the spam sent worldwide; when McColo went dark, spam volumes dropped by more than 40% in a matter of hours.
The McColo takedown resulted in a record number of bots being severed from their hacker controllers by any single event, Stewart said. He compared it to last September, when Microsoft 's anti-malware utility, the Malicious Software Removal Tool (MSRT), purged nearly 300,000 infected PCs of the infamous Storm Trojan.
"That had a good impact, but it didn't stop the flow of spam globally," Stewart said of the MSRT takedown. "It didn't make a difference to other botnets that were still spamming away."
Knocking McColo offline, on the other hand, disrupted at least two major botnets -- "Rustock" and "Srizbi" -- said Stewart, and caused spam to plummet around the globe.
Stewart, a leading authority on botnets, estimated the strength of the top 11 botnets last April. Srizbi, at 315,000 bots, was No. 1 in his census, while Rustock, at 150,000, was in the No. 3 spot.
Rustock's handlers, said Stewart, may never recover control of their bots. "It does look like they're lost to them," he said, noting that those bots lack a failsafe for reconnecting with a command-and-control server if it does dark, as happened when McColo's plug was pulled.
But while Rustock's bots may be orphaned, there's a chance the Srizbi's bots can be brought back under control. "When Srizbi bots can't connect, as a backup they're coded to try other domain names," to search for new command-and-control servers, said Stewart. Those domains, however, were recently registered, perhaps pre-emptively by a security researcher who had rooted through the Srizbi code.
"They're not receiving new instructions," Stewart said. That would indicate that a third-party -- someone who didn't have the Srizbi source code, and thus a way to figure out the protocols for sending new orders to the disconnected bots -- may have snatched up the domain names.
It may be the case, though, that Srizbi's creators thought of that, and that any fall-back domain names are not hard-coded into the bot but are generated using an algorithm of some sort. "If Srizbi is programming intelligently enough so it not only says, 'I'm going to try some new domain names,' but also 'if that new server is not sending valid data, then generate another domain name,' maybe they can be recovered," Stewart speculated.
Also helping Srizbi in the wake of the takedown, Stewart added, is that it used a more compartmentalized structure -- it's essentially a collection of smaller botnets that at some levels are shared -- which in turn meant that not all its command-and-control servers were hosted by McColo.
And not all botnets have been affected equally, Stewart said. "Bobax and Cutwail, they're still spamming," he said. In his April estimate, Bobax was No. 2 out of the 11 botnets, accounting for approximately 185,000 PCs, while Cutwail was No. 4, with 125,000 bots.
Worse, even if the Rustock and Srizbi bots have been permanently cut off from their criminal overlords, it doesn't mean the end of those botnets. It's all too easy for criminals to buy compromised computers from others, or simply seed their malware in a major campaign to infect new systems.
"I'm sure they'll be back," said Stewart.
