Spammers regaining control over Srizbi botnet

by Jeremy Kirk
Be the first to comment | 15I like it!
Tags: botnet, spam
More »
on this topic
November 26, 2008, 09:38 AM —  IDG News Service — 

The zombie computers used to send spam are coming back to life.

Security vendors say spammers are reconnecting with hacked PCs used for sending spam as evidenced by a rising number of spam messages circulating on the Internet the last few days. Spam levels suddenly dropped two weeks ago after the shutdown of McColo, a rogue ISP (Internet Service Provider) based in San Jose, California, whose connectivity was used to control networks of hundreds of thousands of computers to send spam, known as botnets.

Computers that are part of the Srizbi botnet -- which by some estimates sent nearly half of the world's spam -- are apparently becoming active again, according to researchers from FireEye.

"Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary," according to a blog post on Tuesday by Atif Mushtaq and Alex Lanstein of FireEye. "The worldwide update began just a few hours ago."

Srizbi's computers were controlled by spammers through McColo's network. When McColo was shut down, those computers tried to call back and get new instructions to send spam. But the botnet operators are clever and created a way to get those machines back if they were stranded.

FireEye researchers essentially did an autopsy on Srizbi's code. They found that the hackers put in an algorithm that dynamically generates a domain name from which a compromised computer could fetch new instructions.

The hackers could then register that domain name and put instructions there to tell the compromised PC to go to a different command-and-control server -- not McColo's -- for new instructions.

Since FireEye figured out how the algorithm worked, the company registered the gibberish domain names, such as "auaopagr.com," that algorithm generated. When those machines reported for duty, there were no instructions. But FireEye couldn't keep preempting the spammers forever by buying domain names.

Now the compromised computers are connecting to domain names registered by the spammers and getting updated code, including templates for new spam campaigns. The new command-and-control servers are in Estonia and the domain names are being bought from a registrar in Russia, FireEye said.

Srizbi at one time amounted to more than 450,000 PCs, and it remains to be seen how many of those machines have updated code. But three other botnets that were controlled via McColo -- Rustock, Cutwail and Asprox -- all appear to also be coming back online.

Dmitry Samosseiko of computer security vendor Sophos wrote on Wednesday that spam levels suddenly surged earlier this week, due in part to the resurgence of the Rustock botnet.

McColo's connectivity was briefly restored by mistake by TeliaSonora, and the precious few hours online allowed spammers to tell computers infected with Rustock where to go for new instructions.

Antispam vendor MessagLabs, which was recently acquired by Symantec, hasn't noted a rise in spam associated with Srizbi, said Paul Wood, senior analyst based in their U.K. offices.

Wood said MessageLabs analyzes spam that ends up in the inboxes of its 8 million users and it may be that Srizbi is either not up to speed yet or changed how it targets people.

But MessageLabs has noticed an uptick in spam coming from Rustock, Cutwail and Asprox, which would indicate those botnets are picking up Srizbi's slack.

"Like any sort of business if your courier goes down or goes on strike, you find an alternative provider," Wood said.

Still, spam levels are around 40 percent of what they were before McColo went down, Wood said.

IDG News Service

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!

The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace