Estonian ISP cuts off control servers for Srizbi botnet
An Estonian ISP that temporarily hosted the command-and-control servers for the Srizbi botnet, responsible for a large portion of the world's spam, has cut off those servers, according to computer security analysts.
Starline Web Services, based in Estonia's capital Tallinn, had hosted four domain names identified as the control points for Srizbi, according to researchers from computer security firm FireEye.
Hundreds of thousands of PCs around the world infected with Srizbi, a difficult-to-remove rootkit that is used for sending spam, were programmed to seek new instructions from servers in those domains.
Srizbi is considered one of the more powerful botnets, with at least 450,000 PCs infected. It is estimated that half of the world's spam originated from computers infected with Srizbi. Spam remains a profitable business for cybercriminals.
But spammers lost control of Srizbi when the ISP that previously hosted its command-and-control servers was cut off from the Internet. McColo, whose servers are based in San Jose, California, was cut off by its upstream providers earlier this month after being exposed by computer security experts and the Washington Post.
That left spammers unable to control Srizbi-infected computers. But Srizbi's code contained a fallback mechanism where spammers could reconnect with the stranded machines if such a scenario occurred.
An algorithm within Srizbi would periodically generate new domain names where the malware would look for new instructions if those domains were live on the Internet. Armed with that same algorithm, the spammers had only to register the appropriate domain names and point them to their servers.
The spammers, however, needed a new ISP to host those servers, at least for a while. They found Starline Web Services, a very small ISP, but that provider has since also cut them off.
"I was satisfied that those sites were closed down," said Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team (CERT), on Thursday.
Attempts to contact Starline Web Services were unsuccessful. But Aarelaid said CERT has been in contact with the company, and it does appear to be responsive to complaints about abuse.
Starline Web Services buys its connectivity from Compic, another Estonian company. Compic has been flagged by Estonia's CERT as having Web sites hosting malicious software, said Tarmo Randel, an information security expert at the organization.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
