[Infowarrior] - Massive botnet returns from the dead

Richard Forno rforno at infowarrior.org
Thu Nov 27 00:02:23 UTC 2008 

Massive botnet returns from the dead, starts spamming
Criminals regain control after security firm stops preemptively  
registering routing domains
Gregg Keizer
  http://www.computerworld.com/action/article.do? 
command=viewArticleBasic&articleId=9121678

November 26, 2008 (Computerworld) A big spam-spewing botnet shut down  
two weeks ago has been resurrected, security researchers said today,  
and is again under the control of criminals.

The "Srizbi" botnet returned from the dead late Tuesday, said Fengmin  
Gong, chief security content officer at FireEye Inc., when the  
infected PCs were able to successfully reconnect with new command-and- 
control servers, which are now based in Estonia.

Srizbi was knocked out more than two weeks ago when McColo Corp., a  
hosting company that had been accused of harboring a wide range of  
criminal activities, was yanked off the Internet by its upstream  
service providers. With McColo down, PCs infected with Srizbi and  
other bot Trojan horses were unable to communicate with their command  
servers, which had been hosted by McColo. As a result, spam levels  
dropped precipitously.

But as other researchers noted last week, Srizbi had a fallback  
strategy. In the end, that strategy paid off for the criminals who  
control the botnet.

According to Gong, when Srizbi bots were unable to connect with the  
command-and-control servers hosted by McColo, they tried to connect  
with new servers via domains that were generated on the fly by an  
internal algorithm. FireEye reverse-engineered Srizbi, rooted out  
that algorithm and used it to predict, then preemptively register,  
several hundred of the possible routing domains.

The domain names, said Gong, were generated on a three-day cycle, and  
for a while, FireEye was able to keep up -- and effectively block  
Srizbi's handlers from regaining control.

"We have registered a couple hundred domains," Gong said, "but we  
made the decision that we cannot afford to spend so much money to  
keep registering so many [domain] names."

Once FireEye stopped preempting Srizbi's makers, the latter swooped  
in and registered the five domains in the next cycle. Those domains,  
in turn, pointed Srizbi bots to the new command-and-control servers,  
which then immediately updated the infected machines to a new version  
of the malware.

"Once each bot was updated, the next command was to send spam," said  
Gong, who noted that the first campaign used a template targeting  
Russian speakers.

The updated Srizbi includes hard-coded references to the Estonian  
command-and-control servers, but Gong was unaware of any current  
attempt to convince the firm now hosting those servers to yank them  
off the Web.

In the meantime, FireEye is working with several other companies --  
including VeriSign Inc., Microsoft Corp. and Network Solutions Inc.,  
a domain registrar -- on ways to reach the more than 100,000 users  
whose PCs FireEye has identified as infected with Srizbi.

Discussions about how to best handle any future McColo-Srizbi  
situation are also ongoing, Gong said. "We're trying to find a  
solution, and talking about ideas of how they can help fund efforts  
for some period of time to [preemptively] register domains," he said.

"Right now, though, we have this window of opportunity to help clean  
all those [100,000] machines," Gong said. "Registering those domains  
was just a way to buy us time. We have to reach those machines to  
clean them up."

Although some message security companies said yesterday that spam  
volumes had climbed back from post-McColo troughs, Gong was hesitant  
to finger Srizbi's return as the reason. "Srizbi may have  
contributed," he said, "but Rustock is also back."

Rustock, another botnet whose command-and-control servers were hosted  
by McColo, was partially restored when a Swedish Internet provider  
briefly stepped in 11 days ago to reconnect McColo to the Web. Even  
though McColo's connection was quickly severed by TeliaSonera after  
it received complaints, Rustock's controllers had enough time to  
instruct some of the bots to look to a Russian-hosted server for  
commands.

More information about the Infowarrior mailing list