Massive Botnet Returns From the Dead To Spam On

CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."

Further Proof

[MaxwellEdison]

Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.

Re:Further Proof

[damn_registrars]

the alg it uses to get domain names

Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.

On top of that, how many languages would you want to sell antivirus software in?

Re:Further Proof

[julian67]

Actually there isn't money to be made this way because all those unhappy customers demanding refunds will be expensive. The idea that you can clean an infected Windows PC by installing product A or B or C is mistaken. The whole idea that security is a boxed product or is available by clicking an .exe/.msi installer is bogus. Assuming that the malware on these infected computers is even known to the AV companies (and that's no longer a reasonable assumption in most cases) then the only way to actually remove it effectively is by running the AV tools from read only media, i.e. a live CD. Well designed malware will simply disallow the installation/use/updating of common AV software. The malware authors are streets ahead of the "security" vendors. The AV products installed on a clean machine can't even prevent many of these problems let alone cure them. Most Windows users would be better advised to save their pennies and re-install from original media, always be patched and up to date (applications as well as OS), run as unprivileged user with strong passwords on all accounts and browse only with Firefox + privoxy + noscript + adblock. That isn't perfect but it's zero financial cost and way more effective than anything Symantec, McAfee etc can offer. Unfortunately running Windows with an unprivileged account is as convenient as toothache.

They stopped them once.

[Finallyjoined!!!]

Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.

The sooner the better. My good:spam ratio is almost 5:95 at the moment :-(

What intriques me...

[powerslave12r]

..most is how efficiently the bad guys always work. Its just astounding.

Re:What intriques me...

[Marc+Desrochers]

No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

We don't need no stinking backups...

[Anonymous+Monkey]

I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

Some Idiots

[Nom+du+Keyboard]

Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers reall need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.

Re:Some Idiots

[damn_registrars]

Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?

I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.

need to be talking to each other when they blacklist a site

I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.

OK now...

[damn_registrars]

Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.

They missed the chance

[confused+one]

While the command and control was down, they missed the chance to take out the bots too.