Slashdot Mirror
Massive Botnet Returns From the Dead To Spam On
CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."
Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.
These posts express my own personal views, not those of my employer
Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.
-=Bang Bang=-
"the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"
I'd love to go back in the '50s, find one of those future drawing artists, show him that head news, and ask him to draw what he think that means in the year 2008.
Hilarity ensue.
Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.
:-(
The sooner the better. My good:spam ratio is almost 5:95 at the moment
If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
..most is how efficiently the bad guys always work. Its just astounding.
Real men read Slashdot articles at -1, bottom up.
I know it's off topic, but my machine was running great for a couple weeks... now its all slow again.
I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.
We are the Borg...
...they had a BotNet-Buster-Buster (tm)(c)
There are more legitimate businesses than the ones selling snake oil to cure body aches, pains and ligament sprains. Why pick on them, poor sods.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
They're not random dammit! they always occur where the real part is a half, well the non-trivial crashes anyway.
IranAir Flight 655 never forget!
... and a Coke
Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers reall need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
While the command and control was down, they missed the chance to take out the bots too.
This is organized crime after all.
They also have to deal with various groups trying to stop them. As in TFA:
So the spammers had to have thought about and planned for such a contingency.
And still bring in enough money to pay for the connections they'll be using to control the zombies.
So while attempting to register the domain names, work was going on to update the zombie software.
The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.
Why isn't information such as that ever included in these articles?
seriously... :-(
"Not an actor, but he plays one on TV."
how efficiently the bad guys always work.
Not really - we only ever hear about the efficient ones here. Head on over to Fark (or even Youtube:) to get some examples of bad guys working....inefficiently.
Last post!
You don't have much experience battling hydras, do you?
Nice troll.
I think it might be more accurate to say if only they had a strategy.
Nerd rage is the funniest rage.
So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004, fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.
The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds.
FBI testimony before Congress, 2001: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which its must develop prevention, deterrence, and response capabilities."
FBI testimony before Congress, 2004: " In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."
So where's the action?
Heads need to roll at DHS and the FBI.
I always had ~1200 mails in my gmail spam folder (ie: spam received in the last 30 days)
(until today, at least,) it has been shrinking in the last two weeks, and has (atm) 950 mail... I'll let the party begin again, and see if this number goes up again.
!sig
Once again we have proof of the value of a disaster recovery plan.
I would have thought a money mill like that would use an Active/Active failover rather than a cold standby site, but I suppose they have to consider risks versus costs like anybody.
XeoMage
The random crashes will occur until you install Linux. You see, Linux is the fix for the random crashing!
</tongue-in-cheek>
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
According to Gong, when Srizbi bots were unable to connect with the command-and-control servers hosted by McColo, they tried to connect with new servers via domains that were generated on the fly by an internal algorithm. FireEye reverse-engineered Srizbi, rooted out that algorithm and used it to predict, then preemptively register, several hundred of the possible routing domains.
"We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."
Once FireEye stopped preempting Srizbi's makers, the latter swooped in and registered the five domains in the next cycle.
I would have donated to this cause, as I imagine would have many others. It's a shame that we're finding out about it just now.
You could send an e-mail about command-and-control servers, to our Cyber Defence Center (Küberkaitse Keskus aka KKK) http://en.wikipedia.org/wiki/CCDCOE Estonia is not a big country at all so i think these new servers would be taken down pretty quickly.
I am sure de does, much like the criminals who control the botnet had a fallback strategy to help them, not the public.
Spelling and Grammar errors have been added to this post for your enjoyment
What I wonder is, why don't some of those white/grey/black hat hackers out there don't try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down. I'm sure it would be challenging and billions would approve.
The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?
Question everything
There is no possible way any ISP would reconnect someone like McColo out of ignorance: TeliaSonera was bribed.
Does anyone remember Blue Frog? That was actually [i]working[/i]. Nothing before or since has been anything but a mosquito bite to spammers.
There was an open source version, Okopipi, in the works for a very brief moment. I think the forum is probably full of weeds and spam now.
Web 2.0 == Giant Blogspam Circle Jerk
do zombies cause a panic in linux?
hehe
you mean 1:19
I detect a conspiracy here. I know you are really just typing 911 in reverse.
Reply to That ||
No, but I hear a wall of Fire can be helpful.
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
They should have used the domains to take over the botnet. If they know how it works, why not use the system to shut it down?!
Tens of millions of American computers are under the direct control of hostile foreign interests. At any moment, they can be ordered to do anything by those interests, including erasing files, sending financial information, or attacking infrastructure sites. That's a much bigger threat than some guys mouthing off in a bar in Miami about blowing up some building, which got the FBI's full attention.
"It took Linda('s e-mail box.) Then it came after (my e-mail box,) it got into my (windows box) and it (turned zombie,) so (we got McColo shutted down.) But that didn't stop it, it came back big time."
ELOI, ELOI, LAMA SABACHTHANI!?
Folks, I know this is flogging a dead horse, but let's see if this time the suggestion takes hold. How about this plan for dealing with spam spewing botnets:
1) If you're a Microsoft Power User (MPU) and you do the normal security precautions go ahead and use your Microsoft OS of choice -- you know *your* box isn't going to get infected because you're on top of the security issues.
2) If you're a MPU and you've got family or friends who are *NOT* MPUs and they ask you for advice why not make the "reasonable" suggestion:
a) Get a Mac OS X box if they're looking for a new computer and you want them to have a decent Desktop environment with decent default network security. This minimizes *your* sysadmin requirements and *increases* their odds of not becoming yet another Windows Spam Spewing bot (WSSB).
b) If they already have a Windows PC or have recently purchased a windows PC why not suggest that
i) for *non-networking* activities go ahead and use the Windows OS *if* that is what they are comfortable with, things like say spreadsheets, or word processing, Adobe Photoshop, etc.
ii) for *networking* activities like web browsing, checking e-mail, watching flash videos, irc, etc. go ahead and install say Ubuntu, or Open SuSe or whatever Linux flavor *you* are familiar with and teach them how to use it. That way you have reduced for *you* the sysadmins network security headaches.
Ideally, I would recommend to make the base OS a Linux distro, and run the Window OS in VMware or Xen virtual box. That way they don't have to reboot when switching between network based activities (Linux) and non-network based stuff (Windows).
Microsoft should be happy they still get a sale. You should be happy that your family and/or friends are still using Windows for most stuff. And the rest of us who don't use windows in any networking capacity can be happy that there is 1 (or more) fewer WSSB out there spamming us with stuff we don't care about.
Is that a reasonable nonflaming suggestion?
Mr. Natural as Fox Muldaur and Angelfood McSpade as Scully, and the Fabulous Furry Freak Brothers as the Lone Gunmen. Evil Spam Monster overlord, Mr. The Toad
That explains why I got higher spam in my inboxes over the last two days. Ugh! :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
It's pretty obvious to me that it's trivially simple to watch one of these bots cycle through its algorithm, then when it gets a working server site, you trace to that site and find who's running it and cut their balls off as well as their network access. Then watch it happen again, and so on.
That would be a lot smarter than paying tens of thousands of dollars for randomly-generated domain names.
Why are spam-fighters so intent on doing the dumb thing instead of the right thing?
Or simply killing all those whose machines are infected? And if you think that any of those is acceptable then you surely won't have any objection if/when other nations start behaving that way in your country, will you? I know where most of my spam originates.
I have no problem with the infected machines being killed off, regardless of where the attacker that killed the machine is located or who the attacker is. Just leave some indication of why the machine was killed so I can point to it when charging the customer for re-installing their OS and recovering whatever of their files that you are kind enough to leave for them. A nice little README.txt file explaining "Your machine was a spam spewing zombie in the <botnet name> botnet." will be sufficient.
Note - Liberal use of <sarcasm> tags may or may not need to be applied.
Which part of "random crashing" is alleviated by Linux? The "random" or the "crashing"?
In Soviet Washington the swamp drains you.
Because Srizbi has an algorithm that generates new pseudo-random domain names based on the current date. If the hard-coded C&C server ever goes down, the bot herder can calculate what domain names Srizbi will be looking to in the near future, and register them to reclaim the botnet (and push an update that changes the hard-coded server)
Technical Details of Srizbis domain generation algorithm
Legalize recreational marijuana. Seriously.
Really? I hadn't noticed any change since McColo was taken out: Since the moment McColo was taken out, spam received jumped over tenfold. It's been steady since.
me. --a by-product of public education
I'm a non-(computer) geek.
Can somebody explain to me how I can tell if my computer is infected by a bot?
Is there something that will tell me what's running in the background, so I can identify a bot spewing out spam from my system?
(Yes, I promise to learn linux.)
The Estonia based Command and Control servers have been kicked offline.
Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.
This is not the server that's hard-coded in to the new Srizbi patch, just one of the backup servers supplying it.
source
Legalize recreational marijuana. Seriously.
...the one remaining 4800 baud link between Estonia and the rest of the world was taken down earlier today when IT technicians took control of the phone line to order a pizza.
Have gnu, will travel.
Well, Linux's advantage is:
We don't really want the spammers to use Linux on their master control servers, do we?
I'm sure the new free security software in Windows 7 will take care of it.
surely doing nothing is just like knowing a criminal has done a crime without reporting it, so you are deemed an aid to the crime if you let it happen.
Idiots.
Just do it under the table from a netcafe, and no one will complain, really, no one will, no body, bloody no one!!! Those guys have NO balls.
Liberty freedom are no1, not dicks in suits.
Doesn't really surprise me after that massive burst of traffic to russia.
Probably the botnet fleeing a sinking ship so to speak.
I'd like to wring the neck of whoever let mccolo bail.
Oh, we have a plan, too.
Who is General Failure and why is he reading my hard disk?