Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Botnet Returns From the Dead To Spam On

Posted by timothy on from the late-entry-for-hallowe'en dept.

CWmike writes "Gregg Keizer reports that the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals, security researchers said today. As of late Tuesday, infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia, said Fengmin Gong, chief security content officer at FireEye. The comeback confirms what researchers noted last week, that Srizbi had a fallback strategy. So, in the end, that strategy paid off for the criminals who control the botnet."

38 of 205 comments (clear)

  1. Zombies!!!!! by syousef · · Score: 5, Funny

    Argh! Zombies!!!!! They're bound to be after brains! Well they'll find none here! Take that you evil zombies.

    --
    These posts express my own personal views, not those of my employer
  2. Further Proof by MaxwellEdison · · Score: 5, Insightful

    Further proof that crime doesn't pay. Unless you have a reliable business plan, of course.

    --
    -=Bang Bang=-
    1. Re:Further Proof by damn_registrars · · Score: 4, Insightful

      the alg it uses to get domain names

      Why would botnet harvesting be done by domain name anyways? Wouldn't it be easier to collect systems by just running through accessible IP addresses?

      And if the botnets are doing double duty by both propagating spam and attempting to hack into systems via ssh, I can tell you from my IP logs at home that most systems in the botnets aren't behind any particular domains.

      On top of that, how many languages would you want to sell antivirus software in?

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    2. Re:Further Proof by Lobster+Quadrille · · Score: 5, Funny

      It's nice to see that somebody's IT department has the funding and expertise to implement a backup plan.

      It gives me hope.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    3. Re:Further Proof by julian67 · · Score: 5, Insightful

      Actually there isn't money to be made this way because all those unhappy customers demanding refunds will be expensive. The idea that you can clean an infected Windows PC by installing product A or B or C is mistaken. The whole idea that security is a boxed product or is available by clicking an .exe/.msi installer is bogus. Assuming that the malware on these infected computers is even known to the AV companies (and that's no longer a reasonable assumption in most cases) then the only way to actually remove it effectively is by running the AV tools from read only media, i.e. a live CD. Well designed malware will simply disallow the installation/use/updating of common AV software. The malware authors are streets ahead of the "security" vendors. The AV products installed on a clean machine can't even prevent many of these problems let alone cure them. Most Windows users would be better advised to save their pennies and re-install from original media, always be patched and up to date (applications as well as OS), run as unprivileged user with strong passwords on all accounts and browse only with Firefox + privoxy + noscript + adblock. That isn't perfect but it's zero financial cost and way more effective than anything Symantec, McAfee etc can offer. Unfortunately running Windows with an unprivileged account is as convenient as toothache.

    4. Re:Further Proof by jargon82 · · Score: 5, Informative

      I've been running my windows XP laptop as non-admin for over 2 years. It's not as bad as you say. Two things keep me going. Superior SU, found here: http://www.stefan-kuhr.de/supsu/main.php3 and make me admin, found here: http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx. Between the two, running non-admin is quite comfortable with a bit of practice.

    5. Re:Further Proof by blhack · · Score: 5, Informative

      A little windows trickery:

      Right click on internet explorer and click "Run As" run it as admin.
      type C:\ into the address bar. Navigate to whatever folder the programs you want to run are in and run them. Anything that spawns from here will be running as admin.

      --
      NewslilySocial News. No lolcats allowed.
    6. Re:Further Proof by julian67 · · Score: 3, Interesting

      There's a lot more to it than launching applications. Even then it's unsatisfactory in many ways. It's extremely inconvenient to have to run an application as admin and have all the output non-executable and non-writable for other users...one more crappy task to fix all the permissions after every run. Anyway there are many applications which simply don't work with run as. The previous poster who linked to Super SU was nearer the mark. Windows user model works fine for users with no local admin rights working under a domain controller, i.e. in the office with IT dept running everything. For home/individual users it really stinks. The existence of botnets of tens or hundreds of thousands of compromised Windows PCs should negate the need to even mention or discuss this but it seems that simple, sane authorisation models have been thoroughly subverted for so long that the absolute worst model is considered normal and acceptable. What's really incredible to me is that if you look at unix user/super user model or the Ubuntu/OS X style sudo model they are both easy and *convenient* for the end user as well as the administrator and have no real drawback; I can't quite work out why MS dedicated the last 10 years to screwing it up so badly. It is a horrible experience for their users to suffer unwanted malicious software on their systems and it could all have been easily avoided. It shouldn't be normal to run a system so badly configured and implemented that it requires 3rd party add ons simply to appear secure. It shouldn't be anything other than extraordinarily unusual to have one's personal and financial details exposed to criminals etc. Run as is not the answer because there are too many situations where it simply doesn't work or is so inconvenient that it becomes impractical. Personally speaking, Windows is only for games while everything else gets done on a sensible OS. Windows by default has no immunity and no powers of recovery. It has AIDS.

  3. Going back in time ... by Anonymous Coward · · Score: 5, Interesting

    "the big spam-spewing Srizbi botnet, shut down two weeks ago when McColo was shuttered, has been resurrected and is again under the control of criminals"

    I'd love to go back in the '50s, find one of those future drawing artists, show him that head news, and ask him to draw what he think that means in the year 2008.

    Hilarity ensue.

    1. Re:Going back in time ... by DahGhostfacedFiddlah · · Score: 5, Funny

      Never fails - I never have mod points when I see posts worthy of them.

      --
      Last post!
    2. Re:Going back in time ... by Reality+Master+101 · · Score: 5, Funny

      I don't know what he'd draw, but I know it'd be covered in chrome. :)

      --
      Sometimes it's best to just let stupid people be stupid.
    3. Re:Going back in time ... by denis-The-menace · · Score: 5, Funny

      I guess it would a giant, dilapidated 50's-style robot vomiting a stream of cans of spams to crowds of innocent people.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  4. They stopped them once. by Finallyjoined!!! · · Score: 5, Insightful

    Now do it again. Rinse, repeat, until there's nowhere left for them to host the "command and control" servers.

    The sooner the better. My good:spam ratio is almost 5:95 at the moment :-(

    --
    If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    1. Re:They stopped them once. by snowraver1 · · Score: 5, Funny

      If by 5:95 you mean 1:19. Didn't your math teacher teach you to reduce your fractions/ratios?

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    2. Re:They stopped them once. by armanox · · Score: 3, Interesting

      Actually mine told me not to reduce, as it helps to see where they came from.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    3. Re:They stopped them once. by smittyoneeach · · Score: 3, Interesting

      Will switching to IPv6 make the bot nets more transparent to those trying to defend the intertubes?
      If that were true, then that might be a good argument to upgrade...

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  5. What intriques me... by powerslave12r · · Score: 5, Insightful

    ..most is how efficiently the bad guys always work. Its just astounding.

    --
    Real men read Slashdot articles at -1, bottom up.
    1. Re:What intriques me... by Yvan256 · · Score: 5, Funny

      Well of course. With no worker unions, government bureaucracy or international laws to get in the way, they have it easier than your average law-abiding citizens and companies.

    2. Re:What intriques me... by Marc+Desrochers · · Score: 5, Insightful

      No red tape, no bureaucratic processes, no politics, no concern about being polite and correct about everything. Also, no customer support. It's a wonder what you can accomplish by not giving a shit who you inconvenience. Just get the job done well enough that it works.

  6. Thats strange... by pillowcase1 · · Score: 5, Funny

    I know it's off topic, but my machine was running great for a couple weeks... now its all slow again.

  7. We don't need no stinking backups... by Anonymous+Monkey · · Score: 5, Insightful

    I have worked in more than a few offices that have no backup plans for when things go wrong; power outs, network outages, supply chain disruptions, and the like would stop work cold. I find it amusing that a band of criminals are running a more flexible and 'professional' operation than many ligament businesses.

    --
    We are the Borg...
    1. Re:We don't need no stinking backups... by Anonymous+Monkey · · Score: 3, Funny

      AAHHAAAHH!!! My ham string!!! Make the burning stop!!!

      --
      We are the Borg...
    2. Re:We don't need no stinking backups... by mikael_j · · Score: 3, Interesting

      Swedish TeliaSonera and it wasn't done directly, they purchased the link through a third party and made sure it was activated just as the weekend started (probably hoping that no one would shut it down before the weekend was over).

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
  8. A McColo with Fries by INeededALogin · · Score: 5, Funny

    ... and a Coke

  9. Some Idiots by Nom+du+Keyboard · · Score: 4, Insightful

    Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down? These major ISP backbone providers reall need to be talking to each other when they blacklist a site so that one rogue provider doesn't undermine the good efforts of all the rest.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Some Idiots by Detritus · · Score: 3, Informative

      This was because they good guys stopped registering the dynamically generated domain names used by the botnet, allowing the bad guys to register some domain names and regain control.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Some Idiots by damn_registrars · · Score: 3, Insightful

      Is this because some idiot(s) let McColo get back online for a number of hours, or was that fallback already in place before the McColo initial shut down?

      I would be inclined to believe it to be more of the latter than the former. Why wouldn't the authors of the botnet software want to write something in to allow for the creation of a new botnet control system? These guys aren't idiots, as much as we might like to wish they were. They know that it takes time to amass a botnet, so I would expect they included some way to bring back the botnet, should they get caught somewhere.

      need to be talking to each other when they blacklist a site

      I might be missing something here, but I rather doubt that botnet control comes down to a specific site anywhere. Didn't they just say that the botnet is now controlled from a different country than before? I'm not sure that any amount of activities from major ISP's would be able to be both tolerable to users and capable of restricting the botnets.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  10. OK now... by damn_registrars · · Score: 4, Insightful

    Anyone who is surprised by this, raise your hand. If someone was able to write the requisite application to gather the botnet, one would expect the same programmer to have the foresight to write in a way to re-gather and restart the botnet at a later point in time.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  11. They missed the chance by confused+one · · Score: 3, Insightful

    While the command and control was down, they missed the chance to take out the bots too.

    1. Re:They missed the chance by LackThereof · · Score: 4, Informative

      Srizbi will, in fact, accept an uninstall command from a bogus C&C server.

      Lots of stuff about Srizbi

      In the course of invesigating Srizbi, researchers had 250,000 bots under their control for a span of a few days. Sending the uninstall command was one of several ways they could have crippled this small portion of Srizbi. But honestly, no citizen has the legal authority to make changes to hundreds of thousands of other people's PCs. Maybe if some law enforcement agencies would get involved, that would be nice. Or at least give blanket immunity to researchers who would do so.

      --
      Legalize recreational marijuana. Seriously.
  12. Not really. by khasim · · Score: 4, Informative

    They also have to deal with various groups trying to stop them. As in TFA:

    "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

    So the spammers had to have thought about and planned for such a contingency.

    And still bring in enough money to pay for the connections they'll be using to control the zombies.

    The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.

    So while attempting to register the domain names, work was going on to update the zombie software.

    The question now is how to get those hard-coded references to the various ISP's in the world so that they can block traffic to/from them and stop the zombies from updating again.

    Why isn't information such as that ever included in these articles?

  13. Re:Aim for the head ... by sexconker · · Score: 4, Funny

    You don't have much experience battling hydras, do you?

  14. Soft on terrorism by Animats · · Score: 4, Informative

    So where are the US antiterrorism people? This is an attack on US assets by foreign nationals. We have a whole Department of Homeland Security. They had a good computer security guy in charge of dealing with such attacks, Amit Yoran, and he quit in 2004, fed up because DHS didn't really want to deal with real problems. His replacement was a career lobbyist. Really. "He served as Director of 3Com Corporation's Government Relations Office in Washington, DC where he was responsible for all aspects of the company's strategic public policy formulation and advocacy." That's America's first line of defense against cyberterrorism.

    The FBI has an antiterrorism operation. What are they doing? What they say they're doing is working to "strengthen and support our top operational priorities: counterterrorism, counterintelligence, cyber, and major criminal programs." What they're actually doing is flying around the FBI director in the private jet purchased with antiterrorism funds.

    FBI testimony before Congress, 2001: "The FBI believes cyber-terrorism, the use of cyber-tools to shut down, degrade, or deny critical national infrastructures, such as energy, transportation, communications, or government services, for the purpose of coercing or intimidating a government or civilian population, is clearly an emerging threat for which its must develop prevention, deterrence, and response capabilities."

    FBI testimony before Congress, 2004: " In the event of a cyberterrorist attack, the FBI will conduct an intense post-incident investigation to determine the source including the motive and purpose of the attack."

    So where's the action?

    Heads need to roll at DHS and the FBI.

  15. (H|Cr)ack attack by Thaelon · · Score: 3, Interesting

    What I wonder is, why don't some of those white/grey/black hat hackers out there don't try to hijack the botnets, spammers, or the control servers of the spammers and shut that shit down. I'm sure it would be challenging and billions would approve.

    The way I see it, spam is a distributed problem that ignores virtually any boundary you can think of, so the solution must be equally pervasive and distributed. Such as an equally (dis)organized group of spammer-attackers. Sure some innocents will probably get nailed, but ain't war hell?

    --

    Question everything

  16. Re:Blue Frog? by u38cg · · Score: 3, Interesting
    The trouble was any kind of central point became a massive juicy target for them, and it would be just the same for an open source project. Bluefrog IIRC ended up just drowning in a tide of DDOSing. Kinda ironic, really :)

    As far as I can see the only real solution to spam is intelligent filtering, which Google leads the way on: it's got to the point where if a spam mail gets through, I open it it up and have a good look at it to see how the heck it got through.

    --
    [FUCK BETA]
  17. Re:Money was involved... by afidel · · Score: 4, Informative

    More like duped, they bought the backup link through a reseller a long time ago and never activated it till Sat 11/15.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  18. Update by LackThereof · · Score: 4, Informative

    The Estonia based Command and Control servers have been kicked offline.

    Only one server is still online, based in Frankfurt, Germany; name registered through the Cayman Islands.

    This is not the server that's hard-coded in to the new Srizbi patch, just one of the backup servers supplying it.

    source

    --
    Legalize recreational marijuana. Seriously.
  19. In related news ... by PPH · · Score: 4, Funny

    ...the one remaining 4800 baud link between Estonia and the rest of the world was taken down earlier today when IT technicians took control of the phone line to order a pizza.

    --
    Have gnu, will travel.