Estonian ISP Shuts Srizbi Back Down, For Now
wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) had briefly come back to life last week, allowing the botnet to hand off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
...that in two weeks this is going to be back up somewhere else in the world? Heck, we could turn it into a game, guessing which country it is being run from next.
However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions . . .
Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?
http://outcampaign.org/
Break the algorithm and determine the next domain name and take the reins.
If that can't be done but we can at least garner the domain names, then it is simply a matter of registering them all for the next several years.
Though it really depends on the frequency of the control domain generation.
If someone publishes the list of all the domains that Srizbi will go to for instructions for the next few years, we can all buy one each and stop the spammers from ever regaining control.
Good, but I'd be happier if the people involved had been arrested. Surely there must be enough information out there to trace the controllers of this bot net by now.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
If so, perhaps we could try pre-registering the domains that will be used to control the bot-net, or seizing them if need be. Then perhaps we could tell the damn thing to shut itself down, or at least notify the owners of infection and then ignore instructions from any future botnet controllers...
I'm wondering why someone can't intercept the attempt and take control of the botnet themselves and then shut the whole thing down permanently by disabling all the bots.
I mean all you have to do is examine a machine in the botnet and you should be able to get any passwords/keys or whatever is used to access them. Obviously they have examined the command and control parts of it so I assume they know how that works too.
Someone please take out this botnet for good. The reduction in spam is incredible.
Another thing I was wondering... The machines in the botnet must have an open socket or something; would it be possible for a spam filtering system to check the machine sending mail to see if it's in this botnet? This botnet alone seems responsible for at least 95% of the spam I get.
"However, as the rootkit is armed with an algorithm that periodically generates new domain names"
So why not duplicate this algorithm in firewall software, with a value set to block? Especially in ISP firewalls and cable/DSL routers.
How about setting up a botnet blacklist that blacklists the control servers, that all firewalls subscribe to?
Of course at some point the botnet will gain a distributed cloud control mechanism, and so on and so forth ...
To all the people who are saying "just take the botnet down with that control system", this isn't always possible.
Think, for instance, of a virus that not only has this sort of "find my controller" system but that, when it finds instructions, checks an attached PGP public key to ensure their integrity and that they came from the original author. If this particular virus doesn't have it, the next breed will. That makes it completely immune to "false" updates, in the same way that Linux repositories and Windows Update are... unless you have the private key associated with that virus' creation, you can't issue an update that it will take notice of.
You can't stop things like this by just intercepting the botnets... you can slow them, hinder them, give you time, but there are ways around everything. The way to stop it is to SHUT OFF USERS who have those botnets, who have allowed their computers to be compromised. Permanently. Give them the incentive to actually keep their systems clean. They can move to another ISP etc. but the only way to stop them is to show them that leaving their PC open to infection is the problem here, along with an OS that allows that sort of compromise to be so easy, and not that some kid in Russia is somehow smarter or more resourceful than the entire world's IT experts.
I don't know if this worm actually does have a signed update system, but it's a very easy thing to do, with tons of well-audited, open-source, freely available code to do it for you. I would be very surprised if some malware somewhere wasn't already doing it.
I remember recently that they accused Russians or Chinese or whatever of attacking their government sites, and they kind of created some serious cyberforce after these attacks?
Kind of makes me wonder. How is it possible to have some serious cyberforce and not be able to shut down a botnet which originates from your own country? Smelling bullshit somewhere.
- Arwen, I'm your father, Agent Smith.
- Well, you're just Smith, but my father is Aerosmith!
I don't know how much money these people are making but having to move locations every two weeks surely isn't free. Plus whilst you're moving and the botnet is down you're not generating money (from the spamming).
If this is the case then I wouldn't mind this going on forever until they run out of money.
Wouldn't it be possible to grab one of these domain names, then tell the botnet to uninstall the rootkit or something?
While they're up and running, effectively you have locked all the herded bots down. Take over the control bots, and just do nothing with them. Change them so they don't accept any new instructions from their overlords.
Don't send the herded bots new instructions, nothing. You have effectively taken control away from the spammers/evil masterminds.
Wouldn't it be possible to go after the individual bots? It can't be hard to figure out which IPs (machines) are used and then just contact the ISP that delivers network connection to them and tell them to deal with the situation.
Have them contact the subscriber and give them some time to fix their computer; if they don't, then cut them off.
The ISP that doesn't do this would get a warning and some time to deal with the situation, and after that the ones who deliver connectivity to them should cut them off.
All serious ISPs would conform if there was good incentive to do so. The others should get cut off.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
In essence this is the largest game of Whack-A-Mole ever played.
I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
Though it will be a pain when my wife asks me what that message means, and can't I get it off the screen so she can finish the I.Q. test she's taking... this is important stuff she does, you know, so interruptions should be kept to a minimum...
Then I can teach her what she needs to know about Ubuntu. Should take about 15 minutes.
Shakespeare didn't know about the Internet, or he would have written 'first, we kill all the spammers'.
Deleting the extra space after periods so I can stay relevant, yeah.
Save your life story for your journal.
It is called "maintaining an attractive nuisance". Hard to have a botnet without the zombies. A simple warning would suffice; by the third warning it should be law enforcement's role, perhaps relayed by the offender's ISP, something like that, with simple instructions to please format and reinstall, else be bounced from the network. At login, they get the prompt and have to go fix it, by whatever means they want to use. If it is made just polite, informative and clear, there shouldn't be much of a problem then. Yes, it is a hassle, but zombie networks are a tens-of-billions-a-year hassle and major annoyance to innocent people and companies who get harmed. It is more than reasonable to get the busted, leaking oil and shedding parts vehicle off the information highway until it is repaired and the owners take the time to do a little bit better maintenance.
With that said, if software that was sold or "licensed to use" had a minimum warranty where it had to be adequate for the task, treated like all other products in other words, then the onus would have been on Microsoft and some other highly profitable companies up to this point and a lot of this would have been sorted out years ago. "Suitable for purpose" is a normal warranty, and it needs to be applied to software. If it is unsuitable to use on an open network because of ease of compromise, then it shouldn't be used if you can't maintain at least a reasonable level of control over your own machine so that it does not harm others' machines or networks. Normal lemon laws should apply. ISPs should take the lead anyway and inform users if they are compromised. If there was a law that applied to all ISPs in this matter, then there wouldn't be any fear of customers "jumping ship", because they would just get the same warning no matter which ISP they went to then. Yes, you can't make perfect software, but some examples out there show you can make a lot better and more secure software right now, and computer design could be altered as well; there could easily be internet appliances that maintained a strict "read only" status for the operating system and use ID and other forms of security software to help mitigate this situation. Of course, it would mean a profound change in the internet and on websites; a lot of "web 2.0" type sites would need to be heavily rewritten, as active scripting is a major source of compromises. Just keeping scripting turned off in browsers goes well over 90% of the way in eliminating threats. Bling or security, choose one, and if "attractive nuisance" laws applied, security would shift back to being job one, not job 5983 down the list at the big software houses.
Look dude, Christianity has got enough false accusations to deal with without utter fiction streaming out of the mind of people who clearly know nothing. Get a grip, get a life, learn some history.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
You're all going at it the wrong way. Just nullroute all POSSIBLE botnet server IPs for the next few years at the major backbone ISPs. There, problem solved!
Get the code, reverse engineer it - it's probably obfuscated. Hunt it down and disable the bots.
Why not start a site that automatically checks and updates users' computers against the botnet? Like a virus scanner.. I am sure that most people are unaware that the computer they use daily is sending spam to thousands of people. And most people would click the free update to put an end once and for all to the spam in the world. Sites like YouTube and Google, CNN, BBC, Facebook and MySpace should make it mandatory to pass a clean bill of health to visit the sites. Start making people log into the sites with a personal ISP address (one that has to have a registered global position of the person's home address or billing location). I believe that there are twice as many answers to the problems as there are problems. (The registered confirmed addresses (kinda like the email confirmations) sound like the best way to stop the stupid game).. And if the "botnet" is making someone so much money, wouldn't it make sense to trace the money to its destination to find the person or persons behind it?? I mean tell me if I am wrong here, but it's the internet where just about anything is possible. Get with Microsoft, Linux, and the others, and make a mandatory update to end the botnets once and for all; hell, make the anonymity of the web a thing of the past for all I care. I would like to see them catch the bastards who keep sending me 35 emails a day trying to sell me Viagra, and watch them rot in jail, (the next top interactive webcam site, one where we can pay to throw things at or shoot with something like those hunting sites,, (not real bullets of course, we wouldn't want to ruin the fun for the next guy).. An electric bed, or potty, ZAP ZAP, to set an example for anyone who would want to follow in his footsteps.
And for the last thing, if people would stop clicking on the SPAM the guy wouldn't make money on it and it would not be worth his time, (YES YOU, STOP CLICKING THE FRIGGEN EMAILS, NO YOU'RE NOT THE LUCKIEST GUY ON THE INTERNET AND GOING TO GET A LOT OF MONEY FROM SOME LOTTERY THAT YOU WON OR SOME DEAD GUY WITH THE SAME LAST NAME,,, IT'S ALL A SCAM))))))
Is a command that even worked with the Borg, a lot more advanced than that puny Srizbi botnet.
A bit more in the real world: some years ago I got so tired of getting firewall notifications about machines sharing their disks on the internet that at one point I put on all those desktops a text explaining what they had wrong, and how to fix it. But that was wrong; you don't fix harm by doing even more harm. If their PCs are misbehaving on the internet, it is their ISP's (or someone else's they already know) responsibility to warn/block/teach them.
Um, you mean, nullroute the entire Internet?
Start with Spamhaus' DROP-List...
cpghost at Cordula's Web.
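The two ideas above (checking whether the machine connecting to your mail server is a known bot, and starting from a DROP-style list of netblocks) can be wired together at SMTP connect time. The following is an added example, not code from the original discussion or from Spamhaus: it parses a constructed list in the DROP file shape (one CIDR per line, a `;` comment with the listing id), matches connecting IPs against it, builds the reversed-octet query name a DNSBL lookup would use, and triages a few constructed mail-server log lines. The netblocks are RFC 5737 documentation ranges and the listing ids are placeholders; no real entries are used.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample in the shape of a Spamhaus DROP list. The ranges are
# documentation space and the ids are placeholders, not real listings.
SAMPLE_DROP_LIST = """\
; DROP list (constructed sample for this example, not a real download)
192.0.2.0/24 ; SBL-PLACEHOLDER-1
198.51.100.128/25 ; SBL-PLACEHOLDER-2
"""

# Constructed MTA log lines; the IP of the connecting host is in brackets.
SAMPLE_LOG = """\
2008-11-26T10:00:01 smtpd: connect from unknown[192.0.2.55]
2008-11-26T10:00:04 smtpd: connect from mail.example.net[203.0.113.9]
2008-11-26T10:00:09 smtpd: connect from unknown[198.51.100.200]
2008-11-26T10:00:12 smtpd: connect from unknown[198.51.100.5]
"""

CONNECT_RE = re.compile(r"connect from \S*\[(\d+\.\d+\.\d+\.\d+)\]")


def parse_drop_list(text: str) -> list[ipaddress.IPv4Network]:
    """Parse 'CIDR ; comment' lines into network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_drop_list(ip: str, nets: list[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any listed netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone: this is the name a live
    DNSBL lookup would resolve (an A record answer means 'listed')."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def triage_connections(log_text: str, nets: list[ipaddress.IPv4Network]) -> list[tuple[str, str]]:
    """Decide per connecting IP: 'reject' if in the local DROP copy, else 'accept'.

    A production filter would follow the 'accept' branch with the DNSBL query
    built by dnsbl_query_name(); this offline example stops at the local list.
    """
    decisions = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        decisions.append((ip, "reject" if in_drop_list(ip, nets) else "accept"))
    return decisions


if __name__ == "__main__":
    nets = parse_drop_list(SAMPLE_DROP_LIST)
    for ip, action in triage_connections(SAMPLE_LOG, nets):
        print(f"{ip:16} {action:7} (would query {dnsbl_query_name(ip)})")
```

Matching against a locally cached list keeps the decision fast and offline; the DNSBL name is built so the same code can be extended to a real lookup, where a positive answer is the signal to defer or reject the session before any message data is accepted.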
OK, Russia is corrupt and doesn't care about botnets. But Estonia is an EU member. Instead of shutting down C&C servers, they should have obtained a court order to seize at least one of the C&C servers and use it to retrieve the secret key used to sign commands. Then this key could be used to kill the whole botnet.
"Estonia's biggest ISP Linxtelecom" - where does this info come from!? Linxtelecom has about 1-2% of the market in Estonia (which has a population of roughly 1.3 million people).
I have the right to not have the net flucked up by idiots who think they can do what they want to the detriment of others, and also by idiots who don't know how to keep their machines free of this muck?
And where is this right defined? In which article of statute or law does it specify your 'right' to internet access at the fastest possible speed? Where does it state that your rights are more important than any other internet user?
The law in your country is probably not the same as the law in another. You cannot make assumptions about your international 'rights' based solely on what you think is good for you. If there is no-one in your country using spam, generating spam, buying things being advertised by spam or being part of this botnet then why don't you simply get your country to disconnect itself from the rest of the world. Hey, your spam problem will be fixed!
Have a look at soylentnews.org for a different view
"Botnets! Spammers Botnets! What kind of boxes are on botnets?
Compaq, HP, Dell & Sony, true! Gateway, Packard Bell, Maybe even Asus, too!
Are boxes, found on botnets. All running Windows, FOO!"
Guaranteed! This comment 100% Anthrax free!
You don't need funds to register the domains. You simply lean on the domain registrar.
I'm a registrar. I have no problem whatsoever refusing to register domain names that match a certain algorithm, in fact I'm trying to find the algorithm to do just that.
*BUT* there are lots of registrars (I'm number 616, I think the counter is over the thousand-mark now). You'd need to lean on the registry, and maybe on ICANN. If you do I'm certain that a change to the algorithm will be pushed before you accomplish anything.
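Several posts above (pre-registering or blocking the domains the algorithm will produce, duplicating the algorithm in a firewall, and the registrar refusing names that match it) all rest on the same defender step: run the generator ahead of time and turn its output into a list. The block below is an added example, not code from the discussion and not Srizbi's real algorithm, which is not given on this page. It uses a constructed, date-seeded generator standing in for a recovered DGA, precomputes the names for a window of days, and shows the two policy checks a registrar and a resolver or firewall would apply against that list. The seed, the label length, the TLD set and the sinkhole address are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed stand-in for a recovered DGA. It is NOT Srizbi's algorithm; it
# only shares the general shape of "seed + date -> a few names per day".
SEED = b"constructed-example-seed"
TLDS = ("com", "net", "org")
NAMES_PER_DAY = 5


def toy_dga(day: date, seed: bytes = SEED, count: int = NAMES_PER_DAY) -> list[str]:
    """Return the candidate rendezvous domains for one calendar day.

    Each name depends only on (seed, date, index), so anyone holding the
    recovered seed can produce the same list before the date arrives.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        tld = TLDS[digest[10] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def precompute_window(start: date, days: int) -> dict[str, date]:
    """Map every domain the generator will try in [start, start+days) to its date.

    This is the defender's list: hand it to registrars (refuse registration)
    and to resolvers or firewalls (refuse resolution or answer with a sinkhole).
    """
    window = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in toy_dga(day):
            window[name] = day
    return window


def registration_decision(domain: str, window: dict[str, date]) -> str:
    """Registrar policy: refuse any name the precomputed list contains."""
    return "refuse" if domain.lower().rstrip(".") in window else "allow"


def resolver_decision(qname: str, window: dict[str, date], sinkhole_ip: str = "192.0.2.1") -> str | None:
    """Resolver/firewall policy: answer predicted names with the sinkhole address
    (an assumed documentation-range IP); None means 'no override, resolve normally'."""
    return sinkhole_ip if qname.lower().rstrip(".") in window else None


if __name__ == "__main__":
    window = precompute_window(date(2008, 11, 26), 14)  # two weeks ahead
    print(f"{len(window)} predicted domains in the window")
    first = next(iter(window))
    print(first, registration_decision(first, window), resolver_decision(first, window))
```

The window size is the knob the registrar comment is worried about: a list for a few weeks is cheap to distribute, while a list for "the next several years" grows linearly with the number of names per day and becomes stale the moment the seed or algorithm changes, which is why the precomputed list is best regenerated on a schedule rather than registered once and forgotten.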
Since people know where the servers are, don't just cut off the packet stream, but go in there, launch real hardware-level forensics on the computers (RAM memory decay...) to get whatever private keys there are, sniff to see where the upstream commands are coming from, find out who PAID for the servers, whatever, go UP the food chain and imprison the real physical people who are doing this!
Am I the only one to observe that the whole problem starts with insecure systems?
All this chasing of command centres and networks is fighting symptoms, not causes. I want to know what system runs this code, and how it got there - research that and see what can be fixed.
This chasing and rubbish will never end as long as there are people accepting mediocre quality security from vendors that can't be bothered to fix their crap because some others provide the plasters over the cracks (anti virus). Anti virus software is not a cure, it papers over existing deficiencies and is basically after the event.
As long as the basics aren't fixed, those who cannot be bothered are basically wilfully supporting the long distance crime that spam, botnets and other criminal activities are. Yes, I said "wilful", and I said "supporting crime".
The vendors know bloody well how to do it better (and it's not like there is a shortage of talent around to draw from), but that's kept for the eternal "next version that will fix it all". Well, f*ck it, that lie has been played since Windows for Workgroups 3.11 and I'm astonished that, umm, what, 10 years or so later the golf club crowd still buys that BS.
Well, here is another line, but a bit more realistic: start adding license management and the total cost of anti virus protection (i.e. licenses, bandwidth, downtime, and risk insurance for when a zero day makes it go t*tsup regardless) and THEN do your Total Cost of Ownership calculations.
It's about time people start to think for themselves. I'd place an MS sales rep somewhat below a consultant and a lawyer in reliability terms.
Just in case someone thinks I'm advocating anything but MS: you're right. Until THEY fix the basics they should not be entitled to your money. Why do you keep going back to the garage that never quite manages to fix your brakes? Puts a whole new spin on being a tree hugger..
What about the f-secure rescue cd? It's free and does everything stated.