Slashdot Mirror


Estonian ISP Shuts Srizbi Back Down, For Now

wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) briefly came back to life last week, allowing the botnet to hand off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."

8 of 237 comments

  1. Re:Arrest them ... by dammy · Score: 1, Informative

    There has to be financial links of payment for the colo/hosting service. Unless they are moving the C&C every month, the payment has to be steady enough to trace it. Governments need to set up honeypot ISP offers as a sting operation to make this a far different environment for the botnet folks to work in. Club Gitmo may be open for new guests real soon.

  2. Re:Algorithm by fedorfedor · Score: 4, Informative

    According to a disassembly of the bot, there are more than a hundred domain names tried each day. (4 per bot variant, but at least 55 different seeds aka magic numbers.)

    Still, it might be worth registering all those domains until someone determines the private key, so a 'good guy' can give the bots a suicide pill.

    -David
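
The scheme the summary and fedorfedor's comment describe, as an added illustration that is not Srizbi's real algorithm and not code from the thread: a toy DGA that derives a few domains per seed per day, the sinkhole list a defender who knows the seeds can compute ahead of time, and a check of constructed resolver log lines against that list. The seeds, hashing scheme and TLD are assumptions.

```python
"""Toy domain-generation algorithm (DGA) plus a defender's pre-registration list.

Added illustration only; NOT Srizbi's actual algorithm. It keeps the thread's
shape (a handful of domains per day per seed, many seeds) and shows why knowing
the seeds lets a defender compute and sinkhole the domains before the bots do.
"""
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 4   # "4 per bot variant" in the thread
TLD = "com"           # assumption; a real DGA may rotate TLDs


def daily_domains(seed: int, day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive `count` domains for one seed on one calendar day (deterministic)."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        # map 12 hex chars onto letters a..p to get a DNS-safe label
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        names.append(f"{label}.{TLD}")
    return names


def sinkhole_plan(seeds: list[int], start: date, days: int) -> set[str]:
    """Every domain any known seed will try from `start` for `days` days.

    This is the list a defender would register or sinkhole in advance.
    """
    plan: set[str] = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        for seed in seeds:
            plan.update(daily_domains(seed, day))
    return plan


def flag_queries(dns_log: list[str], plan: set[str]) -> list[str]:
    """Return log lines whose queried name (last field) is in the sinkhole plan."""
    return [line for line in dns_log if line.split()[-1].rstrip(".") in plan]


if __name__ == "__main__":
    seeds = [0x1337, 0xBEEF]                    # constructed sample seeds
    plan = sinkhole_plan(seeds, date(2008, 11, 26), 7)
    print(len(plan), "domains to register for the coming week")
    # constructed resolver log lines: "<time> <client> A <qname>"
    sample = daily_domains(0x1337, date(2008, 11, 26))[0]
    log = [f"12:00:01 10.0.0.5 A {sample}", "12:00:02 10.0.0.9 A www.example.com"]
    print(flag_queries(log, plan))
```

A real sinkhole effort also has to handle the bot's verification step (the "private key" fedorfedor mentions), which this toy omits: registering the domain stops the query, but not necessarily lets you send commands.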

  3. Re:Algorithm by m0i · Score: 4, Informative

    --
    have you been defaced today?

  4. Re:Who wants to bet... by bepe86 · Score: 2, Informative

    Why on earth do you think you would need an email account set up for your computer to spew spam? All that is needed is that the computer is able to access TCP port 25 freely.

  5. Re:Who wants to bet... by Anonymous Coward · Score: 2, Informative

    Wow, you think spammers rely on using your PC's email account? What do you think it is, an Outlook Express macro or something?

    Here's a clue for you: most modern bots use their own built-in SMTP server process; they don't need anything other than a live net connection on your PC.

  6. Re:Who wants to bet... by AmbushBug · Score: 2, Informative

    This looks like a project that is trying to do what you are talking about:

    http://www.volatileminds.net/projects/clamav/

  7. Re:Who wants to bet... by hairyfeet · Score: 2, Informative

    It really wouldn't have to do much if you think about it. Once rebooted you could have it begin scanning automatically and on detection of the first virus have it ask "Do you wish to delete or quarantine this virus?" and it would have a button for each choice along with cancel and a small checkbox below that said "remember my answer and repeat on every virus" so they wouldn't have to keep hitting the button if they didn't want to. And if you wanted to get fancy you could have a box at the end display the number of viruses, followed by a dialog box that asked "Do you wish to have ClamWin Free Antivirus installed to reduce the risk of further infections?" followed by a simple "yes/no/cancel" box.

    But if it installed ClamWin it should have the scanning and updating set in Task Scheduler automatically, which one could probably do quite easily with a batch file. The key to it is to remember that we are talking about a tool that to be truly effective needs to be able to be used by the most clueless Windows user out there. Which is why in my first post I suggested incorporating one of the simple free burning engines into the file. That way after they downloaded the link they could simply double click the file and it would say "please insert blank CD to burn the virus removal tool" and would take the guesswork of how to burn an ISO file out of it. Then upon completion a simple msgbox could pop up saying "virus removal tool has been burned successfully. Please reboot to start the virus removal process".

    While not perfect, since it can't go in and reset the BIOS for those that don't have boot from CD set, this would be a very usable tool for a good 75-90% of the Windows users out there that are filling the pipes with spam and botnet traffic. And as I said in the first post it would also allow the FOSS advocates a chance to introduce those who may have never heard of FOSS by dropping a link on the desktop that says "Would you like more free software? Click here", which would then take them to a central Windows link page with brief descriptions, along with a couple of screenshots and links to download FF, OO.o, GNUCash, etc. The author of the interface could even include a link to his own project page along with a donation link to help pay for maintenance.

    IMHO this would be a win/win. It would allow us to cut down on the spam zombies while promoting FOSS and saving the cost of seeing someone like me for the Windows user. And we all benefit from having fewer zombies puking all over our bandwidth and inboxes. But the most important part, the part that must NEVER be forgotten, is that it must be designed for the clueless, non-technical Windows user. Which means NO CLI, and KISS principles must be used at all times. Because the second they see a Bash prompt it is all over. It needs simple, easy to understand dialogs and even those need to be kept to a minimum to avoid confusion and frustration. Believe me, as someone who has spent nearly 15 years off and on working repair shops and fixing Windows boxes I know of which I speak. But IMHO this is a project that could truly help a lot of folks while cutting down on the flood of spam in our inboxes. We just need someone with the coding skills to take what is already there and make it Windows user friendly.

    --
    ACs don't waste your time replying, your posts are never seen by me.