Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estonian ISP Shuts Srizbi Back Down, For Now

Posted by kdawson on from the informal-pressure dept.

wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) has briefly come back to life last week, allowing the botnet to hand-off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."

2 of 237 comments (clear)

  1. Re:Algorithm by fedorfedor · · Score: 4, Informative
    According to a disassembly of the bot, there are more than a hundred domain names tried each day. (4 per bot variant, but at least 55 different seeds aka magic numbers.)

    Still, it might be worth registering all those domains until someone determines the private key, so a 'good guy' can give the bots a suicide pill.

    -David

  2. Re:Algorithm by m0i · · Score: 4, Informative

    Feasible, algo is described here:
    http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html

    --
    have you been defaced today?