Slashdot Mirror


Estonian ISP Shuts Srizbi Back Down, For Now

wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) briefly came back to life last week, allowing the botnet to hand off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Services be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."

6 of 237 comments

  1. Re:Who wants to bet... by bossanovalithium · · Score: 5, Interesting

    Ok, am I being thick here, but why can't some enterprising soul (or organisation) use the algorithm to take control of the bots and then get them to purge or go inactive?

  2. Algorithm by Schraegstrichpunkt · · Score: 5, Interesting

    However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions . . .

    Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?

  3. Can't the botnet be taken away? by Anonymous Coward · · Score: 1, Interesting

    I'm wondering why someone can't intercept the attempt and take control of the botnet themselves and then shut the whole thing down permanently by disabling all the bots.

    I mean all you have to do is examine a machine in the botnet and you should be able to get any passwords/keys or whatever is used to access them. Obviously they have examined the command and control parts of it so I assume they know how that works too.

    Someone please take out this botnet for good. The reduction in spam is incredible.

    Another thing I was wondering... The machines in the botnet must have an open socket or something, would it be possible for a spam filtering system to check the machine sending mail to see if it's in this botnet? This botnet alone seems responsible for at least 95% of the spam I get.

  4. Re:Who wants to bet... by oliderid · · Score: 2, Interesting

    I guess the algorithm is linked in a way or another to a clock (time)... If they point to an atomic clock sync, isn't it possible to spoof the IP (or change locally domain name config) and then to trace the next domain name?
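Comments 2 and 4 together describe the defender's side of a date-seeded domain-generation algorithm: if the generator is known and its only input is the calendar date, anyone (a registrar, a resolver operator, a spam filter) can run it ahead of time and block, sinkhole or watch for the output. The script below is an added example written for this page, not Srizbi's real algorithm and not code from any of the posters: the generator is a constructed toy seeded with the date, the resolver log format and the IPs are constructed, and the date used in `demo()` is an assumption.

```python
"""Toy date-seeded DGA plus the defender's precompute-and-check step.

Constructed example.  The generator is deliberately simple and is NOT the
algorithm Srizbi used; it only reproduces the property the thread relies
on: the seed is the calendar date, so the future domain list can be
computed in advance by anyone who has the algorithm.
"""
import datetime
import hashlib
import re

TLDS = ("com", "net", "info")          # constructed TLD choice for the toy
DEMO_DAY = datetime.date(2008, 11, 26)  # assumed "today" for demo()


def generate_domains(day, count=4):
    """Return the `count` domains the toy malware would try on `day`.

    Only the ISO date and a counter feed the hash, so every run on any
    machine produces the same list for the same day.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}-{i}".encode()).digest()
        # Map the first 10 digest bytes onto lowercase letters for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        tld = TLDS[digest[10] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start, days):
    """What a registrar or resolver can do: run the generator `days` days
    ahead of `start` and collect every domain it will ever ask for."""
    blocklist = set()
    for offset in range(days):
        blocklist.update(generate_domains(start + datetime.timedelta(days=offset)))
    return blocklist


# Constructed resolver log line format: "<timestamp> <client-ip> query <name>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def find_dga_lookups(log_lines, blocklist):
    """Return (client_ip, domain) for every query that hits the blocklist.

    Names are lowercased and a trailing FQDN dot is stripped before the
    lookup, so 'Abc.COM.' and 'abc.com' compare equal.  Lines that do not
    match the log format are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, name = m.groups()
        name = name.lower().rstrip(".")
        if name in blocklist:
            hits.append((client, name))
    return hits


def demo():
    """Precompute a week of domains, then scan a constructed log for them."""
    blocklist = precompute_blocklist(DEMO_DAY, 7)
    # A bot two days from now would ask for this name; plant it in the log.
    planted = generate_domains(DEMO_DAY + datetime.timedelta(days=2))[1]
    log = [                                        # constructed log lines
        "2008-11-28T10:00:01 192.0.2.10 query www.example.com",
        f"2008-11-28T10:00:05 192.0.2.44 query {planted.upper()}.",
        "malformed line that the parser skips",
    ]
    return find_dga_lookups(log, blocklist)


if __name__ == "__main__":
    for client, name in demo():
        print(f"{client} looked up precomputed DGA domain {name}")
```

The check in `find_dga_lookups` is the same whether the list is used by a registrar (refuse or flag registrations), a resolver (sinkhole the answers) or a mail filter (treat the querying host as infected): the hard part is recovering the generator, which is what the thread is really asking for.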

  5. Re:Who wants to bet... by v1 · · Score: 5, Interesting

    I'd love to see that too. Spoofing traffic on IRC is easy. But the problem is the commands must be signed using the bot herder's private key. It's apparently a very large key (1024 BYTE iirc), and no one has managed to break it yet.

    I bet there are several groups working on them though. Problem is, each time the herder pushes an update, they could rekey it, placing everyone's break attempts back on square 1.

    My PERSONAL preference here is that the command sent should cause the participating computers to post a notice on the user's screen telling them they've been owned, that their computers have been being used to harm the public, and that they (the computers) have been rendered inactive and they'll have to take the computer into the shop for repair (because no doubt they're infested with more than just this botnet). Some may say that's going too far, but imho, it's completely reasonable. They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME. How about it just delete their NIC drivers and post the message?

    --
    I work for the Department of Redundancy Department.