Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estonian ISP Shuts Srizbi Back Down, For Now

Posted by kdawson on from the informal-pressure dept.

wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) has briefly come back to life last week, allowing the botnet to hand-off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."

4 of 237 comments (clear)

  1. Re:Who wants to bet... by bossanovalithium · · Score: 5, Interesting

    Ok, am I being thick here, but why can't some enterprising soul (or organisation), use the algorhythm to take control of the bots and then gets them to purge or go inactive?

  2. Algorithm by Schraegstrichpunkt · · Score: 5, Interesting

    However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions . . .

    Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?

    --
    http://outcampaign.org/
  3. Re:Who wants to bet... by oliderid · · Score: 2, Interesting

    I guess the algorithm is linked in a way or another to a clock (time)...If they point to a atomic clock sync, isn't possible to spoof the IP (or change locally domain name config) and then to trace the next domain name?

  4. Re:Who wants to bet... by v1 · · Score: 5, Interesting

    I'd love to see that too. Spoofing traffic on IRC is easy. But the problem is the commands must be signed using the bot herder's private key. It's apparently a very large key, (1024 BYTE iirc) and no one has managed to break it yet.

    I bet there are several groups working on them though. Problem is, each time the herder pushes an update, they could rekey it, placing everyone's break attempts back on square 1.

    My PERSONAL preference here is that the command sent should cause the participating computers to post a notice on the user's screen telling them they've been owned, that their computers have been being used to harm the public, and that they (the computers) have been rendered inactive and they'll have to take the computer into the shop for repair. (because no doubt they're infested with more than just this botnet) Some may say that's going too far, but imho, it's completely reasonable. They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME. How about it just delete their NIC drivers and post the message?

    --
    I work for the Department of Redundancy Department.