Estonian ISP Shuts Srizbi Back Down, For Now
wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) briefly came back to life last week, allowing the botnet to hand off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Services be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
...that in two weeks this is going to be back up somewhere else in the world? Heck, we could turn it into a game, guessing which country it is being run from next.
However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions . . .
Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?
http://outcampaign.org/
If someone publishes the list of all the domains that Srizbi will go to for instructions for the next few years, we can all buy one each and stop the spammers from ever regaining control.
Good, but I'd be happier if the people involved had been arrested. Surely there must be enough information out there to trace the controllers of this bot net by now.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."
If so, perhaps we could try pre-registering the domains that will be used to control the bot-net, or seizing them if need be. Then perhaps we could tell the damn thing to shut itself down, or at least notify the owners of infection and then ignore instructions from any future botnet controllers...
I'm wondering why someone can't intercept the attempt and take control of the botnet themselves and then shut the whole thing down permanently by disabling all the bots.
I mean all you have to do is examine a machine in the botnet and you should be able to get any passwords/keys or whatever is used to access them. Obviously they have examined the command and control parts of it so I assume they know how that works too.
Someone please take out this botnet for good. The reduction in spam is incredible.
Another thing I was wondering... The machines in the botnet must have an open socket or something, would it be possible for a spam filtering system to check the machine sending mail to see if it's in this botnet? This botnet alone seems responsible for at least 95% of the spam I get.
Also, having every firewall subscribe to a central blacklist gives way to much control to a single entity.
Sure, you could argue the Internet's already controlled by a single entity, but that's already bad enough - giving over more control doesn't seem very wise to me.
Truth arises more readily from error than from confusion. -Francis Bacon
To all the people who are saying "just take the botnet down with that control system", this isn't always possible.
Think, for instance, of a virus that not only has this sort of "find my controller" system but that, when it finds instructions, checks an attached PGP public key to ensure their integrity and that they came from the original author. If this particular virus doesn't have it, the next breed will. That makes it completely immune to "false" updates, in the same way that Linux repositories and Windows Update are... unless you have the private key associated with that virus' creation, you can't issue an update that it will take notice of.
You can't stop things like this by just intercepting the botnets... you can slow them, hinder them, give you time, but there are ways around everything. The way to stop it is to SHUT OFF USERS who have those botnets, who have allowed their computers to be compromised. Permanently. Give them the incentive to actually keep their systems clean. They can move to another ISP etc. but the only way to stop them is to show them that leaving their PC open to infection is the problem here, along with an OS that allows that sort of compromise to be so easy, and not that some kid in Russia is somehow smarter or more resourceful than the entire world's IT experts.
I don't know if this worm actually does have a signed update system, but it's a very easy thing to do, with tons of well-audited, open-source, freely available code to do it for you. I would be very surprised if some malware somewhere wasn't already doing it.
I remember recently that they accused Russians or Chinese or whatever of attacking their government sites, and kind of created some serious cyberforce after these attacks?
Kind of makes me wonder. How is it possible to have some serious cyberforce and not be able to shut down a botnet which originates from your own country? Smelling bullshit somewhere.
- Arwen, I'm your father, Agent Smith.
- Well, you're just Smith, but my father is Aerosmith!
I don't know how much money these people are making, but having to move locations every two weeks surely isn't free. Plus, whilst you're moving and the botnet is down, you're not generating money (from the spamming).
If this is the case then I wouldn't mind this going on forever until they run out of money.
Speculating wildly here since I haven't read the code, but the herders probably use a technique similar to GeoHashing. GeoHashing uses the closing DOW average iirc, to generate coordinates somewhere in the world for that week. The point is you don't know where it's going to be in advance.
If the zombie can't connect to the C&C server, it looks up last night's DOW closing, generates the new domain name, and tries to connect there instead. It tries this for the last week's DOW averages, since DNS takes up to 3 days to propagate. That wouldn't even be necessary if the herder is always using the same registrar, because the zombies could just directly query a specific DNS server.
If the new C&C server isn't set up there yet, it just tries again tomorrow.
It would then become a race to see who could register the domain names the fastest each day/week, since you wouldn't know for sure what names to take until close that day. Due to the probably very odd and random nature of the domain names it would generate (could be 32-digit hex numbers.com), it would probably be possible to get the cooperation of a registrar somewhere to dummy-register ALL the likely candidates 5 minutes before market close on each day and leave them locked for a week (finally a LEGITIMATE USE for domain tasting!), and that may actually immobilize the botnet.
I work for the Department of Redundancy Department.
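The comment above (and the earlier questions about registrars running the algorithm ahead of time) describes exactly the defender's play against a date-seeded domain generation algorithm: run the reverse-engineered rule forward, register or sinkhole the candidates, and flag any host that resolves one of them. The following is an added illustration, not code from the article or from any analysis of Srizbi. The seed-to-domain rule (`toy_dga`) is an invented stand-in for whatever the real malware does, the "DOW close" seed is a placeholder string, and the DNS log lines are constructed.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical, constructed seed-to-domain rule standing in for a reverse-engineered DGA.
# It is NOT Srizbi's real algorithm; the point is that once analysts have the real rule,
# defenders can run it forward exactly like this and act on the output.
TLD = ".com"
SEED = "dow-close-placeholder"   # stands in for the public, date-bound value the comment imagines
TODAY = date(2008, 11, 26)       # constructed reference date for the sample data below


def toy_dga(day: date, seed: str = SEED) -> str:
    """Derive the single candidate C&C domain for `day` from a public, date-bound seed."""
    digest = hashlib.sha256(f"{day.isoformat()}|{seed}".encode()).hexdigest()
    return digest[:32] + TLD     # a 32-hex-character label, as the comment above imagines


def candidate_domains(start: date, days_ahead: int, lookback: int = 7) -> set:
    """Every domain a bot could try from `start - lookback` through `start + days_ahead`.

    The lookback mirrors the 'tries the last week's seeds too' behaviour described above;
    this is the list a registry would lock or a sinkhole operator would pre-register.
    """
    return {toy_dga(start + timedelta(days=d)) for d in range(-lookback, days_ahead + 1)}


def flag_dga_queries(log_lines, candidates):
    """Return (client_ip, qname) pairs for DNS log lines whose query name is a precomputed candidate.

    Expected line shape (constructed for this example): '<timestamp> <client_ip> <qname> <qtype>'.
    A hit means the client is running something that follows the DGA, i.e. a likely infection.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                      # malformed line: skip rather than crash the pass
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in candidates:
            hits.append((client, qname))
    return hits


# Constructed DNS resolver log: two ordinary lookups and two that follow the (toy) DGA,
# one for today's seed and one for a seed two days old (the retry window).
SAMPLE_DNS_LOG = [
    "2008-11-26T09:00:01 10.0.0.5 www.example.com A",
    f"2008-11-26T09:00:02 10.0.0.17 {toy_dga(TODAY - timedelta(days=2))} A",
    "2008-11-26T09:00:03 10.0.0.5 mail.example.net MX",
    f"2008-11-26T09:00:04 10.0.0.17 {toy_dga(TODAY)}. A",
]


def infected_clients(log_lines=SAMPLE_DNS_LOG, today: date = TODAY) -> set:
    """Distinct client IPs that queried any candidate in the lookback/lookahead window."""
    window = candidate_domains(today, days_ahead=7)
    return {client for client, _ in flag_dga_queries(log_lines, window)}


if __name__ == "__main__":
    print("domains to pre-register for the coming week:")
    for d in sorted(candidate_domains(TODAY, days_ahead=7, lookback=0)):
        print("  ", d)
    print("clients that resolved a DGA candidate:", sorted(infected_clients()))
```

The detector deliberately matches on the precomputed set rather than on "looks like 32 hex characters", because a heuristic would also catch legitimate hash-named CDN hosts; exact membership in the forward-computed list is what a registry lock, a sinkhole or an ISP notification can act on without false positives.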
Wouldn't it be possible to go after the individual bots? It can't be hard to figure out which IPs (machines) are used, and then just contact the ISP that delivers the network connection to them and tell them to deal with the situation.
Have them contact the subscriber and give them some time to fix their computer; if they don't, then cut them off.
The ISP that doesn't do this would get a warning and some time to deal with the situation, and after that the ones who deliver connectivity to them should cut them off.
All serious ISPs would conform if there was a good incentive to do so. The others should get cut off.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
In essence this is the largest game of Whack-A-Mole ever played.
I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
Though it will be a pain when my wife asks me what that message means, and can't I get it off the screen so she can finish the I.Q. test she's taking... this is important stuff she does, you know, so interruptions should be kept to a minimum...
Then I can teach her what she needs to know about Ubuntu. Should take about 15 minutes.
Shakespeare didn't know about the Internet, or he would have written 'first, we kill all the spammers'.
deleting the extra space after periods so i can stay relevant, yeah.
Assuming they're dot-coms being registered, then can't ICANN simply not allow registration for domains fitting the algorithm except to the director of a proven, established and registered business (i.e. traceable and suable)? If it really was a 32-digit hex then wouldn't they stand out like a sore thumb?
What they're more likely to go for is simply increasing the minimum charge for such domains to $1Million USD ... business as usual.
If the bots blindly accepted commands with authentication. But that would be really dumb.
Look dude, Christianity has got enough false accusations to deal with without utter fiction streaming out of the mind of people who clearly know nothing. Get a grip, get a life, learn some history.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
You're all going at it the wrong way. Just null-route all POSSIBLE botnet server IPs for the next few years at the major backbone ISPs. There, problem solved!
Why not start a site that automatically checks and updates users' computers against the botnet? Like a virus scanner. I am sure that most people are unaware that the computer they use daily is sending spam to thousands of people. And most people would click the free update to put an end once and for all to the spam in the world. Sites like YouTube and Google, CNN, BBC, Facebook and MySpace should make it mandatory to pass a clean bill of health to visit the sites. Start making people log into the sites with a personal ISP address (one that has to have a registered global position of the person's home address or billing location). I believe that there are twice as many answers to the problems as there are problems. (The registered, confirmed addresses (kinda like the email confirmations) sound like the best way to stop the stupid game.) And if the "botnet" is making someone so much money, wouldn't it make sense to trace the money to its destination to find the person or persons behind it?? I mean, tell me if I am wrong here, but it's the internet, where just about anything is possible. Get with Microsoft, Linux, and the others, and make a mandatory update to end the botnets once and for all; hell, make the anonymity of the web a thing of the past for all I care. I would like to see them catch the bastards who keep sending me 35 emails a day trying to sell me Viagra, and watch them rot in jail (the next top interactive webcam site, one where we can pay to throw things at or shoot with something like those hunting sites (not real bullets of course, we wouldn't want to ruin the fun for the next guy)). An electric bed, or potty, ZAP ZAP, to set an example for anyone who would want to follow in his footsteps.
And for the last thing, if people would stop clicking on the SPAM the guy wouldn't make money on it and it would not be worth his time. (YES, YOU, STOP CLICKING THE FRIGGEN EMAILS. NO, YOU'RE NOT THE LUCKIEST GUY ON THE INTERNET AND GOING TO GET A LOT OF MONEY FROM SOME LOTTERY THAT YOU WON OR SOME DEAD GUY WITH THE SAME LAST NAME. IT'S ALL A SCAM.)
Is a command that even worked with the Borgs, a lot more advanced than that puny Srizbi botnet.
A bit more in the real world: some years ago I got so tired of getting firewall notifications of machines sharing their disks on the internet that at one point I put on all those desktops a text explaining what they had wrong and how to fix it. But I was wrong; you don't fix harm by doing even more harm. If their PCs are misbehaving on the internet, it is their ISP's (or someone else's they already know) responsibility to warn/block/teach them.
Oooooooh, awesome idea. I'm sure some botnet is going to start using it. Seriously, no sarcasm, awesome idea.
Um, you mean, nullroute the entire Internet?
Start with Spamhaus' DROP-List...
cpghost at Cordula's Web.
OK, Russia is corrupt and doesn't care about botnets. But Estonia is an EU member. Instead of shutting down C&C servers, they should have obtained a court order to seize at least one of the C&C servers and use it to retrieve the secret key used to sign commands. Then this key could be used to kill the whole botnet.
"Estonia's biggest ISP Linxtelecom" - where does this info come from!? Linxtelecom has about 1-2% of the market in Estonia (which has a population of roughly 1.3 million people).
I have the right to not have the net flucked up by idiots who think they can do what they want to the detriment of others, and also by idiots who don't know how to keep their machines free of this muck?
And where is this right defined? In which article of statute or law does it specify your 'right' to internet access at the fastest possible speed? Where does it state that your rights are more important than any other internet user?
The law in your country is probably not the same as the law in another. You cannot make assumptions about your international 'rights' based solely on what you think is good for you. If there is no-one in your country using spam, generating spam, buying things being advertised by spam or being part of this botnet then why don't you simply get your country to disconnect itself from the rest of the world. Hey, your spam problem will be fixed!
Have a look at soylentnews.org for a different view
"Botnets! Spammers Botnets! What kind of boxes are on botnets?
Compaq, HP, Dell & Sony, true! Gateway, Packard Bell, Maybe even Asus, too!
Are boxes, found on botnets. All running Windows, FOO!"
Guaranteed! This comment 100% Anthrax free!
That was done for a while but got too expensive. Which leads to the question - why can't the top level registrars simply generate all possible names and prevent any of them being registered? They're all garbage so nobody would want them for legitimate reasons anyway.
You don't need funds to register the domains. You simply lean on the domain registrar.
I'm a registrar. I have no problem whatsoever refusing to register domain names that match a certain algorithm, in fact I'm trying to find the algorithm to do just that.
*BUT* there are lots of registrars (I'm number 616, I think the counter is over the thousand-mark now). You'd need to lean on the registry, and maybe on ICANN. If you do I'm certain that a change to the algorithm will be pushed before you accomplish anything.
Since people know where the servers are, don't just cut off the packet stream, but go in there, launch real hardware-level forensics on the computers (RAM memory decay...) to get whatever private keys there are, sniff to see where the upstream commands are coming from, find out who PAID for the servers, whatever, go UP the food chain and imprison the real physical people who are doing this!