Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estonian ISP Shuts Srizbi Back Down, For Now

Posted by kdawson on from the informal-pressure dept.

wiedzmin writes "In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) has briefly come back to life last week, allowing the botnet to hand-off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Service be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world."

6 of 237 comments (clear)

  1. Re:Who wants to bet... by bossanovalithium · · Score: 5, Interesting

    Ok, am I being thick here, but why can't some enterprising soul (or organisation), use the algorhythm to take control of the bots and then gets them to purge or go inactive?

  2. Algorithm by Schraegstrichpunkt · · Score: 5, Interesting

    However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions . . .

    Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?

    --
    http://outcampaign.org/
  3. Think by ledow · · Score: 5, Insightful

    To all the people who are saying "just take the botnet down with that control system", this isn't always possible.

    Think, for instance, of a virus that not only has this sort of "find my controller" system but that, when it finds instructions, checks an attached PGP public key to ensure their integrity and that they came from the original author. If this particular virus doesn't have it, the next breed will. That makes it completely immune to "false" updates, in the same way that Linux repositories and Windows Update are... unless you have the private key associated with that virus' creation, you can't issue an update that it will take notice off.

    You can't stop things like this by just intercepting the botnets... you can slow them, hinder them, give you time, but there are ways around everything. The way to stop it is to SHUT OFF USERS who have those botnets, who have allowed their computers to be compromised. Permanantly. Give them the incentive to actually keep their systems clean. They can move to another ISP etc. but the only way to stop them is to show them that leaving their PC open to infection is the problem here, along with an OS that allows that sort of compromise to be so easy, and not that some kid in Russia is somehow smarter or more resourceful than the entire world's IT experts.

    I don't know if this worm actually does have a signed update system, but it's a very easy thing to do, with tons of well-audited, open-source, freely available code to do it for you. I would be very surprised if some malware somewhere wasn't already doing it.

  4. Re:Who wants to bet... by v1 · · Score: 5, Interesting

    I'd love to see that too. Spoofing traffic on IRC is easy. But the problem is the commands must be signed using the bot herder's private key. It's apparently a very large key, (1024 BYTE iirc) and no one has managed to break it yet.

    I bet there are several groups working on them though. Problem is, each time the herder pushes an update, they could rekey it, placing everyone's break attempts back on square 1.

    My PERSONAL preference here is that the command sent should cause the participating computers to post a notice on the user's screen telling them they've been owned, that their computers have been being used to harm the public, and that they (the computers) have been rendered inactive and they'll have to take the computer into the shop for repair. (because no doubt they're infested with more than just this botnet) Some may say that's going too far, but imho, it's completely reasonable. They should share some of the responsibility for the actions of their computer after allowing it to be hijacked and being used to abuse ME. How about it just delete their NIC drivers and post the message?

    --
    I work for the Department of Redundancy Department.
  5. Re:Who wants to bet... by Fex303 · · Score: 5, Funny

    The Russian authorities have an attitude problem, and don't give a tinker's damn about the crime being committed from their soil, as long as it isn't Russian citizens being targeted. Which goes part-way to explain why cybercriminals NEVER target people in their own countries.

    You misspelled 'American' in your post. Twice.

  6. Re:Who wants to bet... by Anonymous Coward · · Score: 5, Insightful

    Stay the hell away from both my computer and my wallet.
     THIS, from a person whose computer is already hijacked and being used for illegal activities?

    Using evil methods to accomplish noble goals is still evil. Once you accept computer hijacking under some circumstances, how do you define the motives for which it's ok? Would it be ok to create or use a zombie net to process SETI or protein folding data? To scan for other zombies? How about DB indexing for your job?

    If you're going to try to claim the moral high ground, you need to stick to the high ground and not compromise your ethics for the sake of expediency.