Botnet Rises from the Ashes

By Greg McNevin

December 1, 2008: Just two weeks after being taken down by security firms, the Srizbi botnet is back with a vengeance after backup servers came online in Estonia.

The network of more than 100,000 spam-spewing PCs was busted up recently when control servers were identified and disconnected, resulting in a precipitous drop in spam levels around the world.

It was a short-lived victory, however, as the cyber criminals had a sophisticated fallback strategy in place. When infected PCs lost contact with the central server, they automatically began contacting new domains generated by an algorithm, trying to find a new route back to a host server. Because the operators know that algorithm, they only need to register one of the upcoming domains ahead of the bots to regain control.

Security researchers at FireEye Inc. managed to reverse engineer the algorithm and registered hundreds of the generated domains themselves to keep control of the botnet out of the spammers' hands. However, because of the expense, the company was not able to keep this up for long.
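To make the fallback mechanism and the defenders' counter-move concrete, here is an added example (not code from the article, from FireEye, or from the Srizbi malware) of a date-seeded domain generation algorithm with both sides that use it: the bot walking the day's candidate list until one resolves, and a defender who has reverse engineered the algorithm precomputing every domain the bots will try over a window. The hash construction, seed value, label length, candidate count and TLD pool are all assumptions chosen for illustration, as is the in-memory DNS table that stands in for real lookups.

```python
import hashlib
from datetime import date, timedelta

# Constructed example: a date-seeded domain generation algorithm (DGA)
# and the two parties that use it. The hashing scheme, label length,
# TLD pool and per-day count are assumptions, not Srizbi's real algorithm.

TLDS = ("com", "net", "info")      # assumed TLD pool
LABEL_LEN = 12                     # assumed label length
PER_DAY = 10                       # assumed candidates per day


def generate_domains(day, seed, count=PER_DAY):
    """Return the candidate rendezvous domains for one calendar day.

    Every bot carrying the same `seed` derives the same list, so the
    operator only has to register one entry to regain control.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map hash bytes onto lowercase letters, then pick a TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def bot_rendezvous(day, seed, resolve):
    """Bot side: try the day's candidates in order and return the first
    domain that resolves. `resolve` stands in for a DNS lookup and returns
    an address or None."""
    for domain in generate_domains(day, seed):
        if resolve(domain) is not None:
            return domain
    return None


def defender_precompute(seed, start, days):
    """Defender side: once the DGA is known, list every domain the bots
    will try over a window. Each one must be registered or sinkholed to
    keep the operator locked out, which is where the cost comes from."""
    out = []
    for n in range(days):
        out.extend(generate_domains(start + timedelta(days=n), seed))
    return out


if __name__ == "__main__":
    seed = b"constructed-botnet-key"          # assumed seed shared by all bots
    today = date(2008, 11, 26)
    # Constructed DNS view: only the fourth candidate has been registered.
    registered = {generate_domains(today, seed)[3]: "192.0.2.10"}
    print("bot connects to:", bot_rendezvous(today, seed, registered.get))
    window = defender_precompute(seed, today, 30)
    print(f"{len(window)} domains to register for a 30-day lockout")
```

The defender's list grows linearly with the window length and the per-day count, and every entry must be paid for before the operator reaches it; the operator, by contrast, pays for a single domain on the first day the defender misses. That asymmetry is what the article describes.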

“We have registered a couple hundred domains,” said Fengmin Gong, chief security content officer at FireEye. “But we made the decision that we cannot afford to spend so much money to keep registering so many.”

As a result, as soon as the company stopped, the spammers registered the next series of domains, promptly took back control of the botnet, updated the malware on the swarm of PCs and went back to business as usual, spamming inboxes.

If security firms can find an effective and legal way to warn the owners of the 100,000 or so infected machines, there is now a window of opportunity to do so. Likewise, as the company hosting the new central server has been identified, it may be possible to knock the offending ISP offline once again, although efforts to do so have so far been unsuccessful.