November 26, 2008

Spammers regaining control over massive botnet

Zombie computers are coming back to life

By Jeremy Kirk, IDG News Service


Computers that are part of the Srizbi botnet - which by some estimates sent nearly half of the world's spam - are being reactivated, according to researchers from FireEye.


"Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary," according to a blog post on Tuesday by Atif Mushtaq and Alex Lanstein of FireEye. "The worldwide update began just a few hours ago."

Srizbi's computers were controlled by spammers via the rogue ISP (Internet Service Provider) McColo, based in San Jose, California.

When McColo was shut down, those computers tried to call back and get new instructions to send spam. But the botnet operators created a way to get those machines back if they were stranded.

FireEye researchers essentially did an autopsy on Srizbi's code. They found that the hackers put in an algorithm that dynamically generates a domain name from which a compromised computer could fetch new instructions.

The hackers could then register that domain name and put instructions there to tell the compromised PC to go to a different command-and-control server -- not McColo's -- for new instructions.

FireEye figured out how the algorithm worked, and the company registered the gibberish domain names, such as "auaopagr.com," that the algorithm generated. When those machines reported for duty, there were no instructions. But FireEye could not keep pre-empting the spammers by buying an indefinite number of domain names.
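The defender's side of that story, as an added example that is not part of the original article and not FireEye's or Srizbi's code: a deliberately simple, hypothetical date-seeded generator stands in for the bot's algorithm (the seed, the domain format and the DNS log format are all constructed for illustration). Once the generator is known, a defender can precompute the rendezvous domains for the coming days, register or sinkhole them, and match resolver logs against the list to find infected hosts. The same code also makes the cost problem the article mentions concrete: the watchlist grows linearly with every day of coverage.

```python
"""Why a predictable domain-generation algorithm (DGA) lets defenders
precompute rendezvous domains, and why registering them only buys time.

The generator here is a hypothetical stand-in constructed for illustration;
it is not Srizbi's algorithm and the seed is made up.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

SEED = b"hypothetical-seed"  # constructed; a real bot would carry its seed in the binary


def toy_dga(day: date, count: int = 4, tld: str = ".com") -> list[str]:
    """Derive `count` pseudo-random domains for one calendar day.

    Deterministic: whoever holds the seed (the operator, or a researcher who
    reverse-engineered the bot) derives the same list for the same day.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        # map the first 8 digest bytes onto a-z to get a "gibberish" label
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(label + tld)
    return domains


def precompute(start: date, days: int) -> dict[str, date]:
    """Every domain a defender would have to register (sinkhole) to cover
    `days` consecutive days, mapped to the day each becomes active."""
    table: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for dom in toy_dga(day):
            table[dom] = day
    return table


def find_dga_lookups(log_lines: list[str], watchlist: dict[str, date]) -> list[tuple[str, str]]:
    """Return (client, domain) pairs for DNS queries that hit a watchlisted domain.

    Assumed (constructed) log format: "<timestamp> <client-ip> query <qname>".
    Malformed lines are skipped; case and a trailing dot on the qname are tolerated.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue
        qname = parts[3].lower().rstrip(".")
        if qname in watchlist:
            hits.append((parts[1], qname))
    return hits


# --- constructed sample data -------------------------------------------------
START = date(2008, 11, 25)          # the day before this article's date
WATCHLIST = precompute(START, 7)    # one week of rendezvous domains
FIRST = toy_dga(START)[0]

SAMPLE_LOG = [                      # constructed DNS resolver log lines
    "2008-11-25T10:00:01Z 192.0.2.10 query www.example.com",
    f"2008-11-25T10:00:02Z 192.0.2.11 query {FIRST}",
    f"2008-11-25T10:00:03Z 192.0.2.12 query {FIRST.upper()}.",
    "2008-11-25T10:00:04Z 192.0.2.13 malformed",
]

if __name__ == "__main__":
    print("domains for", START, "->", toy_dga(START))
    print("one week needs", len(WATCHLIST), "registrations; a year needs",
          len(precompute(START, 365)))
    for client, dom in find_dga_lookups(SAMPLE_LOG, WATCHLIST):
        print(f"host {client} asked for sinkholed domain {dom}")
```

Two things the article's account turns on are visible here. First, the defender never needs to talk to the bots: knowing the generator is enough to hold the domains before the operator does, and the hosts that query them identify themselves in ordinary resolver logs. Second, `precompute(START, 365)` returns 1,460 domains for this toy with four names a day; a real generator with more names per day, more TLDs, or a seed the operator can change makes indefinite pre-registration exactly as impractical as the article says.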

The compromised computers are now connecting to domain names registered by the spammers and getting updated code, including templates for new spam campaigns. The new command-and-control servers are in Estonia and the domain names are being bought from a registrar in Russia, FireEye said.

Srizbi at one time amounted to more than 450,000 PCs, and it remains to be seen how many of those machines have updated code. But three other botnets that were controlled via McColo -- Rustock, Cutwail and Asprox -- all appear to also be coming back online.

Dmitry Samosseiko of computer security vendor Sophos wrote on Wednesday that spam levels suddenly surged earlier this week, due in part to the resurgence of the Rustock botnet.

McColo's connectivity was briefly restored by mistake by TeliaSonera, and the precious few hours online allowed spammers to tell computers infected with Rustock where to go for new instructions.

Antispam vendor MessageLabs, which was recently acquired by Symantec, hasn't noted a rise in spam associated with Srizbi, said Paul Wood, a senior analyst based in its U.K. offices.

Wood said MessageLabs analyzes spam that ends up in the inboxes of its 8 million users and it may be that Srizbi is either not up to speed yet or changed how it targets people.
