Botnet rises again
Srizbi, one of the largest known botnets, appears to be regaining strength, despite its bots having lost contact with the control server around two weeks ago, following the closure of US hosting company McColo. Following the loss of their main artery of communication, the bots have switched to a kind of emergency communication and are, according to security services provider FireEye, contacting domains the names of which are calculated using a specific algorithm.
By knowing the algorithm, the 'bot herders' can register the domains in advance and install a control server at the relevant addresses. The bots calculate a new 'emergency domain' every 72 hours. FireEye claims to have decrypted the algorithm and for a while was registering the domains itself in order to prevent the criminals from having access to the domains.
Due to the number of domains generated, however, this venture was so expensive – costing around $4,000 per week – that they were forced to desist. The domains were then once more registered by the bot herders.
FireEye says that it was in a position to be able to command the bots to delete themselves from infected systems. Due to concerns that this could damage PCs, however, they refrained from doing so. It is estimated that 40 per cent of global spam originates from the Srizbi botnet. Around half a million PCs are infected with one of fifty variants of the Srizbi bot. After a short-term reduction, spam levels have now returned to normal.
- Srizbi Botnet Re-Emerges Despite Security Firm's Efforts, report by Brain Krebs/Washington Post