15 January 2009

Next-Gen Botnets Taking The Place of Storm and Srizbi


Back in November there was a considerable drop in spam when the spam-friendly ISP McColo was cut off from the Internet by its upstream peer.

The Srizbi worm was pretty smart though, and was picking up again by the end of November. Later in the year the botnets were somewhat neutralised, leading to a huge drop in spam.

But now, they are back – re-engineered – and ready to spam without going down again.

The demise late last year of four of the world’s biggest spam botnets was good news for anyone with an email inbox, as spam levels were cut in half – almost overnight. But the vacuum has created opportunities for a new breed of bots, some of which could be much tougher to bring down, several security experts are warning.

New botnets with names like Waledac and Xarvester are filling the void left by the dismantling of Storm and the impairment of Bobax, Rustock, and Srizbi, these researchers say. The new breed of botnets – massive networks of infected Windows machines that spammers use to blast out billions of junk messages – sport some new designs that may make them more immune to current take-down tactics.

Waledac is a good example. It appears to be a complete revision of Storm that includes the same state-of-the-art peer-to-peer technology and fast-flux hosting found in its predecessor, according to researcher Joe Stewart of Atlanta-based security provider SecureWorks. But it differs from Storm in one significant way: weak encryption protocols, which proved to be an Achilles' heel that led to its downfall, have been completely revamped.

That’s one problem with attacking these botnets and the malware behind them: the people doing it aren’t kids having fun. They are business syndicates making serious money, so whatever you do, they are going to learn from it and adapt their software and methods to circumvent it.

That’s what seems to be happening now with Waledac, a new re-engineered version of Storm with stronger encryption protocols. They learnt from their mistakes and released a new, updated and more powerful version.

What amazes me is that in the Xarvester malware, it actually makes use of the Windows crash reports – sending them to the developers to make the bot more stable!

“Several researchers are actively studying the communications, but I don’t know if and when it will be broken and hijackable,” said Jose Nazario, a security researcher at Arbor Networks. “The guys behind the botnet seems intent on staying up and so evading researchers seems like the most appropriate thing to do.”

Waledac has amassed some 10,000 zombie computers so far, a tiny fraction of the bigger botnets. But Stewart expects it to be a major player in the coming months. Meanwhile, a spam botnet called Xarvester is making similar inroads. It is the world’s third-biggest spammer, accounting for over 13 percent of the world’s spam, according to Marshall. What’s more, its uncanny resemblance to Srizbi has sparked suspicions it is a reincarnation of that notorious botnet. Similarities include an HTTP-based command and control center that uses non-standard ports, encrypted template files used to send spam and configuration files with the common formats and data.

It also has a sophisticated feedback system that helps bot developers squash bugs so the software is harder to detect on a victim’s machine.

“Just like Srizbi, Xarvester has the ability to upload the Windows minidump crash dump file to a control server in the event that the bot crashes a system,” according to this analysis from Marshall. “This is presumably to help the botnet controllers debug their bot software.”

It seems like Xarvester has some uncanny resemblances to Srizbi too, so maybe it’s a new, updated release from the same group which fixes the flaws that made Srizbi fail in the long term.
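As an added defender-side example (not code from the original post or from The Register), here is a small Python checker that runs over constructed proxy-style log lines and flags the two Xarvester traits described above: HTTP traffic to non-standard ports, and POST uploads of Windows minidump files (recognised by a .dmp name or by the "MDMP" signature that starts every minidump header). The log format, the list of ports where HTTP is expected, and the sample lines are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Windows minidump files begin with the ASCII signature "MDMP" (MINIDUMP_HEADER.Signature).
MINIDUMP_MAGIC = b"MDMP"
# Ports where HTTP is expected on this (assumed) network; HTTP seen elsewhere is flagged.
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}

# Constructed log format for this example, not a real product format:
# <client_ip> <dst_ip>:<dst_port> <METHOD> <path> bytes_out=<n> body_prefix=<hex of first body bytes>
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"bytes_out=(?P<bytes>\d+) body_prefix=(?P<prefix>[0-9a-fA-F]*)$"
)

@dataclass
class Alert:
    src: str
    dst: str
    port: int
    reason: str

def analyse_line(line):
    """Return the list of alerts raised by one log line (empty if it parses badly or is benign)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    port = int(m["port"])
    prefix = bytes.fromhex(m["prefix"])  # empty prefix -> b""
    alerts = []
    if port not in STANDARD_HTTP_PORTS:
        alerts.append(Alert(m["src"], m["dst"], port, "http-on-nonstandard-port"))
    is_dump_name = m["path"].lower().endswith(".dmp")
    if m["method"] == "POST" and (prefix.startswith(MINIDUMP_MAGIC) or is_dump_name):
        alerts.append(Alert(m["src"], m["dst"], port, "minidump-upload"))
    return alerts

def analyse_log(lines):
    """Run analyse_line over every line and collect the alerts in log order."""
    return [a for line in lines for a in analyse_line(line)]

# Constructed sample: one normal fetch, a config pull and a crash-dump POST on port 4480,
# and a .dmp upload over standard HTTPS. 4d444d50 is "MDMP"; 93a70000 is the minidump version field.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10:80 GET /index.html bytes_out=0 body_prefix=
10.0.0.7 203.0.113.20:4480 GET /cfg.bin bytes_out=0 body_prefix=
10.0.0.7 203.0.113.20:4480 POST /upload bytes_out=65536 body_prefix=4d444d5093a70000
10.0.0.9 203.0.113.30:443 POST /api/crash.dmp bytes_out=1024 body_prefix=
""".splitlines()

if __name__ == "__main__":
    for a in analyse_log(SAMPLE_LOG):
        print(f"{a.src} -> {a.dst}:{a.port} {a.reason}")
```

Both rules are heuristics: tune the port list to what your proxies really serve, and treat a flagged host as a lead for further investigation rather than a verdict.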

The infection rates for these bots are quite low currently, but due to the new measures the developers have taken, they are likely to gain many more infections and be much harder to detect, remove and stop.

Source: The Register


6 Responses to “Next-Gen Botnets Taking The Place of Storm and Srizbi”

  1. eM3rC 16 January 2009 at 3:06 am Permalink

    God it’s amazing to see how much botnets have evolved.

    I wonder what the different AV companies have in store to counter these additions to the botnets.

  2. Extremesecurity 16 January 2009 at 11:59 am Permalink

    Well, I think we are going to a totally new game level. So folks, review your current defenses and try to conduct some malware prevention and containment exercises.

  3. goodpeople 19 January 2009 at 9:31 am Permalink

    oh dear.. how sad.. never mind

    one other chapter in the never ending story.

    Keep your scanners/firewalls/malware detection tools etc. up to date. One up for the mouse in this eternal cat & mouse thing. The cat will catch up eventually.

  4. Bogwitch 19 January 2009 at 8:04 pm Permalink

    The cat will catch this mouse eventually, but mice breed faster than cats and there’s a lot of them already…

  5. d347hm4n 19 January 2009 at 10:10 pm Permalink

    Well said Bogwitch ^^

  6. monk3ybidzness 13 March 2009 at 6:32 am Permalink

    Varieties of Spam vary by region and include Spam Classic, Spam Hot & Spicy, Spam Less Sodium, Spam Lite, Spam Oven Roasted Turkey, Hickory Smoked, and Spam Spread.

    Have a great day!