Spam Back on the Rise with Srizbi Resurrected


After McColo was partially disconnected from the Internet by it’s peers global spam dropped noticeably.

It seems however that the spam was emanating from a zombie network and the control servers were hosted by McColo, the creators of the botnet (Srizbi) were smart about it though and built a fail-safe system into the the malware.

It should be expected that spam will return to normal levels within a week or so.

On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers.

Turns out, Srizbi’s authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates.

With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there.

It seems to be a pretty advanced piece of malware, it acts as a rootkit so it’s hard to remove, it’s has a Python mailing component which allows 3rd party access – this makes it very probably the botnet is ‘rented’ out to spam houses. It also pretty powerful on the network level as it can directly attach NDIS and TCP/IP drivers to its own process to hide network traffic it generates.

Some claim Srizbi is the largest botnet and is responsible for over half of the spam being produced globally, so this is a worrying turn of events.

According to FireEye, a security company in Milpitas, Calif., that has closely tracked the botnet’s actviity, a number of those rescue domains were registered Tuesday evening, apparenly directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia.

FireEye senior security researcher Alex Lanstein said he fully expects spam volumes to recover to their pre-Nov. 11 levels within a couple of days.

“Srizbi was the spam king,” Lanstein said. “And now it’s back.”

Seen as though the main activity is happening in Eastern Europe it seems unlikely anyone will be able to stop it and due to the very nature of botnets (completely distributed) IP blacklisting is futile as the mail could be coming from anywhere.

Anyhow it’ll be an interesting story to watch and I hope there are some new developments in taking these botnets out.

Source: Security Fix

Posted in: Malware, Spammers & Scammers

, , , , , , , , , ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


One Response to Spam Back on the Rise with Srizbi Resurrected

  1. David December 11, 2008 at 3:24 pm #

    Eh, I still can’t belive how many tech savvy people I find that still continue to use IE and only IE.