Spam Back on the Rise with Srizbi Resurrected

The New Acunetix V12 Engine


After McColo was partially disconnected from the Internet by it’s peers global spam dropped noticeably.

It seems however that the spam was emanating from a zombie network and the control servers were hosted by McColo, the creators of the botnet (Srizbi) were smart about it though and built a fail-safe system into the the malware.

It should be expected that spam will return to normal levels within a week or so.

On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers.

Turns out, Srizbi’s authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates.

With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there.

It seems to be a pretty advanced piece of malware, it acts as a rootkit so it’s hard to remove, it’s has a Python mailing component which allows 3rd party access – this makes it very probably the botnet is ‘rented’ out to spam houses. It also pretty powerful on the network level as it can directly attach NDIS and TCP/IP drivers to its own process to hide network traffic it generates.

Some claim Srizbi is the largest botnet and is responsible for over half of the spam being produced globally, so this is a worrying turn of events.

According to FireEye, a security company in Milpitas, Calif., that has closely tracked the botnet’s actviity, a number of those rescue domains were registered Tuesday evening, apparenly directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia.

FireEye senior security researcher Alex Lanstein said he fully expects spam volumes to recover to their pre-Nov. 11 levels within a couple of days.

“Srizbi was the spam king,” Lanstein said. “And now it’s back.”

Seen as though the main activity is happening in Eastern Europe it seems unlikely anyone will be able to stop it and due to the very nature of botnets (completely distributed) IP blacklisting is futile as the mail could be coming from anywhere.

Anyhow it’ll be an interesting story to watch and I hope there are some new developments in taking these botnets out.

Source: Security Fix

Posted in: Malware, Spammers & Scammers

, , , , , , , , , ,


Latest Posts:


SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.
Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.


One Response to Spam Back on the Rise with Srizbi Resurrected

  1. David December 11, 2008 at 3:24 pm #

    Eh, I still can’t belive how many tech savvy people I find that still continue to use IE and only IE.