Thursday, November 27, 2008

Blog: Srizbi Bots Seek Alternate Command-and-Control Servers; believed to generate half of all worldwide spam

SANS NewsBites Vol. 10 Num. 94 (fwd)

Tue, 2 Dec 2008

--Srizbi Bots Seek Alternate Command-and-Control Servers (November 26 & 27, 2008)

The Srizbi botnet, which went dark when the web hosting company McColo was taken offline several weeks ago, appeared to be back online early last week. Srizbi includes a domain generation algorithm: if the bots lose their hardcoded command-and-control connection, they compute a fresh set of domain names and try to contact those for instructions. The botnet suffered another setback when the Estonian Internet service provider (ISP) that had briefly hosted its new command-and-control servers also cut off service to them. Srizbi is estimated to comprise more than 450,000 PCs, and it is believed that half of all spam generated worldwide comes through the Srizbi botnet. Srizbi had been kept at bay for several weeks because researchers reverse engineered its code, worked out which domains the bots would search for, and registered those domains themselves so the bot masters could not regain control of the army of infected machines.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121758&source=rss_topic17

http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/
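The item above describes the two halves of the Srizbi episode: a bot-side algorithm that derives fallback domains, and a defender-side effort to precompute and register those same domains first. The following is an added illustration written for this post, not code from the newsletter or from Srizbi itself. The DGA shown (SHA-256 over a per-botnet constant and the date), the constants MAGIC, TLDS and DOMAINS_PER_DAY, the toy in-memory "DNS", and the 192.0.2.1 / 203.0.113.7 addresses are all constructed assumptions; Srizbi's real algorithm is not reproduced here. It also shows the caveat the story implies: the defenders win only while their registration horizon stays ahead of the operators.

```python
"""Toy date-seeded domain generation algorithm (DGA) plus the defender's
counter-move of precomputing and sinkholing the candidates.
Hypothetical construction for illustration; NOT Srizbi's actual algorithm."""
import datetime
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

TLDS = ("com", "net")          # assumption: the toy DGA rotates over two TLDs
DOMAINS_PER_DAY = 4            # assumption: four candidates per day
MAGIC = b"toy-botnet-seed"     # assumption: a per-botnet constant baked into the binary
EXAMPLE_DAY = datetime.date(2008, 11, 26)   # constructed sample date
SINKHOLE_IP = "192.0.2.1"      # constructed; TEST-NET documentation range
OPERATOR_IP = "203.0.113.7"    # constructed; TEST-NET documentation range


def dga(day: datetime.date, magic: bytes = MAGIC, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Derive the day's candidate C2 domains. Deterministic: every bot with the
    same magic and the same clock derives the same list, which is exactly what
    lets a reverse-engineer holding the binary derive it too."""
    out = []
    for i in range(count):
        seed = magic + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(seed).digest()
        # ten lowercase letters from the digest, TLD chosen by the next byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return out


def bot_find_c2(resolve: Callable[[str], Optional[str]], today: datetime.date,
                lookback_days: int = 1) -> Optional[str]:
    """Bot side: after losing its hardcoded C2, walk today's candidates (and
    yesterday's, to tolerate clock skew) and take the first that resolves."""
    for delta in range(lookback_days + 1):
        day = today - datetime.timedelta(days=delta)
        for domain in dga(day):
            ip = resolve(domain)
            if ip is not None:
                return ip
    return None


def defender_precompute(start: datetime.date, days_ahead: int) -> List[str]:
    """Defender side: once the algorithm and its constant are recovered from
    the binary, enumerate every domain the bots will look for over a horizon
    so those names can be registered and pointed at a sinkhole first."""
    return [d for n in range(days_ahead)
            for d in dga(start + datetime.timedelta(days=n))]


def make_resolver(registered: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Constructed stand-in for DNS: a dict of domain -> IP."""
    return lambda name: registered.get(name)


def scenario(today: datetime.date = EXAMPLE_DAY, horizon_days: int = 7) -> Tuple[Optional[str], str]:
    """Race between defenders and operators. Defenders sinkhole `horizon_days`
    worth of domains starting today; the operators then register one of the
    domains for today+3. Returns (IP the bot reaches on that day, the domain
    the operators picked)."""
    dns = {d: SINKHOLE_IP for d in defender_precompute(today, horizon_days)}
    target_day = today + datetime.timedelta(days=3)
    operator_domain = dga(target_day)[2]
    # setdefault: the name is only available if the defenders did not take it
    dns.setdefault(operator_domain, OPERATOR_IP)
    reached = bot_find_c2(make_resolver(dns), target_day)
    return reached, operator_domain


if __name__ == "__main__":
    print("day's candidates:", dga(EXAMPLE_DAY))
    print("7-day horizon  ->", scenario(EXAMPLE_DAY, 7)[0])   # sinkhole wins
    print("2-day horizon  ->", scenario(EXAMPLE_DAY, 2)[0])   # operators win
```

With a seven-day horizon the bot lands on the sinkhole; with a two-day horizon the defenders have already fallen behind by day three and the bot reaches the operators' server. That is why the registration effort in the story had to be sustained rather than done once, and why the later move to an Estonian host counted as a setback for the defenders as much as a problem for the operators.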

[Editor's Note (Pescatore): The bot client strategies for finding command and control centers have gotten increasingly devious. New techniques use mechanisms that are very similar to old-style spycraft, the cyber equivalent of spy numbers stations and chalk Xs on mailboxes.

The needed security breakthrough here is being able to tell automated actions from user-driven actions from the network, rather than relying on blocking communications to command and control centers.]
