
...from: http://computerworld.com/action/article.do?command=viewArticleBasic&arti...
Spam levels climb as criminals replace crippled botnets
Four weeks after McColo takedown, spam back to 63% of earlier volume
By Gregg Keizer
December 9, 2008 (Computerworld) Four weeks after spam levels plummeted when a rogue hosting company was yanked off the Internet, junk mail volumes are again up, a researcher said today.
According to IronPort Systems Inc., spam volumes have partially recovered since the Nov. 11 takedown of McColo Corp., the California hosting firm that was pulled off the Web by its upstream service providers after security researchers presented them with overwhelming evidence that it was harboring a wide range of criminal activity. Among McColo's clients: cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets in the world.
Yesterday, approximately 94.6 billion spam messages were sent worldwide, said IronPort, which estimated today's volume at 96.8 billion. Those numbers were 62% and 63%, respectively, of the 153 billion spam messages sent four weeks ago, the day McColo went offline.
Immediately after the takedown, spam levels dropped to 64.1 billion, just 42% of the pre-McColo volume.
Spam's resurgence comes courtesy of several botnets -- some well-known, some not -- that were largely unaffected by McColo's disappearance, said Joe Stewart, director of malware research at SecureWorks Inc.
First of all, reports that the "Srizbi" and "Rustock" botnets have been resurrected are "mostly untrue," said Stewart. "These botnets are not monolithic, especially Srizbi, which is in the hands of a lot of people. Each has a couple of variants [of the bot Trojan], and maybe a few thousand bots. Some have regained control of their botnets, some have not."
In fact, Srizbi and Rustock -- which were the world's largest and third-largest botnets, respectively, before Nov. 11 -- have effectively faded into the background. "It's looking like these botnet spam providers have had their customers jump ship," said Stewart.
Other botnets have stepped up to take their place.
"Mega-D has come back to its original strength," Stewart said, referring to another botnet that had been controlled by McColo-hosted servers. "Cutwail is running strong, and so is Kraken. Botnets that weren't badly affected [by McColo going offline] seem to have picked up customers."
Other researchers have recently reported Mega-D's restoration. London-based Marshal8e6, for example, said yesterday that Mega-D's controllers have set up new command servers, re-established links with their compromised PCs and have resumed spamming.
The criminals who ran Srizbi and Rustock have had far less success, said SecureWorks' Stewart. "Everyone fully expected Srizbi to come back," he noted, although that's not happened. Srizbi's controllers were stymied for a while by FireEye Inc., which for a time was registering the domain names the bots would use to reconnect with new command servers. FireEye, however, was unable to finance the tactic indefinitely, and stopped.
"We're seeing Srizbi bots that are asking for [routing] domain names that aren't registered to anyone," said Stewart. He was unable to explain why the hackers had walked away from their botnets, but speculated that it was a business decision.
"The longer they left it, the more the botnet diminished," he said, noting that botnets continually lose machines as PCs are cleaned of the malware or taken out of service and replaced by new systems. "They have to make a decision, is it worth it to regain control or just build a new botnet?"
In the meantime, once-smaller players have grown in size as spammers turned to new providers. "Xarvester is one that has seemed to pick up a lot of traffic," said Stewart. "It's somewhere between Mega-D and Cutwail in size, so it's moved into the top three with at least 130,000 bots."
Xarvester and another botnet, which Stewart has dubbed "Gahg," are spamming some of the same types of messages that once came from bots controlled by Srizbi's and Rustock's herders, he added.
"There aren't any new botnets, not so far," Stewart continued. But he warned that the criminals responsible for Srizbi and Rustock could very well be working on new malware and spreading it on vulnerable PCs. "That could be one reason why they haven't restored the [downed] bots, they could be in development right now."
= - = - = - =
...from:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&...
Massive botnet returns from the dead, starts spamming
Criminals regain control after security firm stops preemptively registering routing domains
By Gregg Keizer
November 26, 2008 (Computerworld) A big spam-spewing botnet shut down two weeks ago has been resurrected, security researchers said today, and is again under the control of criminals.
The "Srizbi" botnet returned from the dead late Tuesday, said Fengmin Gong, chief security content officer at FireEye Inc., when the infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia.
Srizbi was knocked out more than two weeks ago when McColo Corp., a hosting company that had been accused of harboring a wide range of criminal activities, was yanked off the Internet by its upstream service providers. With McColo down, PCs infected with Srizbi and other bot Trojan horses were unable to communicate with their command servers, which had been hosted by McColo. As a result, spam levels dropped precipitously.
But as other researchers noted last week, Srizbi had a fallback strategy. In the end, that strategy paid off for the criminals who control the botnet.
According to Gong, when Srizbi bots were unable to connect with the command-and-control servers hosted by McColo, they tried to connect with new servers via domains that were generated on the fly by an internal algorithm. FireEye reverse-engineered Srizbi, rooted out that algorithm and used it to predict, then preemptively register, several hundred of the possible routing domains.
The domain names, said Gong, were generated on a three-day cycle, and for a while, FireEye was able to keep up -- and effectively block Srizbi's handlers from regaining control.
"We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."
Once FireEye stopped preempting Srizbi's makers, the latter swooped in and registered the five domains in the next cycle. Those domains, in turn, pointed Srizbi bots to the new command-and-control servers, which then immediately updated the infected machines to a new version of the malware.
"Once each bot was updated, the next command was to send spam," said Gong, who noted that the first campaign used a template targeting Russian speakers.
The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.
In the meantime, FireEye is working with several other companies -- including VeriSign Inc., Microsoft Corp. and Network Solutions Inc., a domain registrar -- on ways to reach the more than 100,000 users whose PCs FireEye has identified as infected with Srizbi.
Discussions about how to best handle any future McColo-Srizbi situation are also ongoing, Gong said. "We're trying to find a solution, and talking about ideas of how they can help fund efforts for some period of time to [preemptively] register domains," he said.
"Right now, though, we have this window of opportunity to help clean all those [100,000] machines," Gong said. "Registering those domains was just a way to buy us time. We have to reach those machines to clean them up."
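The defender-side mechanics described above (predicting the next cycle's fallback domains so they can be registered or sinkholed, and using the same list to spot infected PCs that still need cleaning) are illustrated by this added example; it is not FireEye's code and the generator below is a hypothetical stand-in for the reverse-engineered Srizbi algorithm, which the article does not reproduce. Cycle length (3 days), domains per cycle (5), the seed and the sample DNS log are all constructed here.

```python
from __future__ import annotations
import hashlib
from datetime import date, timedelta

# Constructed parameters: the article gives a three-day cycle and five
# domains per cycle; the seed and hashing scheme are hypothetical.
CYCLE_DAYS = 3
DOMAINS_PER_CYCLE = 5
TLDS = ["com", "net", "info"]
SEED = b"hypothetical-seed"

def cycle_index(day: date) -> int:
    """Every CYCLE_DAYS days the bots switch to a fresh set of domains."""
    return day.toordinal() // CYCLE_DAYS

def generate_domains(day: date) -> list[str]:
    """Domains the bots would try on `day`. Deterministic, so a defender
    who has recovered the generator can compute them before the bots do."""
    idx = cycle_index(day)
    out = []
    for n in range(DOMAINS_PER_CYCLE):
        h = hashlib.sha256(SEED + idx.to_bytes(8, "big") + bytes([n])).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in h[:10])
        out.append(f"{label}.{TLDS[n % len(TLDS)]}")
    return out

def domains_to_preregister(start: date, cycles: int) -> list[str]:
    """Every domain a defender must hold to deny the bots a new C2 server
    for `cycles` consecutive cycles from `start` (the recurring cost
    FireEye said it could not keep paying)."""
    names = []
    for c in range(cycles):
        names.extend(generate_domains(start + timedelta(days=c * CYCLE_DAYS)))
    return names

def flag_dga_lookups(dns_log: list[tuple[str, str]], day: date) -> list[str]:
    """Hosts whose DNS queries hit the current cycle's domains: the
    machines to reach for cleanup while the window of opportunity lasts."""
    current = set(generate_domains(day))
    return sorted({src for src, qname in dns_log
                   if qname.lower().rstrip(".") in current})

if __name__ == "__main__":
    today = date(2008, 11, 26)
    print("next cycle:", generate_domains(today + timedelta(days=CYCLE_DAYS)))
    print("to hold for 4 cycles:", len(domains_to_preregister(today, 4)))
```

Once the registrations lapse, `generate_domains` for the following cycle is exactly the list the botnet's operators only need to register once to regain control.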
Although some message security companies said yesterday that spam volumes had climbed back from post-McColo troughs, Gong was hesitant to finger Srizbi's return as the reason. "Srizbi may have contributed," he said, "but Rustock is also back."
Rustock, another botnet whose command-and-control servers were hosted by McColo, was partially restored when a Swedish Internet provider briefly stepped in 11 days ago to reconnect McColo to the Web. Even though McColo's connection was quickly severed by TeliaSonera after it received complaints, Rustock's controllers had enough time to instruct some of the bots to look to a Russian-hosted server for commands.