Srizbi Botnet Makes a Come-Back after Security Firm's Shut-Down Attempts

The creator of the Srizbi Botnet appears to have planned cleverly: measures built into the botnet have allowed it to re-emerge despite the efforts of the security community.

The Srizbi Botnet may be one of the most infamous spamming networks built from compromised computers. It is believed that around 40 percent of the world's spam is connected to the Srizbi Botnet, which was knocked offline on November 11th along with web hosting company McColo. The McColo firm was believed to have hosted many of the computers that controlled the flow of about 75 percent of the world's spam. You may be asking the question "why was this hosting firm not shut down sooner?" Well, one security firm thought that it had discovered a way of preventing the Srizbi Botnet from coming back online, but the approach was thought to be too expensive. FireEye was the security firm that attempted this process.

Alex Lanstein, a senior researcher at FireEye, said, "This cost us a lot of money. We engaged all the right people. In the end, it comes back to the fact that there wasn't a process in place to do what we were trying to do…" "The day after we stopped registering the domains, the bad guys started picking them up."

What was FireEye's plan to stop Srizbi Botnet?

FireEye discovered that the Srizbi Botnet had a back-up plan in case its master control servers were unplugged. This was the only botnet working through McColo that had such countermeasures in place. It became apparent that when the shut-down of McColo took place, the systems infected with the Srizbi Botnet started an automated process to seek out certain domains. It seems the domains were rescue domains that allowed the Srizbi authors to regain control of the infected systems. FireEye attempted to purchase these rescue domains, but that is where the large costs come into play. Over 450 domains would have to be registered each week to keep up with the Srizbi creators during the rescue process. This would end up costing large amounts of money that FireEye was not prepared to spend.

Obtaining the Srizbi domains would have given FireEye the ability to instruct the infected machines to uninstall the botnet program. This action would actually be illegal to perform and could result in damage to the systems. This is another well-intentioned attempt that would fail miserably. Other actions, such as contacting US-CERT (United States Computer Emergency Readiness Team), which is a partnership between the Department of Homeland Security and the private sector to combat cybersecurity threats, have been attempted, but as of yet no response has been received. Unfortunately, security firms suspect that spam levels will be back up to what they were before the shut-down of McColo.

What does this have to do with me?

Knowing this information may prompt more computer users to take certain measures to protect themselves from spam attacks such as those generated by the Srizbi Botnet. You must remember that the Srizbi Botnet may account for a large portion of general spam sent through the Internet. As you may already know from first-hand experience with spam messages, they may include malware downloads or links to malicious sites that could seriously damage your system or steal valuable information from your computer.

Do you think other future attempts to combat the Srizbi Botnet will be successful? Do you think the Srizbi Botnet is just too robust to take down and the hackers have ultimately won this battle for now?