In the fallout resulting from knocking McColo Corp. offline, this past week may prove to be a missed opportunity in the prevention of a dramatic reappearance of junk e-mail, as a botnet that once controlled 40 percent of the world's spam apparently has found a new home.
The botnet Srizbi was knocked offline Nov. 11 along with Web-hosting firm McColo, which Internet security experts say hosted machines that controlled the flow of 75 percent of the world's spam. One security firm, FireEye, thought it had found a way to prevent the botnet from coming back online by registering domain names it thought Srizbi was likely to target. But when that approach became too costly for the firm, it had to abandon the effort.
"This cost us a lot of money. We engaged all the right people. In the end, it comes back to the fact that there wasn't a process in place to do what we were trying to do," said Alex Lanstein, senior researcher at FireEye. "The day after we stopped registering the domains, the bad guys started picking them up."
According to FireEye, Srizbi was the only botnet operating through McColo that had a backup plan in case their master control servers were ever unplugged: The malware contained a mathematical algorithm that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors.
Shortly after McColo was taken offline, researchers at FireEye said they deciphered the instructions that told computers infected with Srizbi which domains to seek out. FireEye researchers thought this presented a unique opportunity: If they could figure out what those rescue domains would be going forward, anyone could register or otherwise set aside those domains to prevent the Srizbi authors from regaining control over their massive herd of infected machines.
In addition, by registering the domains, FireEye, a startup, could gain valuable intelligence, such as where the individual bots were located and how many there were. The problem, FireEye quickly found, was that each variant was designed to seek out a different set of four rescue domains every 72 hours. To make matters worse, the company identified more than 50 variants of Srizbi in circulation, impacting 500,000 systems. Those that were deficient or ill-programmed in some way controlled fewer victims: anywhere from a few hundred to a few thousand computers. The more virulent strains of Srizbi, however, controlled upward of 50,000 systems, FireEye found.
That meant that to prevent the Srizbi authors from regaining control over their herd, FireEye would have to register more than 450 domains each week just to stay a step ahead of the bad guys. But each domain name registered costs money. FireEye spent $4,000 buying up future domains that might be sought by stranded Srizbi bots.
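As an added illustration, not taken from the article and not Srizbi's real algorithm, the Python below models a hypothetical time-seeded domain generator with the properties the article describes (four rescue domains per variant per 72-hour window) and shows the defender's side: once the generator is understood, the upcoming domains for every variant can be enumerated ahead of time and the weekly registration load can be sized. The hashing scheme, TLDs, epoch and variant keys are all assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical, simplified generator for illustration only (NOT Srizbi's code).
WINDOW = timedelta(hours=72)          # article: new domain set every 72 hours
DOMAINS_PER_WINDOW = 4                # article: four rescue domains per variant
TLDS = ("com", "net")                 # assumed
EPOCH = datetime(2008, 11, 1, tzinfo=timezone.utc)  # assumed reference point


def window_index(when: datetime, epoch: datetime = EPOCH) -> int:
    """Whole 72-hour windows elapsed since the epoch."""
    return int((when - epoch) // WINDOW)


def rescue_domains(variant_key: bytes, window: int) -> list:
    """Deterministically derive one variant's rescue domains for one window.
    Both bot and analyst compute the same list, which is what lets a defender
    register or sinkhole the names before the bots look them up."""
    domains = []
    for i in range(DOMAINS_PER_WINDOW):
        seed = variant_key + window.to_bytes(4, "big") + bytes([i])
        label = hashlib.sha256(seed).hexdigest()[:10]
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute(variants: dict, start: datetime, weeks: int) -> dict:
    """Defender view: {window: {variant: [domains]}} for the coming period."""
    first = window_index(start)
    last = window_index(start + timedelta(weeks=weeks))
    schedule = {}
    for w in range(first, last + 1):
        schedule[w] = {name: rescue_domains(key, w) for name, key in variants.items()}
    return schedule


def weekly_registration_load(num_variants: int,
                             per_window: int = DOMAINS_PER_WINDOW,
                             window_hours: int = 72) -> float:
    """Domains a defender must hold per week to stay ahead of all variants."""
    return num_variants * per_window * (7 * 24 / window_hours)


if __name__ == "__main__":
    # Constructed sample: three variants with made-up keys.
    sample = {"v1": b"key-1", "v2": b"key-2", "v3": b"key-3"}
    for w, per_variant in precompute(sample, EPOCH, weeks=1).items():
        print(w, per_variant)
    print("weekly load for 50 variants:", weekly_registration_load(50))
```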
FireEye researchers thought that with that kind of firepower at their fingertips, they could have instructed each of the infected systems to uninstall the bot program. But the FireEye researchers surmised that such an action would not only be illegal but that commanding all of the bots to uninstall their infectious code would run the risk of doing serious damage to the systems. Srizbi, like most other sophisticated botnet programs these days, hooks into systems at a fundamental level, and removing it occasionally causes an infected system to stop working altogether.
"We could tell these bots to uninstall themselves from most of the machines, and the whole process would probably take a few seconds," Lanstein said. "But even if it were legal to do this, what would happen if removing the malicious software messes up some of these machines even worse?"
Srizbi had already shown it was fully capable of resurrecting itself. Joe Stewart, director of malware research for Atlanta-based SecureWorks, has documented how the Srizbi botnet's built-in rescue system can bring a lost herd of hacked computers back into the fold.
In October 2007, a massive blast of spam was sent through the Srizbi botnet promoting U.S. presidential candidate and libertarian Ron Paul. SecureWorks found that the control servers used by Srizbi for that spam run were all located at McColo, and reported the location of those servers to the now defunct hosting provider. Stewart said McColo responded by changing the Internet addresses of those control servers, which was enough to strand all of the bots seeking new instructions. When the backup mechanism in the bots caused them to search for new Web site names a few days later, the criminals who controlled the network were able to regain control over it by registering those Web site names.
A week ago, FireEye researcher Lanstein said they were looking for someone else to register the domain names that the Srizbi bots might try to contact to revive themselves. He said they approached other companies such as VeriSign Inc. and Microsoft Corp. After FireEye abandoned its efforts, some other members of the computer security community said they reached out for help from the United States Computer Emergency Readiness Team, or US-CERT, a partnership between the Department of Homeland Security and the private sector to combat cybersecurity threats.
Officials at US-CERT, however, have not responded to e-mails and phone calls requesting an interview about this story.
If others had gotten involved, there were a couple of scenarios that could have played out. One was for an ISP or registrar to gain clearance to "sinkhole" all of the Srizbi bots, essentially tying them up indefinitely by pretending to have the instructions the bots were seeking but never quite giving those bots the complete answer. The other was for an accredited registrar to register all of the domains sought by the Srizbi variants.
Ultimately, the FireEye researchers, under pressure from their managers to stop incurring expenses for registering the domains, stopped their efforts Nov. 24. According to FireEye, sometime on Nov. 25, unknown individuals in Russia apparently registered the remaining domains, thereby regaining control over the world's largest spam botnet.
Devnet allows our customers a 21-day test drive of Postini Email Security, which helps prevent your company from being affected by such issues.