Srizbi Botnet Resurrects Itself. Interesting Technique.
Despite several efforts to bring it down (including the takedown of McColo, the major hosting provider that housed its primary control servers), the Srizbi botnet, comprising roughly half a million “zombie” PCs and responsible for approximately 40% of all spam traffic, has resurrected itself using an interesting technique: its bots try to reach fallback domains produced by a domain-generation algorithm that has not yet been disclosed.
[quote]According to FireEye, Srizbi was the only botnet operating through McColo that had a backup plan in case their master control servers were ever unplugged: The malware contained a mathematical algorithm that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors.
The problem, FireEye quickly found, was that each variant was designed to seek out a different set of four rescue domains every 72 hours. (…) That meant that to prevent the Srizbi authors from regaining control over their herd, FireEye would have to register more than 450 domains each week just to stay a step ahead of the bad guys.
(…) According to FireEye, sometime on Nov. 25, unknown individuals in Russia apparently registered the remaining domains, thereby regaining control over the world’s largest spam botnet.[/quote]