Spam Warning: Presumed Dead Botnet Makes Massive Comeback

Article by George Norman (Cybersecurity Editor) on 27 Nov 2008

The fight against spam messages saw a turn for the better in early November when McColo, a web hosting provider from Silicon Valley, was shut down. Perhaps "better" is not the right term; "sensational" would fit, if you keep in mind that overall spam levels went down by a staggering 80%. The Srizbi botnet, which before the McColo takedown was responsible for the greater part of spam messages flowing online, is now being brought back from the dead.

Matt Sergeant from MessageLabs, a company that specializes in providing integrated messaging and web security services, comments: “In the last 24 hours Srizbi has managed to regain control of some of the botnet PCs which were inactive after the McColo shutdown. This has yet to result in a significant increase in spam volumes, however given this progression we expect to see spam volumes back to 'normal' levels in around a week's time.”

What exactly does MessageLabs senior anti-spam technologist Matt Sergeant mean by “normal levels”? I remember that back in July, a security report issued by MX Logic stated that the Srizbi botnet was responsible for 50% of all spam traffic. That is half of all the spam messages circulating around the world, with subjects like “genuric Viagra” or the grimmer “McCain dies”. More recent reports state that Srizbi is responsible for about 40% of all spam traffic, which is less than July’s percentage but still considerable.

Just to put things in perspective, it has been reported that about 500,000 infected machines from the Srizbi botnet automatically “rebooted” following the McColo takedown, which is to say that after a period of two weeks when spam levels were at an all-time low, these bot machines attempted to contact their McColo command and control servers. Since those were offline, they eventually connected to alternate servers in Estonia.

For a brief period of time (about three days) security experts managed to register several hundred web domains in an attempt to prevent the bad guys from regaining control of the Srizbi botnet. But since registering so many domains is a hefty enterprise, it was decided that keeping it up was not a financially viable solution. Once the decision to stop registering domains was taken, the guys behind Srizbi registered five domains, redirected the bots’ requests to new command and control servers based in Estonia, updated the malware, and once again started to, drum roll please, send out spam.
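The behaviour described in the two paragraphs above, bots that lose their command and control servers and then cycle through fallback domain names until one resolves, leaves a recognisable footprint in a network's DNS resolver logs: a host producing a run of NXDOMAIN answers for random-looking names, followed by a sudden successful resolution. The following Python script is an added example written for this article and is not code from MessageLabs, MX Logic or any Srizbi analysis; it scores each client in a constructed, hypothetical resolver log by its NXDOMAIN ratio and the character entropy of the names it asked for, and reports the first name that resolved after a run of failures, which is the pivot a defender would want to block or sinkhole. The log format (timestamp, client, name, response code), the thresholds and the host addresses are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (hypothetical; not real Srizbi traffic).
# Fields: timestamp, client IP, queried name, DNS response code.
SAMPLE_DNS_LOG = """\
2008-11-25T10:00:01 10.0.0.5 www.example.com NOERROR
2008-11-25T10:00:02 10.0.0.5 mail.example.com NOERROR
2008-11-25T10:00:03 10.0.0.9 qzkxvtpl.com NXDOMAIN
2008-11-25T10:00:04 10.0.0.9 mvqwrsht.net NXDOMAIN
2008-11-25T10:00:05 10.0.0.9 ptxzjkqv.com NXDOMAIN
2008-11-25T10:00:06 10.0.0.9 lwnbgdrx.org NXDOMAIN
2008-11-25T10:00:07 10.0.0.9 hjqzwvkt.com NOERROR
2008-11-25T10:00:08 10.0.0.5 cdn.example.net NOERROR
2008-11-25T10:00:09 10.0.0.5 misspeled.example.com NXDOMAIN
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random-looking labels score higher."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Return the registrable label (e.g. 'example' from 'www.example.com').

    Assumption: single-label public suffixes only; real deployments should
    consult a public-suffix list so that names under .co.uk are handled.
    """
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (timestamp, client, qname, rcode) tuples, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname, rcode = line.split()
        yield ts, client, qname, rcode


def find_fallback_seekers(text: str, min_queries: int = 4,
                          nx_ratio: float = 0.5, min_entropy: float = 2.5) -> dict:
    """Flag clients whose lookups look like a search for a replacement C2 domain.

    A client is flagged when it made at least `min_queries` lookups, at least
    `nx_ratio` of them returned NXDOMAIN, and the names it asked for have a mean
    label entropy of at least `min_entropy` bits. Thresholds are assumptions.
    """
    per_client = defaultdict(list)
    for _ts, client, qname, rcode in parse_log(text):
        per_client[client].append((qname, rcode))

    flagged = {}
    for client, events in per_client.items():
        if len(events) < min_queries:
            continue
        nx = sum(1 for _q, r in events if r == "NXDOMAIN")
        ratio = nx / len(events)
        entropies = [shannon_entropy(second_level_label(q)) for q, _r in events]
        mean_entropy = sum(entropies) / len(entropies)
        if ratio < nx_ratio or mean_entropy < min_entropy:
            continue

        # The first successful answer after a run of failures is the likely
        # moment the host found a live replacement server: block or sinkhole it.
        fallback_hit, failed_before_hit, streak = None, 0, 0
        for q, r in events:
            if r == "NXDOMAIN":
                streak += 1
            else:
                if streak > 0 and fallback_hit is None:
                    fallback_hit, failed_before_hit = q, streak
                streak = 0

        flagged[client] = {
            "queries": len(events),
            "nx_ratio": ratio,
            "mean_entropy": mean_entropy,
            "fallback_hit": fallback_hit,
            "failed_before_hit": failed_before_hit,
        }
    return flagged


if __name__ == "__main__":
    for client, report in find_fallback_seekers(SAMPLE_DNS_LOG).items():
        print(client, report)
```

Run as-is, the script flags only 10.0.0.9 (four failed lookups of high-entropy names, then hjqzwvkt.com resolving), while 10.0.0.5's single typo-induced NXDOMAIN stays below the ratio threshold. On real resolver logs the same two signals, NXDOMAIN bursts and low-dictionary names, are what make pre-registration and sinkholing of fallback domains possible in the first place, and the "first hit after failures" field is the name to feed into a blocklist or sinkhole before the updated malware is pulled down.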

“We've stunted the spammers for a couple of weeks, which is a good thing for the Internet. We've increased their costs and, hopefully, that might put some spammers out of business,” added Sergeant.
