Later that month, a statement from MessageLabs attributed to senior anti-spam technologist Matt Sergeant said "Srizbi, having once been responsible for 50 per cent of all spam, is now completely defunct. Without this botnet, spam levels won't return to what they had been."
That statement appears to have been premature.
It seems that the Srizbi code had been developed with an eye to recovering from such a situation.
If a Srizbi bot loses contact with its command server, it uses an algorithm to generate seemingly random but time-dependent domain names, and attempts to contact a server at each of them in turn.
Because the algorithm is deterministic, anyone who has worked it out can compute the same names in advance. So all that was necessary to regain control was to register one of those names before the bots tried it.
Security firm FireEye had spent at least $1500 registering names the botnet would attempt to use, but warned that "as money is not infinite, soon the new domains will be available for registration by anyone, including the Botnet owner, or someone who wishes to be a Botnet owner."
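To make the mechanism concrete, here is an added example of a toy time-dependent domain generation algorithm and the defender-side precomputation it invites. It is not Srizbi's real algorithm and is not code from FireEye or from this article; the seed, label length, TLD list, candidates-per-day and per-domain price are all assumptions chosen for illustration. It shows why whoever registers the first name a bot tries on a given day inherits the bot, and why the defender's bill grows linearly with the number of days covered.

```python
"""Toy domain generation algorithm (DGA) and the race to pre-register its output.
Hypothetical code, not Srizbi's algorithm: seed, TLDs, counts and prices are assumed."""
import hashlib
from datetime import date, timedelta

SEED = b"example-botnet-seed"   # assumption: a secret hard-coded into every bot
TLDS = ("com", "net", "biz")    # assumption: TLD choices embedded in the binary
CANDIDATES_PER_DAY = 4          # assumption: fallback names a bot tries per day


def dga_domains(day, seed=SEED, count=CANDIDATES_PER_DAY):
    """Return the ordered list of fallback domains a bot would try on `day`.

    The output depends only on (seed, day, index), so a bot that has lost its
    server and an analyst who has extracted the seed compute identical lists.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def bot_rendezvous(day, registered):
    """Simulate a bot that lost its C&C: walk the day's list in order and return
    the first name that resolves (here: that someone has registered).
    Whoever registered that name now controls the bot; None means no one did."""
    for name in dga_domains(day):
        if name in registered:
            return name
    return None


def defender_schedule(start, days):
    """Precompute every name the botnet will try over `days` days from `start`.
    This is the list a defender must register (or have a registrar block)
    to keep the botnet from coming back."""
    return {start + timedelta(d): dga_domains(start + timedelta(d)) for d in range(days)}


def registration_cost(schedule, price_per_domain):
    """Cost of registering every name in `schedule`: linear in days * candidates,
    which is the 'money is not infinite' problem for the defender."""
    return sum(len(names) for names in schedule.values()) * price_per_domain


if __name__ == "__main__":
    today = date(2008, 11, 25)  # constructed date for the demo
    names = dga_domains(today)
    print("bot will try, in order:", names)
    print("defender holds all of them ->", bot_rendezvous(today, set(names)))
    print("defender skipped the first ->", bot_rendezvous(today, set(names[1:])))
    print("30-day cover at $10/name costs $", registration_cost(defender_schedule(today, 30), 10))
```

The asymmetry is the point: the botnet owner only needs one name on one day to re-establish contact, while the defender has to hold every name on every day and keep paying for it.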
And that, it appears, is what happened. Someone registered a set of domain names and used them to regain control over the Srizbi botnet.
According to the Washington Post, VeriSign, Microsoft and the US Computer Emergency Readiness Team (US-CERT) had been asked to assist in either buying up (or tying up) the domains ahead of time, with no apparent response.
The new Srizbi servers located in Estonia were subsequently shut down before much spam could be pumped out, according to The Register, although one server located in Germany was still active at the time of the report.
According to FireEye, the most active botnets are currently Pushdo/Cutwail and Bobax/Kraken.