Technical details of Srizbi's domain generation algorithm
This post will dive into the algorithm by which Srizbi decides which domain name to contact on a given day.
Continue reading "Technical details of Srizbi's domain generation algorithm" »
« October 2008 | Main | December 2008 »
UPDATE: The Estonia based Command and Control servers have been kicked offline. I'll post more details of how this happened when I get the go ahead from the responsible party. The below information is still valid, but the addresses listed (except for the one in Frankfurt) are no longer reachable.
---
Srizbi has returned from the dead and has begun updating all its Bots with a fresh, new binary. The worldwide update began just a few hours ago. The new Command and Control servers are located in Estonia, and the domains registered through a registrar in Russia.
Continue reading "Srizbi control regained by original owner" »
UPDATE: There was an abuse notification sent to LayeredTech by my co-researcher Alex Lanstein earlier this morning. As a result LayeredTech seems to have pulled the server. 'sdx3Fs5B.info' still has an A entry for the IP, but it is no longer responding. Perhaps colos are starting to pay more attention to botnets and abuse notifications?
---
Rustock and its SPAM are back. All Rustock variants that were able to update themselves during McColo's brief return on 15 Nov 2008 are back with new nasty SPAM campaigns.
The updated Rustock binaries in our lab since the shutdown have been trying to connect to different CnC servers to look for more commands, but either the domains were not resolving or the servers were not acknowledging Rustock's login requests. This no longer appears to be the case. Today, one of the new CnC servers, 'sdx3Fs5B.info', which is currently resolving to 72.233.114.74 (abuse notification to LayeredTech sent), started to respond. After accepting the login, the next instruction was to download new spam templates. Immediately after receiving the templates, the samples started sending SPAM.
To me, charts and graphs illustrate trends much more clearly than a <table> does. Below I'll show the number of unique IPs over time, the number of unique IPs per hour, and the breakdown by domain for the fallback channels of Rustock and Mega-D.
FireEye researchers have tested and thus recommend the following steps for victims of Srizbi to remove the infection. Some basic level of expertise with Windows system administration is required to perform these steps. This material is provided "as is", with absolutely no warranty expressed or implied.
Not to sound the panic alarm, but it appears that I was slightly off base earlier with my comment that the Srizbi fallback C&C domains were hard-coded in the sample. It's true that the seed was hard-coded, and that multiple samples had the same seed, but the domain name generated appears to be a function of the local time as well, which explains the ~36-hour window I was seeing. There do appear to be some retry timeouts as well that don't kick in exactly as the day begins, so this may be another reason it wasn't immediately evident earlier.
As promised, a few more thoughts on fallback Command and Control channels and the Botnets that implement them.
As we predicted in an earlier post, Rustock began its global update last night to change the Command and Control servers from McColo to a data center in Russia. We believe that the Rustock controllers don't expect McColo to be very stable in the near future, so they are hedging their bets and moving the C&Cs to a different provider.
Continue reading "Rustock's new home in cyberspace... Russia!" »
UPDATE: Although the below is still interesting data, Telia has withdrawn the routes for McColo's net blocks.
As we were monitoring Srizbi and Rustock in our labs today, all of a sudden a sample from the lab started connecting to a routable McColo C&C server. This McColo hosted C&C server, with an IP of 208.66.194.22, was again fully responding to Rustock. It appears they're back! The best part about this story is that they haven't physically moved their servers... they're still in Market Post Tower in sunny San Jose. Telia (whom I contacted) appears to have low enough standards that they are providing McColo a new cross-connect.
Continue reading "McColo found a new upstream provider (update)" »