15 posts from November 2008

2008.11.25

Technical details of Srizbi's domain generation algorithm

This post will dive into the algorithm by which Srizbi decides which domain name to contact on a given day.

Continue reading "Technical details of Srizbi's domain generation algorithm" »

Srizbi control regained by original owner

UPDATE: The Estonia-based Command and Control servers have been kicked offline. I'll post more details of how this happened when I get the go-ahead from the responsible party. The information below is still valid, but the addresses listed (except for the one in Frankfurt) are no longer reachable.

---

Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary. The worldwide update began just a few hours ago. The new Command and Control servers are located in Estonia, and the domains were registered through a registrar in Russia.

Continue reading "Srizbi control regained by original owner" »

2008.11.24

Rustock is Back...

UPDATE: An abuse notification was sent to LayeredTech by my co-researcher Alex Lanstein earlier this morning. As a result, LayeredTech seems to have pulled the server. 'sdx3Fs5B.info' still has an A record pointing at the IP, but it is no longer responding. Perhaps colos are starting to pay more attention to botnets and abuse notifications?

----------------------------------------

Rustock and its SPAM are back. All Rustock variants that were able to update themselves during McColo's brief return on 15 Nov 2008 are back with new nasty SPAM campaigns.

The updated Rustock binaries in our lab since the shutdown have been trying to connect to different CnC servers to look for more commands, but either the domains were not resolving or the servers were not acknowledging Rustock's login requests. This no longer appears to be the case. Today, one of the new CnC servers, 'sdx3Fs5B.info', which is currently resolving to 72.233.114.74 (abuse notification to LayeredTech sent), started to respond. After accepting the login, the next instruction was to download new spam templates. Immediately after receiving the templates, the samples started sending SPAM.

Continue reading "Rustock is Back..." »

2008.11.20

Do AntiVirus Products Detect Bots?

Continue reading "Do AntiVirus Products Detect Bots?" »

2008.11.18

Rustock and Mega-D fallback domains

To me, charts and graphs illustrate trends much more clearly than a <table> does. Below I'll show the number of unique IPs over time, the number of unique IPs per hour, and the breakdown by domain for the fallback channels of Rustock and Mega-D.

Continue reading "Rustock and Mega-D fallback domains" »

Srizbi rootkit removal instructions

FireEye researchers have tested and therefore recommend the following steps for victims of Srizbi to remove the infection. Some basic level of expertise with Windows system administration is required to perform these steps. This material is provided "as is", with absolutely no warranty expressed or implied.

Continue reading "Srizbi rootkit removal instructions" »

Not to sound the panic alarm...

Not to sound the panic alarm, but it appears that I was slightly off base earlier with my comment that the Srizbi fallback C&C domains were hard coded in the sample. It's true that the seed was hard coded, and that multiple samples had the same seed, but the domain name generated appears to be a function of the local time as well, which explains the ~36 hour window I was seeing. There also appear to be some retry timeouts that don't kick in exactly as the day begins, so this may be another reason it wasn't immediately evident earlier.

Continue reading "Not to sound the panic alarm..." »

2008.11.16

Fallback C&C channels

As promised, a few more thoughts on fallback Command and Control channels and the botnets that implement them.

Continue reading "Fallback C&C channels" »

Rustock's new home in cyberspace... Russia!

As we predicted in an earlier post, Rustock began its global update last night to change the Command and Control servers from McColo to a data center in Russia. We believe that the Rustock controllers don't expect McColo to be very stable in the near future, so they are hedging their bets and moving the C&Cs to a different provider.

Continue reading "Rustock's new home in cyberspace... Russia!" »

2008.11.15

McColo found a new upstream provider (update)

UPDATE: Although the data below is still interesting, Telia has withdrawn the routes for McColo's net blocks.

As we were monitoring Srizbi and Rustock in our labs today, all of a sudden a sample from the lab started connecting to a routable McColo C&C server. This McColo-hosted C&C server, with an IP of 208.66.194.22, was again fully responding to Rustock. It appears they're back! The best part about this story is that they haven't physically moved their servers... they're still in Market Post Tower in sunny San Jose. Telia (whom I contacted) appears to have low enough standards that they are providing McColo a new cross-connect.

Continue reading "McColo found a new upstream provider (update)" »