
2008.11.25

Srizbi control regained by original owner

UPDATE: The Estonia-based Command and Control servers have been kicked offline. I'll post more details of how this happened when I get the go-ahead from the responsible party. The information below is still valid, but the addresses listed (except for the one in Frankfurt) are no longer reachable.

---

Srizbi has returned from the dead and has begun updating all its bots with a fresh new binary. The worldwide update began just a few hours ago. The new Command and Control servers are located in Estonia, and the domains were registered through a registrar in Russia.

As has been publicized, Srizbi has a mechanism to dynamically generate the C&C domain with which it communicates, based on a seed (magic number) in the binary and a variation of the Julian date on the infected host. Our next post will go into the technical details of this algorithm. This dynamic domain generation mechanism was the main reason the operators were able to regain control, even though the primary IP, hosted at McColo, was and still is not routable. As soon as we stopped registering domain names, the botnet owner swooped in and began registering domains, as he was able to predict which ones would be in use today. These are the domains seen thus far, and the IP to which each currently resolves:

Name:   gffsfpey.com
Address: 92.62.100.9

Name:   ypouaypu.com
Address: 92.62.100.13

Name:   oryitugf.com
Address: 92.62.100.12

Name:   prpoqpsy.com
Address: 92.62.100.4

Name:   wwqwseed.com
Address: 94.102.62.3

All are currently pointing to servers in Estonia, except the last, whose IP is registered out of the Cayman Islands but hosted in Germany. This is the progression of Srizbi's fallback:

First, the sample in our lab tried to connect to the hardcoded McColo server 208.72.169.22. After many unsuccessful tries, as a fallback mechanism, Srizbi generated four new domain names based on the current date. As the bot herders had already registered today's domain names, the bot connected to 92.62.100.13 on TCP/4099 immediately after the name resolved.

[Screenshot: DNS resolution of the generated domains]
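The fallback sequence described above (repeated failures to the hardcoded McColo address, a burst of generated-domain lookups, then a connection on TCP/4099 to a freshly resolved address) is a pattern a network sensor can look for. The following is an added detection example written for this post, not FireEye's code; the log format, the hosts 10.0.0.5 and 10.0.0.9 and the name abcdefgh.com are constructed, and the indicators (208.72.169.22, port 4099, the 8-letter .com shape of the names listed above) come from the post itself.

```python
import re
from collections import defaultdict

# Indicators from the post: the hard-coded McColo C&C that stopped answering,
# the port the fallback C&C listened on, and the 8-letter .com shape of the names.
HARDCODED_CNC = "208.72.169.22"
CNC_PORT = 4099
DGA_SHAPE = re.compile(r"^[a-z]{8}\.com$")

# Constructed (hypothetical) sensor log format:
#   "<timestamp> <host> DNS <name> <answer>"  or  "<timestamp> <host> CONNECT <ip>:<port> <OK|FAIL>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>DNS|CONNECT) (?P<arg>\S+)(?: (?P<res>\S+))?$")

def find_fallback(lines, min_failures=2, min_dga=4):
    """Return {host: [ips]} for hosts that replay the sequence in the post: failures to
    the hard-coded C&C, then DGA-shaped lookups, then a CNC_PORT connect to an answer."""
    state = defaultdict(lambda: {"fails": 0, "dga": {}, "hits": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # skip lines the sensor format does not cover
        ev = m.groupdict()
        s = state[ev["host"]]
        if ev["kind"] == "DNS":
            # Only count lookups made after the primary C&C proved unreachable.
            if DGA_SHAPE.match(ev["arg"]) and ev["res"] and s["fails"] >= min_failures:
                s["dga"][ev["arg"]] = ev["res"]
            continue
        ip, _, port = ev["arg"].rpartition(":")
        if ip == HARDCODED_CNC and ev["res"] == "FAIL":
            s["fails"] += 1
        elif (port.isdigit() and int(port) == CNC_PORT and ev["res"] == "OK"
              and len(s["dga"]) >= min_dga and ip in s["dga"].values()):
            s["hits"].add(ip)             # connected to an address the DGA burst resolved
    return {h: sorted(s["hits"]) for h, s in state.items() if s["hits"]}

# Constructed sample: 10.0.0.5 follows the Srizbi fallback; 10.0.0.9 resolves one
# 8-letter name with no prior failures and must not be flagged.
SAMPLE_LOG = """
2008-11-25T09:58:01 10.0.0.5 CONNECT 208.72.169.22:4099 FAIL
2008-11-25T09:58:31 10.0.0.5 CONNECT 208.72.169.22:4099 FAIL
2008-11-25T09:59:05 10.0.0.5 DNS gffsfpey.com 92.62.100.9
2008-11-25T09:59:05 10.0.0.5 DNS ypouaypu.com 92.62.100.13
2008-11-25T09:59:06 10.0.0.5 DNS oryitugf.com 92.62.100.12
2008-11-25T09:59:06 10.0.0.5 DNS prpoqpsy.com 92.62.100.4
2008-11-25T09:59:07 10.0.0.5 CONNECT 92.62.100.13:4099 OK
2008-11-25T10:01:00 10.0.0.9 DNS abcdefgh.com 203.0.113.7
2008-11-25T10:01:01 10.0.0.9 CONNECT 203.0.113.7:4099 OK
""".strip().splitlines()
```

Running find_fallback(SAMPLE_LOG) flags only 10.0.0.5 with 92.62.100.13; the gate on prior failures to the hardcoded address keeps ordinary short-name lookups from triggering.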

After successfully connecting, the first instruction was to update the binary (driver file). This updated binary had the new hardcoded Estonia-based C&C in place of the old McColo one. After the successful update, the next instruction was to download a new SPAM template and begin a new campaign.

Srizbi Binary update: [screenshot]

An interesting nugget is that the initial SPAM email was MIME-encoded with the character set "koi8-r".

"KOI8-R is an 8-bit character encoding, designed to cover Russian, which uses the Cyrillic alphabets".

This means the initial Srizbi SPAM was intended for Russia (or a Russian-speaking region); all SMTP servers that the sample tried to contact ended in .ru, and one of them belonged to the largest bank in Russia. This is yet another tie between botnets and Russia.

Srizbi Initial SPAM: [screenshot]

In the coming days, many journalists and researchers will ask themselves: "How is it possible that the largest botnet in the world was allowed to update itself, when a security firm had near-complete control over it?" This is an interesting angle that we'll be exploring once all the technical facts are out on the table.

Atif Mushtaq and Alex Lanstein @ FireEye Malware Intelligence Lab

Comments/Questions to research@fireeye.com


Comments


What about another approach - when you have C&C capabilities, you can display information to the computer's owner, like "Your computer is infected, please use antivirus and firewall"?

It appears Srizbi has now moved to Moldova with C&C passing through hostteam.org

Michael:
Doesn't matter that the names aren't resolving... the IP addresses were all the botnet needed, and now those are hardcoded into the drivers for each bot.

And "liability if anything went wrong"?

Are you serious, Grant? So it might disable a few computers on accident. It's nothing an OS reinstall couldn't fix. They didn't shut it down because they probably couldn't technically do it.

I'm no expert and my question is merely from my imagination, but can someone create a Botnet to counter/fight those spam Botnets?

Sean,

The problem is that poking some bots in the lab and modifying software running out there in internet land are totally different propositions.

Much as I'm sure the researchers were tempted to execute the uninstall command on the entire botnet while they had C&C capabilities, the liability if anything went wrong would be theirs.

Grant.

Why would the spammers care about laws in the US, as most of them are from Russia and countries like this, where nothing prohibits them from doing what they are doing, and they will most probably be not caught or identified anyways as the Russian government does not really care much about issues like that. Just a law in the States makes no difference in the spam world.

If the botnet downloads binary from the Command & Control server, then why on earth couldn't a binary have been made to disable the botnet? Surely this would be the simplest solution to these kind of problems?

Spammers CAN BE PERMANENTLY PUT OUT OF BUSINESS by a very simple law, which the Congress of the United States should pass. The law should make it a federal crime to create or use bots, or for Internet service providers and carriers to knowingly allow anyone to create or use bots using the service they provide. It should also make it a similarly punishable crime to send messages from bots within or into the United States. The knowing use of spam advertising by anyone should also be made a federal crime.

The punishment for creating or using bots, or for sending within or into the United States messages from bots, should be quite severe, say a mandatory 10 to 15 years in prison plus very large fines. The punishment for knowingly allowing one's facilities to create or use bots should be a mandatory one to five years of prison for the entity's CEO and each of its officers responsible for the entity's operation, plus a fine that is equivalent to not less than the entity's one year gross income averaged over the last five-year period, or based on the last 12 months of gross income, whichever is larger. The knowing use of spam for advertising should carry a similar punishment.

With the largest market on earth, the United States of America, thus made very dangerous and unattractive to all involved in creating and transmitting spam, spam will be effectively stopped. It is all up to the U.S. Congress, and Congress can be made to act by sufficient public demand.

I wonder if future work can be done to anticipate future domain names, and use that list to quickly find the web hosts as they get registered and shut them down?

All the domains that were reported above and a few others that appear to be related have been put on hold. They will not resolve anymore.

Have a great day,
Michael

I continue to remain in awe of your research, and I greatly look forward to see how this all pans out.

I'm also noticing that my own accounts are again receiving considerable amounts of spam. Even so: this year, overall, has been very damaging, financially, for these criminals. And it's not even over yet.

Keep up the extremely good work.

SiL / IKS / concerned citizen

Hi!

Have you tried to contact DirectNIC in order to suspend these domains? Whois information is fake and this may be one of the reasons to suspend these domains.
