Not to sound the panic alarm, but it appears that I was slightly off base earlier with my comment that the Srizbi fallback C&C domains were hard coded in the sample. It's true that the seed was hard coded, and that multiple samples had the same seed, but the domain name generated appears to be a function of the local time as well, which explains the ~36 hour window I was seeing. There do appear to be some retry timeouts as well that don't kick in exactly as the day begins, so this may be another reason it wasn't immediately evident earlier.
My colleague Julia will be expounding more on this point in the coming hours, but the long and short of it is that if this Botnet is not shut down very quickly (as in, all the hosts notified and/or cleaned up), it can be re-taken over simply by waiting until we miss a day of domains and registering them all in one fell swoop. Worse, Julia has deciphered how the domains are generated such that if one person held all the seeds, s/he could register the domains that will be in use 20 days from now. It becomes a little clearer now why the Bot owner didn't rush to register the domains. And since I know the question will be asked, yes, if FireEye had so wished, we could have issued the "uninstall" command or updated the binary to render it useless. However, making unauthorized system changes on hundreds of thousands of systems is not something we're in the business of doing.
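As an added illustration (not FireEye's code, and not the Srizbi routine itself, which this post does not disclose), the Python below models only the two properties stated above, a fixed seed and dependence on the bot's local date, using a hypothetical placeholder generator, and shows why whoever holds the domains has to cover more than one calendar day at a time and how far ahead a registration plan must run. The seed value and the assumed UTC offset range of the bot population are constructed for the example.

```python
"""Defender's planner for a date-keyed fallback domain schedule.

dga_domain() is a HYPOTHETICAL placeholder, not the real Srizbi algorithm:
it only keeps the two properties the post describes (hard-coded seed,
local-date dependence).
"""
import hashlib
from datetime import datetime, timedelta

SEED = 0x5EED1234                 # constructed sample seed, not a real one
OBSERVED_OFFSETS = range(-8, 5)   # assumed spread of bot UTC offsets (-8..+4)


def dga_domain(seed: int, local_date_iso: str) -> str:
    """Placeholder: one pseudo-random label per (seed, local calendar date)."""
    digest = hashlib.sha256(f"{seed}:{local_date_iso}".encode()).hexdigest()
    return digest[:12] + ".example"


def live_domains(seed: int, utc_iso: str, offsets_hours) -> set:
    """Domains in use somewhere in the population at one UTC instant.

    Bots in different time zones are on different local dates near midnight,
    so more than one day's domain can be active at the same moment.
    """
    now = datetime.fromisoformat(utc_iso)
    local_dates = {(now + timedelta(hours=h)).date().isoformat()
                   for h in offsets_hours}
    return {dga_domain(seed, d) for d in local_dates}


def domain_lifetime_hours(offsets_hours) -> int:
    """How long a single date's domain stays live: 24h plus the offset spread."""
    return 24 + (max(offsets_hours) - min(offsets_hours))


def registration_plan(seed: int, start_utc_iso: str, days_ahead: int,
                      offsets_hours) -> list:
    """Every (date, domain) pair needed to hold the C&C for the next N days."""
    start = datetime.fromisoformat(start_utc_iso)
    first = (start + timedelta(hours=min(offsets_hours))).date()
    last = (start + timedelta(days=days_ahead, hours=max(offsets_hours))).date()
    plan, day = [], first
    while day <= last:
        plan.append((day.isoformat(), dga_domain(seed, day.isoformat())))
        day += timedelta(days=1)
    return plan


if __name__ == "__main__":
    print("lifetime of one day's domain:", domain_lifetime_hours(OBSERVED_OFFSETS), "h")
    for day, dom in registration_plan(SEED, "2008-11-21T12:00:00+00:00", 20, OBSERVED_OFFSETS):
        print(day, dom)
```

With a 12-hour offset spread the lifetime comes out at 36 hours, matching the window observed in the post, and near UTC midnight two domains are live at once, so a defender who drops even one day loses part of the population.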
As an update, at last count this afternoon, Srizbi is well over 450,000 Bots, and the number does not appear to be slowing. We'll keep up with the domains for another couple of days, but as money is not infinite, soon the new domains will be available for registration by anyone, including the Botnet owner, or someone who wishes to be a Botnet owner.
Here are a couple of visual representations of the Srizbi Bots (courtesy of J. Manni from FE).
Here is a sampling of the Bots in the US (ignore the blotch over Kansas - it looks like there was only enough data to plot those IPs in the US, so the IP-to-location database stuck it in the center). This data set is from the 200k IP set from last week, so we'll regenerate this soon.
Alex Lanstein @ FireEye Malware Intelligence Labs
Comments/Questions to research@fireeye.com