It took the owners of the spam botnets only two weeks to regain control after the shutdown of the McColo hosting company two weeks ago. McColo had been called the world's main spam host: up to 75% of the world's spam was managed through it. When McColo was shut down on November 13, the amount of junk mail on the Web dropped sharply, by a factor of two or three, even in RuNet (as reported by Kaspersky Lab).
However, spammers have by now fully restored their activity. On Tuesday the Srizbi botnet resumed operation. Reportedly, the attackers managed to move the servers that control the botnet to another hosting provider, now in Estonia. The name of the hosting company has not been reported.
The spammers were evidently prepared for such a development. Experts who reverse-engineered the Srizbi trojan say its code contains an algorithm that generates a new set of domain names every three days. The algorithm is used in cases where the client program cannot contact the control center. The spammers, of course, know this algorithm and try to register the needed domains immediately, restoring contact with the lost bots through them.
Until now, anti-spam companies had managed to outpace the spammers and register the domains for themselves. They registered several hundred domains, but their financial resources are not unlimited. At some point they stopped, and within three days the spammers had registered five domains. Thus the botnet owners re-established a connection with the infected machines (there are about 100,000 of them), after which they immediately updated the client version of the trojan.
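The race described above can be modelled from the defender's side: once the generation algorithm is recovered, the defender can enumerate every domain the bots will try in upcoming periods and estimate what staying ahead costs. The block below is an added illustration, not code from the article or from Srizbi; the seed and hashing scheme are a constructed stand-in with the same shape (a deterministic domain set that changes every three days), since the real algorithm is not given on the page.

```python
import hashlib
from datetime import date

# Constructed stand-in for the recovered algorithm (hypothetical seed and hash scheme).
PERIOD_DAYS = 3
EPOCH = date(2008, 11, 13)          # McColo shutdown date, used here as the period origin
DOMAINS_PER_PERIOD = 5              # the article reports five domains registered per period
TLDS = ("com", "net", "info")       # assumed TLD set


def period_index(day: date) -> int:
    """Number of complete 3-day periods since EPOCH; bots and defenders compute the same value."""
    return (day - EPOCH).days // PERIOD_DAYS


def domains_for_period(idx: int, seed: bytes = b"hypothetical-seed") -> list[str]:
    """Deterministic domain set for one period: sha256(seed || period || counter) -> label.tld."""
    out = []
    for n in range(DOMAINS_PER_PERIOD):
        digest = hashlib.sha256(seed + idx.to_bytes(4, "big", signed=True) + bytes([n])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return out


def upcoming_domains(start: date, periods: int) -> dict[int, list[str]]:
    """What a defender pre-computes: every domain the bots will try over the next N periods,
    keyed by period index, so the domains can be registered or sinkholed ahead of time."""
    first = period_index(start)
    return {i: domains_for_period(i) for i in range(first, first + periods)}


def registration_budget(periods: int, price_per_domain: float) -> float:
    """Cost of holding every generated domain for N periods (the 'not unlimited' resource)."""
    return periods * DOMAINS_PER_PERIOD * price_per_domain


if __name__ == "__main__":
    plan = upcoming_domains(date(2008, 11, 13), 4)
    for idx, names in plan.items():
        print(idx, names)
    print("cost for 4 periods at $10/domain:", registration_budget(4, 10.0))
```

The point of the model is the asymmetry it makes visible: the defender must hold every domain in every period, while the operators need only one registration in one period to recover the botnet.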
Another botnet, Rustock, which also operated through McColo, resumed work when a Swedish hosting company, with good intentions, temporarily hosted McColo's servers and connected them to the Internet. The owners immediately updated the trojan clients and redirected them to a control center in Russia.