
How the Srizbi botnet escaped destruction to spam again - alexandros
http://ebiquity.umbc.edu/blogger/2008/11/30/how-the-srizbi-botnet-escaped-destruction-to-spam-again/
======
nickb
_Unfortunately, FireEye did not have the resources to carry out its plan and
was forced to abandon it, but not before seeking help from other companies and
organizations with deeper pockets.

File this one under opportunity, lost._

Grrrrr :( I'm pretty sure they could have raised enough by donations. I'm sure
HN people would have donated.

And the snubbing by VeriSign and Microsoft... the companies that own
registrars and have billions in revenue?!? Come on! Did they reach the right
people at these companies? Who said no to them? Must have been a breakup in
communication somewhere.

------
streety
The article quoted is:
[http://voices.washingtonpost.com/securityfix/2008/11/srizbi_...](http://voices.washingtonpost.com/securityfix/2008/11/srizbi_botnet_re-emerges_despi.html)

The important bit for me was:

"The problem, FireEye quickly found, was that each variant was designed to
seek out a different set of four rescue domains every 72 hours. To make
matters worse, the company identified more than 50 variants of Srizbi in
circulation, impacting 500,000 systems. Those that were deficient or ill-
programmed in some way controlled fewer victims -- anywhere from a few hundred
to a few thousand computers. The more virulent strains of Srizbi, however,
controlled upward of 50,000 systems, FireEye found.

That meant that to prevent the Srizbi authors from regaining control over
their herd, FireEye would have to register more than 450 domains each week
just to stay a step ahead of the bad guys. But each domain name registered
costs money. FireEye spent $4,000 buying up future domains that might be
sought by stranded Srizbi bots."

It would be interesting to see what sort of intelligence they were able to
gather while they were running this operation.

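A toy model of the mechanism quoted above, added here as an example and not taken from the article, from FireEye, or from Srizbi itself (the real generation algorithm is not reproduced anywhere on this page): each variant derives four rescue domains per 72-hour epoch from a per-variant seed and the epoch number, and a defender who has recovered the algorithm can enumerate and pre-register those names ahead of time. The SHA-256 construction, the 10-letter labels, the TLD list, the variant seeds, the epoch-aligned start date and the "attacker"/"defender" ownership map are all assumptions chosen for illustration.

```python
"""Toy time-seeded rescue-domain scheme (4 names per variant per 72-hour
epoch, as the article describes) plus the defender's pre-registration
arithmetic.  Added example; NOT Srizbi's real algorithm.  The hash
construction, label length, TLD list and sample seeds are assumptions."""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

EPOCH_SECONDS = 72 * 3600              # rotation period stated in the article
DOMAINS_PER_EPOCH = 4                  # rescue domains per variant per epoch (article)
TLDS = ("com", "net", "org", "info")   # assumption, purely illustrative


def epoch_index(when: datetime) -> int:
    """Index of the 72-hour window containing `when` (UTC, Unix-epoch based)."""
    return int(when.timestamp()) // EPOCH_SECONDS


def epochs_overlapping(start: datetime, end: datetime) -> range:
    """Every epoch whose window intersects [start, end)."""
    first = int(start.timestamp()) // EPOCH_SECONDS
    last = -(-int(end.timestamp()) // EPOCH_SECONDS)   # ceiling division
    return range(first, last)


def rescue_domains(variant_seed: bytes, epoch: int) -> List[str]:
    """Deterministic 4-domain set for one variant in one epoch (toy DGA):
    SHA-256(seed || epoch || slot) mapped onto a 10-letter label and a TLD."""
    domains = []
    for slot in range(DOMAINS_PER_EPOCH):
        h = hashlib.sha256(variant_seed + epoch.to_bytes(8, "big") + bytes([slot])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])
        domains.append(f"{label}.{TLDS[h[10] % len(TLDS)]}")
    return domains


def bot_rescue(variant_seed: bytes, now: datetime,
               registered: Dict[str, str]) -> Optional[str]:
    """Bot side: walk this epoch's four names in order and talk to the first
    one that resolves.  `registered` maps domain -> owner ("attacker" or
    "defender").  Returns that owner, or None if nothing resolves."""
    for d in rescue_domains(variant_seed, epoch_index(now)):
        if d in registered:
            return registered[d]
    return None


def defender_plan(variant_seeds: Iterable[bytes], start: datetime, end: datetime) -> Set[str]:
    """Defender side: every name to pre-register so that each variant's
    rescue lookup anywhere in [start, end) lands on a defender-held domain."""
    plan: Set[str] = set()
    for seed in variant_seeds:
        for e in epochs_overlapping(start, end):
            plan.update(rescue_domains(seed, e))
    return plan


def weekly_rate(n_domains: int, start: datetime, end: datetime) -> float:
    """Registrations per 7-day week implied by a plan of n_domains."""
    weeks = (end - start).total_seconds() / (7 * 24 * 3600)
    return n_domains / weeks


# Constructed sample: 50 variants (the article's count), each with its own seed.
VARIANTS = [f"variant-{i:02d}".encode() for i in range(50)]
# Epoch-aligned start (2008-11-28 00:00 UTC) so 3 weeks = exactly seven epochs.
START = datetime.fromtimestamp(4737 * EPOCH_SECONDS, tz=timezone.utc)
END = START + timedelta(weeks=3)


def demo():
    """Size the defender's plan, then show what happens once it runs out."""
    plan = defender_plan(VARIANTS, START, END)
    registered = {d: "defender" for d in plan}
    # The attacker registers every variant's set for the first epoch the
    # defender did not buy.
    first_uncovered = epoch_index(END)
    for seed in VARIANTS:
        for d in rescue_domains(seed, first_uncovered):
            registered.setdefault(d, "attacker")
    v0 = VARIANTS[0]
    inside = bot_rescue(v0, START + timedelta(days=10), registered)   # within horizon
    outside = bot_rescue(v0, END + timedelta(hours=1), registered)     # one hour past it
    return len(plan), weekly_rate(len(plan), START, END), inside, outside


if __name__ == "__main__":
    n, rate, inside, outside = demo()
    print(f"{n} domains over 3 weeks, about {rate:.0f} per week; "
          f"bot inside horizon -> {inside}, one hour past horizon -> {outside}")
```

Running it for 50 variants over three weeks yields 1400 names, about 467 per week, which is exactly the arithmetic behind the article's "more than 450 domains each week" (50 variants x 4 names x 7/3 epochs per week). The second half of `demo` is the failure mode the thread is discussing: the moment the pre-registered horizon runs out, the bots' next epoch resolves to whoever bought those names, so a sinkholing defender has to keep paying registrars indefinitely while the attacker only needs to win one epoch.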
------
Herring
They couldn't roll out updates? I heard the botnet writers hardcoded some
sites after they regained control.


 _"The updated Srizbi includes hard-coded references to the Estonian command-
and-control servers [..]"_

[http://www.computerworld.com/action/article.do?command=viewA...](http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121678)

~~~
sireat
Strange that the C&C servers are still in Estonia; one would imagine the EU,
and for that matter Estonia itself, could take matters into its own hands if
the appropriate authorities could be provided with a list of those servers.

------
alexandros
Aside from the obvious stupidity of the 'established players', I have to say
that is one hell of a bootstrapping technique.

~~~
cturner
> Aside from the obvious stupidity of the 'established players'

Surely it's a short-term solution at best? As soon as one bot network is
killed like this, another will emerge with more complex (and costly to
patch) security measures - ?

Wouldn't it be easier to attack it at the DNS management level itself? Model:
have a provision for creating a kill list for domain names that extends from
ICANN down to the registrars. Would allow ICANN to blacklist certain names.

~~~
alexandros
Whatever level the necessary action needed to be performed at, it needed the
big boys (and girls) to get involved. And the chance has been lost for this
round, it seems.

Thinking about your solution a bit more, though (and it does sound good at
first): what happens when the blacklist starts approaching a material
percentage of the total usable domain names? Are we eventually going to
blacklist the entire domain space? This is just another reason why DNS is very,
very broken.

~~~
kragen
What do you think a non-broken replacement for DNS would be like?

~~~
alexandros
Just because I mentioned the problem does not mean I have the solution :). If
I had to venture a guess, I would say it would look much more like a
distributed identity/trust model than the current semi-centralized DNS
solution.

~~~
kragen
I agree that DNS is pretty broken, and it's a really important problem to
solve. I was hoping you might have insights on what to do ;)

