IT Security Blog

11 February 2009

Microsoft Targets Srizbi with MSRT


Microsoft has announced that they have added Srizbi botnet code detection to their Malicious Software Removal Tool (MSRT) with its latest update.  As mentioned in the article, Microsoft claimed victory over the Storm botnet by cleaning up over 91,000 Storm-infected PCs within 24 hours after their initial Storm heuristics were released back in September 2007.

As was the case when the original Storm botnet was mostly eradicated, Srizbi isn't a major player in the spam wars these days.  The Srizbi botnet never quite recovered from its days as one of the most prevalent spam botnets after McColo was shut down back in November.  The Cutwail and Mega-D botnets, which were also heavily affected by the McColo shutdown, are doing quite well for themselves, however.

As Joe Stewart said in the article, Microsoft would have served itself better to go after one of the newer botnets on the scene, like Xarvester or Donbot, or even Cutwail or Mega-D.  With all of the news surrounding Conficker and how that botnet still lies in wait to come alive, that would be another prime candidate to target.  I agree with Joe where he said it will be nice to get these machines cleaned up, but it isn't going to have an effect on spam volumes.

Posted by smasiello at 2:04 PM | 1 comment

26 November 2008

The Honeymoon is Over


Apparently you just can't keep a good botnet down.

As expected, the honeymoon that we have been on since the November 11th shutdown of McColo is over.  As we discussed in our previous post about the volume declines after the McColo shutdown, the Rustock botnet was able to update some of its infected machines during an approximately 12-hour period in which McColo was brought back online by TeliaSonera, a Swedish ISP.  Rustock has come back, and come back strong, over the past few days, mostly sending out Canadian Pharmacy spam (one of our all-time favorites).

[traffic graphs for the Srizbi, Mega-D and Rustock botnets]

Above are traffic graphs for the three major botnets that were affected as a result of the McColo shutdown.  The big drop-offs for Srizbi and Mega-D are both on November 12 (the day after McColo was taken offline).  Traffic from both the Srizbi and Mega-D botnets has been virtually non-existent since the 12th.

The Rustock spike started on November 20, about 5 days after McColo was temporarily brought back online.

Just to keep us all on our toes, we've even seen some signs of life from the Storm botnet that most of us had written off for dead.  Although some of this traffic is believed to have come from poorly configured Barracuda devices, we're still keeping an eye out in case this botnet has the potential to come back.

Despite the resurrection of the Rustock botnet, overall mail volumes are still down about 30-35% from where they were prior to November 11.  Today, FireEye is reporting that the Srizbi botnet is back under the control of its original owners and that new command and control servers have been registered in Russia.  So, it stands to reason that Srizbi will not be dormant for much longer before we start to see spam volumes increasing again.  The last two weeks have been a nice holiday before the holiday, but it looks like we are very quickly getting back to business as usual... and that's just the way I like it!

Posted by smasiello at 1:25 PM | 1 comment

17 November 2008

The Day the Botnet Died


Last week we reported the significant decrease in spam volumes as a result of the shutdown of McColo, a hosting provider that was catering to spammers.  I wanted to take a few minutes and lend a bit more color and data to what we originally reported now that we have had a few days to let the real effect soak in.

We continue to see an over-50% decline in total mail flow (all spam).  In fact, that percentage appears to have leveled off at over 60%.  A bit lower than the 75% reduction some are reporting, but no matter how you slice it, the effect has been more than significant.

Below is a graph outlining hourly mail flow patterns since November 1:

[hourly mail flow graph, November 1 onward]

The significant drop-off that you see about two-thirds of the way through the graph correlates directly with the McColo shutdown on 11/11.  According to our stats, that drop-off occurred during the 1pm MST hour on the eleventh.

A few botnets in particular appear to have been severely debilitated as a result of the McColo shutdown: the Srizbi, Rustock, and Mega-D botnets.  Traffic associated with the Mega-D botnet (so named because of its advertisement of male enhancement products) has declined over 95% since 11/11, and Srizbi volume has declined by over 80%.
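The drop-off hour and the per-botnet decline figures above come from the blog's own mail-flow statistics. The following is an added example, not code from the blog, showing how such numbers can be derived from a per-source hourly volume log: it locates the first hour in which total volume collapses and then compares each source's mean hourly volume before and after that hour. The log format and the counts in it are constructed for the example.

```python
"""Locate a mail-volume collapse and measure per-source decline.

Added example; the log lines and their counts are constructed, not the
blog's data.  Line format (assumed): "<ISO hour> <source> <messages>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed hourly volume log covering three hours before and three hours
# after a hypothetical collapse at 13:00.
SAMPLE_LOG = """\
2008-11-11T10:00 srizbi 5200
2008-11-11T10:00 mega-d 3100
2008-11-11T10:00 rustock 2400
2008-11-11T11:00 srizbi 5100
2008-11-11T11:00 mega-d 3000
2008-11-11T11:00 rustock 2500
2008-11-11T12:00 srizbi 5300
2008-11-11T12:00 mega-d 3200
2008-11-11T12:00 rustock 2450
2008-11-11T13:00 srizbi 900
2008-11-11T13:00 mega-d 120
2008-11-11T13:00 rustock 600
2008-11-11T14:00 srizbi 800
2008-11-11T14:00 mega-d 100
2008-11-11T14:00 rustock 550
2008-11-11T15:00 srizbi 850
2008-11-11T15:00 mega-d 110
2008-11-11T15:00 rustock 500
"""


def parse_log(text):
    """Return {hour (datetime): {source: count}} from the log text."""
    hours = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, count = line.split()
        hours[datetime.fromisoformat(stamp)][source] = int(count)
    return dict(hours)


def hourly_totals(hours):
    """Sum all sources for each hour."""
    return {hour: sum(per_source.values()) for hour, per_source in hours.items()}


def find_dropoff(hours, min_drop=0.5):
    """Return the first hour whose total falls by at least min_drop (a fraction)
    relative to the previous hour, or None if no such hour exists."""
    totals = hourly_totals(hours)
    ordered = sorted(totals)
    for prev, cur in zip(ordered, ordered[1:]):
        if totals[prev] > 0 and (totals[prev] - totals[cur]) / totals[prev] >= min_drop:
            return cur
    return None


def decline_by_source(hours, cutoff):
    """Percent decline of mean hourly volume per source, comparing hours
    before the cutoff with hours at or after it."""
    before, after = defaultdict(list), defaultdict(list)
    for hour, per_source in hours.items():
        bucket = after if hour >= cutoff else before
        for source, count in per_source.items():
            bucket[source].append(count)
    result = {}
    for source, counts in before.items():
        base = sum(counts) / len(counts)
        post = sum(after[source]) / len(after[source]) if after[source] else 0.0
        result[source] = round(100 * (base - post) / base, 1)
    return result


def overall_decline(hours, cutoff):
    """Percent decline of mean total hourly volume across all sources."""
    totals = hourly_totals(hours)
    base = [v for h, v in totals.items() if h < cutoff]
    post = [v for h, v in totals.items() if h >= cutoff]
    base_mean = sum(base) / len(base)
    post_mean = sum(post) / len(post) if post else 0.0
    return round(100 * (base_mean - post_mean) / base_mean, 1)


if __name__ == "__main__":
    hours = parse_log(SAMPLE_LOG)
    cutoff = find_dropoff(hours)
    print("collapse hour:", cutoff)
    print("overall decline:", overall_decline(hours, cutoff), "%")
    print("per-source decline:", decline_by_source(hours, cutoff))
```

The threshold in `find_dropoff` (a 50% hour-over-hour fall) is a design choice for this example; for a real feed it should sit well above the normal hour-to-hour variation of the sources being monitored, otherwise ordinary diurnal swings will trigger it.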
Sophos is reporting that McColo was briefly brought back online this weekend by a Swedish ISP named TeliaSonera.  After receiving many complaints about the matter from security researchers, they were taken offline again, but not before the folks responsible for the Rustock botnet were able to release a code update to their bots to point them away from McColo.  It is unclear at this point whether that update reached a significant base of Rustock-infected PCs, but it does breathe new life into a botnet that had briefly been put on life support.  So far today we are not observing any significant effect as a result of the Rustock update.

Spam percentages have also taken a big hit as a result of the decline in spam volume.  For the past 2 years we have been reporting spam at about 90% of all email traffic on the internet.  Since the McColo shutdown those percentages have occasionally dipped into the low-to-mid 70 percent range, levels we have not seen since the first quarter of 2006.

Although the short-term effect of the McColo shutdown has been significant, we still do not believe that spam volumes will be affected over the long haul.  Botnets come and go, and malware techniques will continue to evolve.  As Storm declined in volume, botnets like Srizbi, Mega-D, Rustock, Cutwail, and others have been more than ready to pick up the slack.  The punch line to all of this remains the same.  The people who can have the most impact in continuing to win battles in the war against spam are the people who provide domain registrar service, DNS service, and ultimately bandwidth service to bots and botnet owners.  If bots cannot communicate, they cannot thrive.  The events of the past week have been a perfect example of that.

Posted by smasiello at 11:23 AM | 0 comments

19 June 2008

PornTube Malware and Spam Run in High Volumes


Worm Alert!

We are currently seeing high volumes of a new spam run that contains a link to a pornographic web site hosting an ActiveX malware component.  Our Threat Operations Center started seeing these messages at about 6am today, and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours).  From what we can tell thus far, the malware appears to be related to the Srizbi botnet.

There is no specific lure here, as the subject lines of these messages are fairly random, but they try to generate interest based on fake news stories.  Here are some example subject lines that we have seen so far:

Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation

The messages themselves are one-liners followed by a link to a YouTube look-alike site called PornTube, where the user is prompted to install a malicious ActiveX control.  Most of the links that we have seen thus far point to a file named r.html at the end of the URL, such as the following (obfuscated since most were still hosting active malware at the time of this posting):

hxxp://envol-restaurant.com/r.html

hxxp://spizarnia.nazwa.pl/r.html

hxxp://wandea1.wandea.org.pl/r.html
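The run is characterised above by three traits: a rotating fake-news subject, a one-line body, and a link whose final path component is r.html. The following added example (not code from the blog) shows one way a mail gateway could score incoming messages on those traits together rather than on the subject alone, since the subjects rotate while the link pattern stays constant. The raw messages, sender and link hosts are constructed placeholders; only a handful of the post's subject lines are included in the known-subject set.

```python
"""Score messages against the PornTube lure pattern (subject, one-line body,
link ending in r.html).

Added example; the three raw messages below are constructed, and the hosts
in them are placeholders, not the sites named in the post.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# A few of the subject lines quoted in the post, normalised to lowercase.
KNOWN_SUBJECTS = {
    "batman latest movie bombs at box office",
    "china earthquake claims 1 million lives",
    "white house hit by lightning, catches fire",
    "windows vista urgent upgrade installation",
}

# Matches http(s) links and the "hxxp" defanged form used in write-ups.
URL_RE = re.compile(r"\b(?:hxxp|http)s?://[^\s<>\"']+", re.IGNORECASE)
LURE_FILENAME = "r.html"


def extract_links(text):
    """Return all URL-like strings found in the body text."""
    return URL_RE.findall(text)


def link_filename(url):
    """Final path component of a URL, lowercased ('' if none)."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()


def classify(raw_message, min_reasons=2):
    """Return (is_lure, reasons) for one RFC 822 message string.

    A message is flagged when at least min_reasons of the three traits
    match; this keeps a lone known subject (easily rotated) from being
    sufficient on its own.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    lines = [line for line in text.splitlines() if line.strip()]
    links = extract_links(text)

    reasons = []
    if any(link_filename(u) == LURE_FILENAME for u in links):
        reasons.append("link to r.html")
    if subject in KNOWN_SUBJECTS:
        reasons.append("known lure subject")
    if links and len(lines) <= 2:
        reasons.append("one-line body with link")
    return (len(reasons) >= min_reasons, reasons)


# Constructed sample: known subject, one-line body, r.html link.
LURE = """\
From: news@lure-sender.example
To: user@corp.example
Subject: White House hit by lightning, catches fire
Content-Type: text/plain

Breaking footage here: http://lure-host.example/r.html
"""

# Constructed sample: rotated subject not in the list, same body pattern.
LURE_NEW_SUBJECT = """\
From: news@lure-sender.example
To: user@corp.example
Subject: Celebrity spotted at secret wedding
Content-Type: text/plain

See the pictures: http://other-lure-host.example/videos/r.html
"""

# Constructed sample: ordinary internal mail with a link.
BENIGN = """\
From: colleague@corp.example
To: user@corp.example
Subject: Weekly status report
Content-Type: text/plain

Hi all,

Here is the report for this week: http://intranet.corp.example/reports/week47.html
Let me know if you have questions.
"""

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("LURE_NEW_SUBJECT", LURE_NEW_SUBJECT), ("BENIGN", BENIGN)):
        print(name, classify(raw))
```

The second sample shows why the link and body-shape traits carry the weight: a subject the gateway has never seen still scores two of three, while the internal report with a multi-line body and a different filename scores none.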


Upon visiting these sites you will see the PornTube site in the background, and you get the following popup window:

[screenshot of the ActiveX install prompt]

If you click OK, the ActiveX control is installed and your PC is infected; clicking the Cancel button, however, displays this popup:

[screenshot of the second popup]

At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window.  The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).

Keep on the lookout for these, as they are currently being distributed in fairly high volumes.


*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaked at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour.  Looks like this one hit quick and is now tailing off.

Posted by smasiello at 6:01 PM | 7 comments