Network News

X My Profile
View More Activity

Spam Volumes Expected to Rise with Botnet Resurrection

Spam volumes could rise considerably over the next few days now that one of the world's largest networks of compromised computers used for blasting out junk e-mail was brought back to life tonight.

The "Srizbi" botnet, a collection of more than half a million hacked PCs that were responsible for relaying approximately 40 percent of all spam sent worldwide, was knocked offline two weeks ago due to pressure from the computer security community.

On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers.

Turns out, Srizbi's authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates.

With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there.

According to FireEye, a security company in Milpitas, Calif., that has closely tracked the botnet's actviity, a number of those rescue domains were registered Tuesday evening, apparenly directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia.

FireEye senior security researcher Alex Lanstein said he fully expects spam volumes to recover to their pre-Nov. 11 levels within a couple of days.

"Srizbi was the spam king," Lanstein said. "And now it's back."

Much more to come tomorrow with the very interesting back story about how all this happened. Stay tuned.

By Brian Krebs  |  November 26, 2008; 12:05 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , U.S. Government , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Two Weeks Out, Spam Volumes Still Way Down
Next: Srizbi Botnet Re-Emerges Despite Security Firm's Efforts


Well, rats. My volume has been down to about 2 per day, and practically none of the sexually offensive ones. Sorry to hear they are coming from Estonia, I admire their pioneering work in online voting.

Why don't the owners of the infected PC's notice the slowdown when the use of their computers for spam kicks back in?

Glad I have an Apple.

Posted by: dotellen | November 26, 2008 12:44 AM | Report abuse

Geee... Go figure.... Spammers outwitting industry.

I posted 2 weeks ago that this was coming.... Too bad nobody listened..

Posted by: indep2 | November 26, 2008 9:37 AM | Report abuse

"I posted 2 weeks ago that this was coming.... Too bad nobody listened.."

Listening to you would have done nothing. What an ignorant post.

"Glad I have an Apple" Really? Anyone can send you as much email as anyone else. There is absolutely nothing Apple can do about it. Apple is not your ISP. Another ignorant post.

Posted by: Hawaiian_Gecko | November 26, 2008 10:10 AM | Report abuse

gecko - I believe dotEllen was talking about not being botted. Macs do have that advantage since they aren't being targeted (right now). Also, on the day before Thanksgiving, you might want to take your clonazepam right now, you're a little wound up. Have a good day.

Posted by: Odymon | November 26, 2008 10:31 AM | Report abuse

Gecko - Slow down when you read. The 'Glad I have an Apple' quote was in refrence to the paragraph directly before it. If you go back and read the part you apparently skipped, it should make sense.

Posted by: SmallWhiteCar | November 26, 2008 10:41 AM | Report abuse

Yes, I was talking about not being botted. And my Safari program provided a security update yesterday morning, hope it helps.

Posted by: dotellen | November 26, 2008 11:10 AM | Report abuse

With these comments about spam coming from hacked computers, I wonder if my computer has been infected. About 4 weeks ago my email started to be very slow downloading. I can not delete messages every time. If I start deleting the minute email arrives I can do so most of the time, otherwise I have to wait. Also at time when the email has finished downloading, the lower right of the bottom bar says I have total of 52,000 messages and other times 13k - 15k messages. About this time I also started to get notices of skype messages from a porn site. Also, AIM would be showing up every time I logged on. I was surprised that I was getting skype messages because I had never turned it on to use it over the last 6 months. I have Norton updates and run Spybot Search and Destroy. Have I been hacked or is there something else going on. I have searched for the 52k emails supposedly on file but have not found them. Any suggestions?

Posted by: kjella | November 26, 2008 11:20 AM | Report abuse

Yep. Went from 2-4 pieces of spam in the filter for a while and now back up to 12-15. Still way better than the 50-75 that I used to get.

Posted by: BobT13 | November 26, 2008 11:24 AM | Report abuse

Posted by: Hawaiian_Gecko | November 26, 2008 10:10 AM

"I posted 2 weeks ago that this was coming.... Too bad nobody listened.."
Listening to you would have done nothing. What an ignorant post.
"Glad I have an Apple" Really? Anyone can send you as much email as anyone else. There is absolutely nothing Apple can do about it. Apple is not your ISP. Another ignorant post.

So you go online to point out other peoples posts to call them ignorant?

Can I call you pointless in response, without you getting bent out of shape?

The truth of the matter is, many people including me, warned everyone of how they were going to work around the problem to include providing lists of those “Alternate” domain names so they could be blocked at the DNS level….Nothing was done and now what we all warned them will happen is happening…

This could have all been avoided with 5 mins of work on a DNS server... But I wouldn’t expect you to understand that since you have pointed out that this kind of information is worthless to those that don’t care….

Enjoy your obviously blissful existence as an ignoramus.

Posted by: indep2 | November 26, 2008 11:24 AM | Report abuse

All I can say to people is to only use email software or email services that offer greylisting as part of their spam fighting tools.

"Greylisting (or graylisting) is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again and the email is accepted. If the mail is from a spam bot it will probably not be retried since a spam bot goes through thousands of email addresses and can not afford the time delay or does not have the functions to retry."

This will slow down your recieve time on inital emails if the sender is not known, but once the server approves the sender then email flows as normal.

This along with normal spam measures can reduce spam by like 95%. (Spam that actually makes it to a users mail box)

I use a product called Desknow for my email and I get only a few spam messages a week that actually make it inside my servers. And 99% of the time those are from people who are sending spam from Yahoo or Google mail servers. I get 0 spam from bot nets.

Posted by: tymiles | November 26, 2008 11:55 AM | Report abuse

@ kjella:
It definitely sounds like you've been infected. If you feel like fixing it on your own, I'd advise you to seek out some help on the web forums where people hang out to offer advice. Otherwise, take it to a shop in your community and they should be able to help you out.


Posted by: PeterFellenz | November 26, 2008 12:28 PM | Report abuse

> Posted at 12:05 AM ET, 11/26/2008

My theory is that there is no Brian Krebs. "Brian Krebs" has to be a committee to be posting at this hour, and sometimes before dawn :-)

Posted by: GWGOLDB | November 26, 2008 12:52 PM | Report abuse

People are "ignorant" in that they may lack knowledge or information. Obviously everyone is ignorant in some field.

Calling someone an "ignoramus," although it essentially merely means a person who is ignorant, can certainly be seen as pointless and mean-spirited, and therefore inappropriate, name calling.

There's no reason to stoop to that. People come here to share brief thoughts on a newspaper article. That's all, for Pete's sake. A simple lack of knowledge of things like DNS servers doesn't mean a person loses the right to post something clearly stated, such as, "Glad I have an Apple." (I am glad I have a Mac for the same, obvious, reason: it is, currently, less prone to this type of infection.)

People are clearly responding to your ill-will, not your knowledge. Please respond in the same vein.

Happy holidays to everyone.

Posted by: DFBrklyn | November 26, 2008 12:53 PM | Report abuse

Grey listing is but one more temporary safeguard the white hats have evolved to reduce time and energy in black listing. Pun is intended on the color commentary here, and it's the truth.

Believe me, bot programmers are well aware and could easily add functionality to resend. Matter of fact to reduce bandwidth they might create probes as a level one attack that solely intend to identify email servers that "tentatively reject". To build more lists of spammable addresses and find more machines to exploit via a new back door algorithm.

Folks, if you want to stop (not reduce) spam then two things need to happen:

1) Tighten up loose ends in the protocol that defines an E-Mail packet so spoofing is not allowed in any form.

2) Move anti-spam measures including filtering, lists of known spammers, and other security technologies at centralized servers - much like the root servers are structured for purposes of top level domain zone files and mappings. Move the burden off the end user.

3) Remove certain roadblocks to litigation so consumers have the ability to more easily class action sue and hold accountable and have a means to identify and seek cessation the activities of a potential spammer.

Of course none of this will happen - the Internet will no longer be a dynamic, open source non-centralized entity. Regulatory commissions will need to be established which have their own political agendas and bureaucracy. The corporations will want profit from the system, likely introduce advertising and gimmicks into normal E-Mail and then we deal with antitrust.

Yeah, I'm a worry wort. I'm also a pragmatist and wish to point out there real solution to maintain a free and secure mailbox is to do what has been stated all along: Keep your anti-virus, spyware and spam software up to date, don't open attachments unless it is from a known source and expected, and remember the human being is the weakest link in any security chain. Just be sensible and careful.

It's really that simple.


Posted by: JimGoldbloom | November 26, 2008 1:24 PM | Report abuse

Posted by: SportzNut21 | November 26, 2008 1:26 PM | Report abuse

Ignorance speaks - If the experts know so much about how this bot works, can't it be hijacked to spread news of it's own existance and how to remove it?

Posted by: j2hess | November 26, 2008 3:16 PM | Report abuse


Yes it can... Much like what some security people did with the Code Red Worm and some others....

The ironic thing is they actually go into trouble for it since they had to breach the same agreements that the virus writers did by entering your computer without your permission.

I know.... doesnt make sense right? You can thank the liberal judge who sentenced them...

So there you have it, yes it can be done but legally, no it cannot ;)

Posted by: indep2 | November 26, 2008 3:28 PM | Report abuse

"The ironic thing is they actually go into trouble for it since they had to breach the same agreements that the virus writers did by entering your computer without your permission.

I know.... doesnt make sense right? You can thank the liberal judge who sentenced them..."

Dead wrong. Even with the politicized judicial appointment systems across the US jurisdictions, in the end judges almost always do the right thing. For the general problem of barriers to technology research and solutions, blame the legislators who crippled research in the name of "intellectual property", and the businesses that paid for the new laws.

Speaking of business, some years ago I addressed a legislative committee on an architectural solution to effectively eliminate spam (inter alia) for business and anyone else that wanted it. I was somewhat astonished when the "security" industry reps there greeted the proposal initially with disbelief, then fear, then hatred. Being young and naive at the time, it took me a while to figure out why :)

Posted by: sr12 | November 27, 2008 3:47 AM | Report abuse

My point was that it is illegal to use a worm to destroy a worm...

Posted by: indep2 | November 28, 2008 11:34 AM | Report abuse

This is off topic, but appropriate for your column. Please STOP THE FLOATING ADS that cover the text of the article. I am currently looking at a blue rectangle that asks me if I want to participate in a survey - I DON'T! It appears on every article in today's WAPO and has done so over the past week. I don't click on boxes I don't know anything about, I just close the window. I CAN'T CLOSE THIS WINDOW except by clicking on the RED circled X. Who knows what could lead me to! I consider this a security issue and reload the page as many times as it takes to be free of this annoyance, or just skip the article. Please pass it on to whomever is responsible for these miserable intrusions.

Posted by: kamx3sj | December 1, 2008 11:44 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company