My 12/07/08 Missoulian column
Hopefully, you have received fewer spam and phishing e-mails over the last month thanks to the takedown of a major hosting company called McColo, which effectively stopped hundreds of thousands of infected PCs from sending spam. (As I’ve written in the past, don’t open spam e-mails or click on their links, no matter how curious you are and how well you think your anti-virus and anti-spyware software works.)
In any event, this is part two of the story of the spam drop off, McColo, their computer servers in San Jose, Calif., and the Security Fix blog at the Washington Post, written by Brian Krebs – who broke the story and helped get McColo disconnected – and who continues the story.
On Nov. 12, a major botnet called Srizbi found itself without a home on the Internet when McColo was cut off. The Srizbi botnet – like many other botnets – is a collection of PCs (at homes, offices, in governments, etc.) that have been compromised by malware sent out by the botnet owners. Their malware gets installed when you click on a spam e-mail link or visit a Web site designed to plant the malware. Your PC can be vulnerable to malware if anti-virus software is missing or out of date, or if security patches are missing or out of date (or, in some cases, the security problems are not yet fixed).
Once malware is installed, a PC becomes part of the botnet and can be remotely controlled by the botnet “herders,” who may control hundreds of thousands of PCs. Botnets are used to send billions of spam e-mails a day, pitching everything from pharmaceuticals to pornography to malware that captures still more PCs into the botnet.
On Nov. 12, McColo was disconnected from their own Internet provider. This was a big development in the world of spam: a commercial hosting company getting shut down due to peer pressure from the press and security researchers. Within an hour, worldwide spam levels dropped like a rock, down 50 percent or more.
But the Srizbi botnet programmers were ready for the possibility of being cut off from their PCs by loss of their hosting, and they had built into their system a way to recover and regroup and continue to send spam and make money for themselves.
The hundreds of thousands of PCs in any botnet don’t control themselves; they require a sophisticated command and control structure, just like an army of that size. Without command and control, a botnet is as good as dead. When McColo went offline and took the botnet servers down with it, all those PCs in the botnet quit sending spam.
But the Srizbi programmers had planned ahead. If their army of PCs ever lost touch with the original control servers, the controlling software would wait and then attempt to reconnect to different Internet domains to receive instructions to reassemble the botnet. It was a very intelligent “Plan B” to hopefully ensure the survival of the botnet if it was disconnected.
That’s where another important player in the story – a company called FireEye, a security firm – comes in.
Researchers at FireEye discovered the sophistication of Srizbi and its abilities to wait and try to reassemble itself when they reverse engineered the malware from infected botnet PCs.
FireEye found that Srizbi was the only botnet operating through McColo that had plans in place if its control servers were ever lost along with their hosting company. The botnet software contained an algorithm that would generate seemingly random Web site domain names so the PCs could check for software updates from their programmers. (The botnet used to communicate with its controllers through domains at McColo, but once those domain names became known to other hosting companies around the world, the botnet needed fresh domain names to connect to.)
When researchers at FireEye discovered many of the domain names that the botnet PCs would check – programmed into the malware – they realized it might be a key to keep Srizbi offline. If they could register those domains before the Srizbi bot PCs looked for them, they could stop the botnet from updating and essentially keep it dead.
For $10 or less, anyone can register a domain for a year and then “host” it at a hosting company to make it “live” on the Internet. FireEye realized they could register those domains to prevent the Srizbi programmers from regaining control over their botnet. (The Srizbi programmers hadn’t registered all those domains in advance in order to keep them secret, and must have planned to register them in bulk as the botnet PCs looked for them.)
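The fallback mechanism described in the paragraphs above (the bots’ “Plan B” of waiting and trying freshly generated domains, and FireEye registering those domains first) is shown here as an added example that is not part of the original column and is not Srizbi’s actual code. It is a constructed toy domain-generation algorithm in Python: each day’s candidate domains are derived from a secret seed and the calendar date, so the bots and whoever holds the seed compute the same list without talking to each other. The seed, the number of domains per day, the top-level-domain list and the DNS log lines are all assumptions made up for the illustration; a defender would substitute the values recovered by reverse engineering. The second half shows the two defensive uses of a recovered algorithm: enumerating a week’s domains for sinkhole registration, and matching resolver logs against the day’s list to find infected machines.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA (NOT Srizbi's real algorithm). The seed and the
# per-day domain count are made-up values standing in for what a reverse
# engineer would recover from the malware sample.
SEED = b"toy-seed-for-illustration"
DOMAINS_PER_DAY = 8
TLDS = ("com", "net", "org")  # assumed TLD list


def candidate_domains(day_iso: str, count: int = DOMAINS_PER_DAY) -> list:
    """Return the day's candidate rendezvous domains, in the order a bot would try them.

    The only inputs are the shared seed and the date, which is what lets both the
    operators and the defenders predict the list ahead of time.
    """
    day = date.fromisoformat(day_iso)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        # Map the first ten digest bytes to lowercase letters so the label is a
        # valid DNS label; the eleventh byte picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        tld = TLDS[digest[10] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_list(start_iso: str, days: int = 7) -> list:
    """Every domain the bots would try during the window, i.e. the defender's
    registration shopping list (the column notes this ran to hundreds per week)."""
    start = date.fromisoformat(start_iso)
    names = []
    for offset in range(days):
        names.extend(candidate_domains((start + timedelta(days=offset)).isoformat()))
    return names


def infected_clients(log_lines, day_iso: str) -> dict:
    """Map each client IP that queried one of the day's DGA domains to the names it asked for.

    A machine resolving these names is almost certainly running the bot, because the
    names mean nothing to anyone who does not hold the algorithm.
    """
    wanted = set(candidate_domains(day_iso))
    hits = {}
    for line in log_lines:
        _timestamp, client, name = line.split()
        name = name.rstrip(".").lower()  # normalise trailing dot and case
        if name in wanted:
            hits.setdefault(client, []).append(name)
    return hits


# Constructed resolver log, "<timestamp> <client-ip> <queried-name>". The DGA names are
# inserted programmatically so the sample matches whatever the toy algorithm produces.
DAY = "2008-11-12"  # the date the column gives for McColo going dark, used only as the DGA input
_today = candidate_domains(DAY)
SAMPLE_DNS_LOG = [
    f"2008-11-12T09:00:01 10.0.0.5 {_today[0]}.",
    "2008-11-12T09:00:02 10.0.0.5 www.example.com.",
    f"2008-11-12T09:00:03 10.0.0.5 {_today[1]}.",
    "2008-11-12T09:01:10 10.0.0.9 mail.example.net.",
    f"2008-11-12T09:02:44 10.0.0.17 {_today[3].upper()}.",
]

if __name__ == "__main__":
    print("Today's candidate domains:", _today)
    print("Domains to sinkhole this week:", len(sinkhole_list("2008-11-10", 7)))
    print("Clients that looked for them:", infected_clients(SAMPLE_DNS_LOG, DAY))
```

The defender’s advantage in this scheme is purely one of timing: whoever registers a day’s names first answers the bots’ check-in, which is why the column describes a weekly race to register several hundred domains, and why hosting (not just registration) turned out to be the real choke point.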
But FireEye couldn’t keep up with registering and paying for 400-500 domains a week. The company even considered deprogramming the bots when they connected to a FireEye-owned domain and killing off the Srizbi bots thousands at a time, but that route was fraught with technical and legal issues.
However, registering all the domain names wasn’t as critical as first thought; owning domains is only part of the control structure for commanding a botnet. Those domains must be hosted by an Internet service provider, and when Srizbi tried to host some of the new control domains at an ISP in Estonia – maybe thinking they were beyond law enforcement and beyond peer pressure – they were cut off there, too, according to Computerworld.
Interestingly enough, law enforcement still hasn’t caught up with the Srizbi and McColo story, according to Computerworld. On Oct. 14, before McColo was shut down, the Federal Trade Commission, along with the FBI and the New Zealand Police, announced they had shut down an international spam network known as HerbalKing.
According to The New York Times, “The government is also pursuing criminal charges against the group. FBI investigators in Chicago and St. Louis have executed search warrants against members of the spam gang, the commission said.”
And in that same piece, “Anti-spam researchers lauded the crackdown and said it would send a strong message to other spammers. But they were not confident that spam volumes would decrease.” And it was true. Spam levels went back to normal within a week. Until McColo was disconnected about a month later.
But according to Computerworld, “no federal agency – not the FTC, the FBI, the Secret Service or the Department of Justice – was involved in shutting (McColo) down.” That echoes what Krebs at Security Fix has written – law enforcement in the McColo take down has been nonexistent.
But “there’s a reason why we didn’t just go and grab all the servers,” a source in law enforcement said in Computerworld. “If you want a warrant for hundreds of servers … that’s very difficult.” Especially when the criminals associated with McColo “are thought to live in Russia and Eastern Europe, where computer crimes are rarely prosecuted”.
The Srizbi botnet story will no doubt continue, as will the questions: Will Srizbi rise again if it can find hosting that is beyond the reach of security researchers and peer pressure? Is taking down hosting companies that give Internet homes to botnet controllers mostly the job of security researchers and the press and not law enforcement?