After being stranded for weeks, a monster botnet responsible for an estimated 40 percent of the world's spam was able to briefly reconnect to its mothership in a tense international duel playing out online that could have a dramatic effect on the amount of junkmail flowing into inboxes everywhere. The rogue network dubbed Srizbi …
"FireEye researchers decided they could no longer afford to spend the money buying the domains." ..
Surely ICANN could have simply locked registration on all the domains in the sequences for a suitable period around the time the botnet would go looking for them?
Oh wait, that wouold be ICANN acting for the good of the 'net, rather than just taking the $15 registration fee and laughing ... my mistake.
I'll get me coat, its the one with the IPSTAG in the pocket.
Spam by Network
Ah well, at least now I know which networks produce which bits of spam. It did go quiet for a while but some particular spam messages are now appearing in the reject log here again. I guess they're served by the one that got away, whereas the other crap that has yet to reappear is from the network that's still down. On the upside, the only way I know about it is by scanning through the spam filter log because that's where it all ends up.
Probably too obvious...
But can't someone upload self-destruct code to one of those random domains?
Most back door software has some provision for auto-downloading updates. If it's possible to impersonate the Zombie Master, can't someone make it delete itself?
Turn them off!
A computer can't bot if it is off!
There is almost no valid reason for **most** people to leave their computers on 24/7.
Sure there are a few torrenters, but really, how many.
Computers that are left on just chew power and provide little botvilles.
Some folk think that turning computers on and off causes premature failure. Bollocks. I have 6 or so computers which get turned on and off a couple of times a day. They are sometimes even powered up around freezing and are sometimes used at 40degC. In 20-odd years of computer ownership I've yet to have one fail in a way that could be linked back to power cycling (and only two or so failures all up).
@turn them off...
"Some folk think that turning computers on and off causes premature failure."
Yes, that would be those of us who measure MTBF for monitors, HDDs and cheap retail routers. You may not have experienced this but in the last few years I've seen all of these fail due to mechanical stress as a result of heat/cool cycles.
Obtopical: why /don't/ the researchers simply buy right domain and reprogramme the bots to ignore all further attempts to communicate? Or pop up alerts on their host PC? And if they've seen hundreds of thousands of PCs attempting to dial home, why can't they pass the IP addys on to their ISPs to get them dealt with?
@Turn them off!
Yes, turning off machines will save energy and all that, but how about just PATCHING them, installing competent AV software on your Windows boxes, using basic security measures like firewalls, and last but not least, if your machine does infected CLEAN it, format n' reinstall, whatever you need to do to NOT be Typhoid Mary of the net! It's amazing to me how many people will actually ignore an active infection (warnings from AV software be damned!) if it isn't impinging on them! I hope these people practice safer sex than their computing habits...
If they know the domans
If they know the domans why dont they just whois the domain when the bot guys register it and then publicly release the information on who these guys are. I bet a lot of people who hate getting spam will be on the look out for them.
And if they use fake information registering then just report to icann that the doman is registered fake and have them remove it.
The simplest solution is to enforce authentication to the submission port for consumer ISPs. If port 25 is blocked and your client needs to authenticate to 587 to submit mail, most of the problem with bots magically goes away. Of course, it doesn't help for machines that are compromised by viruses that affect the mail client, but those are comparatively rare.
@turn them off...
I've had several PSU failures where the reservoir capacitors have cooked themselves to the point where they're capable of running the system but not starting it due to the switch-on surge. Also, if you've got a hard disk where the bearings are starting to go, letting the drive spin down and cool down may be enough to guarantee that the drive won't come back up again. Plus one where, on switch-on, a small tantalum capacitor on the board went bang.
Repeated cycling might not in itself cause the failures, but many failures do occur at the moment of power-on.
I leave some of my machines on 24/7 because I run my own mailserver and web server from home, plus I connect back at all sorts of times to use facilities on the machines.
I like the idea posted above about making the botnet self destruct and remove itself via an "auto-update".
Surely ICANN in situations like this is obliged to lockout registration of these domains, however if they let the domains be registered and populated with records they then instantly know where the servers are and can get the hardware shut down and carted off by the authorities. Opens up a small window of spam time but surely it's better to keep grabbing the kit and possibly getting the men behind it rather than constantly blocking the spam attempts.
Maybe ISP's should be made to have a hand in fighting this, by default bar outgoing SMTP and have a request system to have it allowed, i'm sure one uk isp already does this. For anyone setting up a home mailserver to have to fill in a webform to request outbound smtp isn;t going to be rocket science, and the small inconvenience far far outwieghts the potential benefits.
I wonder if we'll ever see a stage where ISP's begin to implement some sort of NAC type environment where your not allowed onto the net unless at least your AV is up to date....hmm now there's an idea. that could have a similar system to the above whereby you can opt out if you really really want to, but it's a specific request, and who knows, potentially chargable?
Can we have some nice graphs of the spam levels going down and back up with these various events.
Excellent work from the good guys here.
Great to know that concerted effort can destroy these networks and have a huge effect on the internet.
Maybe soon email will be back to being a useful tool rather than an incoming shit-pipe that you have to filter through for scraps of actual info.
Sure ICANN should have made the domains unavailable for registration, but I suspect they are a battalion of shiny arsed desk jockeys, similar to our own Nominet Quango keenly focused on their daily churn such as 'how to look important carrying a sheet of A4 paper'
There's a war being fought that - at the technical level is a gripping forensic battle and a hint at how future Net wars could be fought - and you guys are moaning about capacitors?
@Markmac - @turn them off... -
>> Yes, that would be those of us who measure MTBF for monitors,
>> HDDs and cheap retail routers.
MTBF is measured in hours on – so if the period off is a greater percentage than the reduction in MTBF for the power cycles you gain life by turning it off.
The only research I have been able to track down on subject suggested break even point was 8 – 12 hours a day
Of course since you say you measure this sort of thing – you can point out some better evidence on the web covering life expectancy and powered on/off duty cycles
>> You may not have experienced this but in the last few years I've seen all of these
>> fail due to mechanical stress as a result of heat/cool cycles.
Helped someone sort out PC when they believed it was heat/cycle issues – heat was right, the HDD had been cooked by in-adequate ventilation and the case vents were clogged with dust through leaving it on 24/7.
Similarly I have found cheap PSUs working at close to maximum spec – as typically found in routers and set top boxes – die whether on 24/7 or not – replaced with a quality PSU/one working under spec – they go on for ever – conclusion they aren't correctly spec'd to for the expected duty cycle loads (i.e. they can deliver the load for the short periods or deliver a lower load for long periods). And strangely usually the warranty replacement PSU plug/block is very different from the original one
@druck: here's a graph, courtesy of SpamCop.
Note the big drop around week 45...
I'm sure there are graphs for this sort of thing - they can be found via this page - http://www.spamcop.net/spamstats.shtml
now if I could I would "dove" these bots as in not have them self-distruct rather pump out software to let you clean you machine out before removing themselves but not before a nice big DDOS of the original owner...
@ Paul Stephenson: Self-destruct
"I wonder if we'll ever see a stage where ISP's begin to implement some sort of NAC type environment where your (sic) not allowed onto the net unless at least your AV is up to date....hmm now there's an idea."
There's an idea which, depending on the way it's implemented, could be a big selling point for Linux or have Microsoft laughing all the way to the bank.
@AC @ Paul Stephenson: Self-destruct
Maybe, maybe not. The NAC client is built into XP SP3/Vista, so no cost there, and you wouldn't need many Windows boxes to handle the NAP server side even for a big ISP as the load will be pretty low. I'm not sure if there are any linux nap servers out there but I would have thought there'd be something.
Maybe the ISP could try to hack and infect the client PC, if it fails then allow it to connect. Wow, I just found a use for Phorm - just have to reverse the NAK test.
@ Paul Stephenson (@AC)
And how do you define an up-to-date AV?
re: @Turn them off!
Because, unlike Linux, MS Windows is not supposed to be a geek-only OS. Windows is SUPPOSED to be maintenance free because Jenny Housecoat isn't a computer whizz.
Or is the old saw about Linux being only suitable for geeks and completely wrong for Aunt Tillie and Granny Smith a load of shite?
How you would traditionally define an up to date av, where the program itself starts to whine about being out of date.. I would say def's not on the latest revision personally but that may be a bit too frequent for some, so say 2 to 3 days and in the event of a zero day outbreak then the nac policy could be put into *alert* mode and only allow people online that where bang up to date. it would be simple enough to redirect users to a page with the reason why and it would only be a short wait till you got full net access. i think something that detailed why they had the short wait v's the risk most people would be happy with.
@ Paul Stephenson
To require up to date AV would require:
- An authoritative list of permitted OS
- An authoritative list of permitted AV
- A definition of "up to date"
This would just play into the hands of established vendors. Otherwise I just create some FakeAV product which only needs defs once per year to satisfy the requirements.
- Review Xperia Z3: Crikey, Sony – ANOTHER flagship phondleslab?
- Pics Whisper tracks its users. So we tracked down its LA office. This is what happened next
- Human spacecraft dodge COMET CHUNKS pelting off Mars
- Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
- Downrange Are you a gun owner? Let us in OR ELSE, say Blighty's top cops