Botnet Back - How Did This Happen?
Computerworld recently reported on the shutdown and subsequent resurrection of the Srizbi botnet. When the ISP hosting the Srizbi command and control (C&C) servers was taken offline, spam levels for the entire Internet dropped by 41%. The welcome reduction in junk mail was short-lived, however: hackers regained control of the infected machines yesterday. After such a successful botnet take-down, how did authorities allow this to happen? And what did the hackers do wrong that allowed their botnet to be shut down for so long?
To understand why Srizbi came back online, we first need to examine how its command and control fallback mechanism works. If Srizbi bots are unable to communicate with their C&C server, they try to connect to a number of hostnames. These hostnames are generated by an algorithm built into each bot. After authorities reverse-engineered the malware, they registered all of the hostnames the malware could use to receive new commands. As time progressed, the number of hostnames they needed to register kept growing, and registering them all became too expensive. Hackers regained control when they were able to register one of the fallback hostnames that had not been claimed.
The revival of the Srizbi botnet can be blamed entirely on a lack of cooperation between security experts and domain registrars. Authorities should not have to pay for domain registrations to shut down a botnet. The ideal solution would have been for registrars to refuse any new registration that matched the generation algorithm. The size of the set of possible hostnames generated by Srizbi bots is unclear, but if it represents only a tiny portion of all hostnames, it may be worth blocking them to reduce Internet spam by 41%. In the future, registrars should have security teams that can respond quickly to threats and help us win the battle against botnets.
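To make the two preceding paragraphs concrete, here is an added example (not Srizbi's real algorithm and not any registrar's code) of what reverse engineering hands the defender and how a registrar could use it: a constructed hostname generator standing in for the recovered routine, a registrar-side check that refuses any registration the generator can produce, and the per-domain cost of the pre-registration approach the post describes. The seed, the number of names per day, the TLD list and the window start date are all assumptions.

```python
"""Registrar-side blocking of algorithmically generated fallback hostnames.

Added example, not Srizbi's algorithm: predict_hostnames() is a constructed
stand-in for the reverse-engineered routine the post describes. Once the
generator can be reproduced, a registrar can refuse matching names for free,
while pre-registering every candidate costs money that grows with the window.
"""
import hashlib
from datetime import date, timedelta

SEED = b"constructed-seed"          # assumption: hard-coded key recovered from the sample
PER_DAY = 5                         # assumption: fallback names tried per day
TLDS = ("com", "net", "biz")        # assumption: TLDs the generator cycles through
WINDOW_START = date(2008, 11, 25)   # constructed start of the blocking window


def predict_hostnames(day: date, seed: bytes = SEED, per_day: int = PER_DAY) -> list[str]:
    """Reproduce the bot's fallback hostnames for one day (constructed algorithm).

    Each name is derived from the seed, the date and a counter, so anyone holding
    the seed, which is what reverse engineering yields, gets the same list."""
    names = []
    for i in range(per_day):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:10])  # letters a..p
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def blocked_set(start: date = WINDOW_START, days: int = 30) -> set[str]:
    """Every hostname the bots could try within `days` days starting at `start`."""
    return {h for d in range(days) for h in predict_hostnames(start + timedelta(days=d))}


def registration_allowed(hostname: str, blocked: set[str]) -> bool:
    """Registrar-side decision: refuse any name the generator can produce."""
    return hostname.lower().strip(".") not in blocked


def registration_cost(days: int, price_per_domain: float, per_day: int = PER_DAY) -> float:
    """Cost of the approach the post describes: pre-register every candidate."""
    return days * per_day * price_per_domain


if __name__ == "__main__":
    blocked = blocked_set()
    print(f"{len(blocked)} names blocked over 30 days; allowed? example.com ->",
          registration_allowed("example.com", blocked))
```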
Another interesting security issue is where the hackers went wrong in allowing their botnet to be shut down for several days. The problem, of course, is that their fallback mechanism involved checking only a small number of domains. First, the smaller the number of fallback connection attempts, the longer it takes for bots to get back in touch with a C&C server (assuming that authorities have fixed resources to register domains). However, if registrars had blocked all possible botnet C&C domain registrations, then the number of connections would not matter. A better fallback mechanism would have been to connect directly to a set of IP addresses. There are about 4 billion IP addresses, so connecting to all of them would take a really long time. Instead, bots could be installed with a fallback algorithm that tries connecting to a reasonable subset of IP addresses, such as a few hundred thousand, spread out across the entire IP space. Unlike domain names, IP addresses are statically assigned to Internet service providers. Shutting down 200,000 IP addresses, many of which host legitimate servers, would simply not be possible. This scheme would allow hackers to regain control of the botnet by acquiring only one of a few hundred thousand IP addresses. Is there anything that could be done to prevent this type of C&C fallback? Not really. The only way to truly shut down botnets is to clean up the end hosts.