Here is a report on how FireEye is fighting the Srizbi Botnet, which as of 13 July 2008, was believed to be responsible for roughly 40% of all the spam on the net.

The way Srizbi works: a client side Trojan gets instructions from a control server to send spam. If the control server goes down (it’s a spam server and hence someone will bring it down sooner or later), the Botnet resurrects itself by computing the address of new domains. Folks who maintain Srizbi would ensure that the new domains are quickly registered, which would take over as controllers.

Srizbi was recently fought by

1. pulling down existing domains that work as controllers
2. buying new domains that the Trojans would seek

This approach isn’t feasible as there is a cost involved in buying domains. What would be a better approach? Since in this case, FireEye has significant information about clients infected with Srizbi, I was wondering if making such information public would be useful. Of course this might make these machines more vulnerable once such information is out. Hence, would it make sense to share this information only to organizations that are in the business of anti-virus, malware detection, etc, so that they could do a much better job? For e.g., there doesn’t seem to exist, a central repository for information such as virus dictionaries, etc. Of course it might be against the business model of the organizations, but I really can imagine a lot of obvious ways by which this approach could be very rewarding.

This entry was posted on Monday, December 1st, 2008 at 3:30 am and is filed under Security Blog Beat. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.