The way Srizbi works: a client-side Trojan gets its instructions from a control server telling it what spam to send. If the control server goes down (it is a spam server, so someone will bring it down sooner or later), the botnet resurrects itself by computing the names of new domains to contact. Whoever maintains Srizbi makes sure those new domains are registered quickly, so that they take over as controllers.
Srizbi was recently fought by:
- pulling down existing domains that work as controllers
- buying new domains that the Trojans would seek
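To make the mechanism concrete from the defender's side, here is an added example (not code from the original post, and not Srizbi's actual algorithm): a hypothetical date-seeded domain generator standing in for the bot's computation, and a check that runs the predicted domains against DNS query logs to spot infected clients. The log lines, the seed and the generator itself are all constructed for illustration; the point is that once the generator is understood, predicting the domains lets a network owner detect infected machines from its own resolver logs without having to buy every domain first.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "info")


def predict_domains(day: date, seed: bytes = b"example-seed", count: int = 5):
    """Hypothetical date-seeded generator (an assumption for this example,
    NOT Srizbi's real algorithm). Returns the candidate controller domains
    a bot would try on `day`; deterministic, so defenders can precompute it."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).hexdigest()
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains


def build_watchlist(start: date, lookahead_days: int = 3):
    """All domains the bots would try from `start` for the next few days."""
    watch = set()
    for offset in range(lookahead_days):
        watch.update(predict_domains(start + timedelta(days=offset)))
    return watch


def find_infected_clients(log_lines, start: date, lookahead_days: int = 3):
    """Scan resolver log lines of the form
       '<timestamp> <client-ip> <qtype> <qname>'
    and return {client_ip: {queried predicted domains}}."""
    watch = build_watchlist(start, lookahead_days)
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts[1], parts[3].rstrip(".").lower()
        if qname in watch:
            hits.setdefault(client, set()).add(qname)
    return hits


# Constructed sample resolver log: one client (10.0.0.5) looks up two
# predicted domains on consecutive days; the others only query normal names.
SAMPLE_DAY = date(2008, 11, 26)
SAMPLE_LOG = [
    f"2008-11-26T10:01:02 10.0.0.5 A {predict_domains(SAMPLE_DAY)[0]}",
    "2008-11-26T10:01:05 10.0.0.7 A www.example.com",
    f"2008-11-27T08:00:00 10.0.0.5 A {predict_domains(SAMPLE_DAY + timedelta(days=1))[2]}",
    "2008-11-26T11:00:00 10.0.0.9 A mail.example.net",
    "garbage line",
]

if __name__ == "__main__":
    for client, names in find_infected_clients(SAMPLE_LOG, SAMPLE_DAY).items():
        print(client, "queried predicted controller domains:", sorted(names))
```

The same watchlist could feed a resolver sinkhole (answer those names locally instead of letting the bots reach a real controller), which is a detection-and-containment step that costs nothing per domain, in contrast to registering each one.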
This approach isn’t feasible, because every domain that has to be bought costs money. What would be a better approach? Since FireEye in this case has significant information about the clients infected with Srizbi, I was wondering whether making that information public would be useful. Of course, once such information is out, it might make those machines more vulnerable. So would it make sense to share it only with organizations in the business of anti-virus, malware detection and the like, so that they could do a much better job? For example, there doesn’t seem to be a central repository for information such as virus dictionaries. That might run against those organizations’ business models, but I can imagine a lot of obvious ways in which this approach could be very rewarding.