Srizbi Spam Botnet goes offline again!
On November 26, 2008, I wrote an article concerning the "Srizbi" Botnet coming back to life, following the shutdown of its Command-and-Control (C&C) servers at McColo, Inc. This happened because the Russian criminals running the Srizbi Botnet (thought to number over 450,000 PCs) were able to lease servers from a web hosting firm in Estonia, to which they uploaded the C&C software. Once these servers came online, the zombie computers making up the Botnet army were able to contact the servers and receive new instructions and spam templates. This resulted in a 10% increase in the volume of spam I saw last week, over the previous week (following the C&C servers at McColo being shut down).
Well, starting on Sunday night, November 30, 2008, I noticed another sudden decline in the amount of spam that was detected, classified and deleted by my spam filtering program, MailWasher Pro. This decline continues today, Monday, December 1, 2008. There is virtually no significant amount of spam arriving in any of my accounts. Being curious, I did a little investigating and learned that the people running the Estonian ISP Starline Web Services, which temporarily hosted the Command-and-Control servers for the Srizbi botnet, have cut off those servers. This followed complaints from Estonia's Computer Emergency Response Team (CERT) and threats of total disconnection by the companies that supply the Internet IP connections to that ISP, and others in Estonia.
Note that the ISP that was temporarily hosting the Srizbi C&C machines gets its IP addresses and Internet connectivity from a hosting company named Compic, which is known to CERT as a company that has been friendly to criminals who host malware on their websites. Many complaints have been filed with Compic concerning illegal activities by their customers, conducted on their servers and those of their downstream resellers.
Most of my readers are more concerned about repelling spam, than tracing it. I have written many articles offering filtering solutions involving MailWasher Pro, as well as website email filters that can be applied by people whose websites are hosted on cPanel control panels and Linux/Apache based servers. Just look in my recent posts links, in the right sidebar, or search this blog for the keywords "spam filters." But I seem to have overlooked one area of this spam-demic that deserves mentioning now. That area is your own computers and what unknown spam applications and scripts may be running on them.
The question every computer owner should be asking themselves, or their IT personnel, is: "Am I Botted?" What I mean by this is that every computer owner needs to scan for the presence of Bot infections on their PCs. Any operating system can become invaded by a Bot infection, either as an invisible rootkit or a visible process. Each OS will have tools available to its administrators to test for the presence of hostile applications (e.g. Snort). However, the rest of this article and the recommendations in it are meant for Windows based computer owners.
If you are using a Windows based computer you are the primary target for Botnet infectors! Hello! Accept this fact and learn to deal with it in a proactive way. Assume that "they" are out to get you, because it is a fact that a large percentage of Windows computers contain unpatched vulnerabilities that are relatively easily exploited. These vulnerabilities may have already had patches released by Microsoft, or the writers of third party software that is exploitable, but you may not have applied all of the available patches and updates. Therefore, the first thing any Windows computer owner should do is to visit Windows Updates, via Internet Explorer's menu item: Tools > Windows Update, or using the Start Menu Windows Update link. Click the Express button and let Microsoft search for all applicable security updates for your PC, then install every single one of them. Reboot as instructed, then go back to Windows Update and repeat the process, until there are no more critical or important updates listed.
All versions of Windows Vista contain a two-way firewall that should block unauthorized incoming connection attempts and alert you to unauthorized outgoing connection attempts. Windows XP, starting with Service Pack 2, turns on the built-in Windows Firewall, but it only protects against incoming connection attempts. Make sure that your Windows Firewall is not disabled, unless you are using a third party security application that has a two-way firewall. Running a PC without a working firewall is like leaving the doors to your house open during an ongoing home invasion crime spree. A thinking person would install security door locks during such times of criminal activity. If you don't have the Windows Firewall running, make sure a third party firewall is fully operational!
With a firewall in place you are protected against hostile attacks coming in "over the wires," such as TCP and UDP vulnerability probes that try to connect to open "ports" on your computer. A good firewall blocks unwanted connection attempts.
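The two checks above ("Am I Botted?" and whether your firewall actually watches outbound traffic) can be scripted on a current Windows PC. This is an added example, not something from the original post or from Trend Micro; it assumes the NetSecurity and NetTCPIP PowerShell modules (Windows 8 / Server 2012 and later) and an elevated prompt, and the "5 distinct hosts" threshold is an assumed value, not a documented one.

```powershell
# Added example (not from the original post): quick "Am I Botted?" triage
# for a modern Windows host. Assumes the NetSecurity and NetTCPIP modules
# (Windows 8 / Server 2012 and later); run from an elevated PowerShell prompt.

# 1. Firewall posture per profile. Even on current Windows the default
#    outbound action is normally Allow, so a bot's C&C call-outs and spam
#    runs are not blocked unless you add explicit outbound rules.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Outbound SMTP activity. A home PC normally talks to one or two mail
#    servers; many distinct remote hosts on TCP port 25 is a spam-bot sign.
$smtp = Get-NetTCPConnection -RemotePort 25 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Established', 'SynSent' }

foreach ($g in ($smtp | Group-Object OwningProcess)) {
    $proc  = Get-Process -Id $g.Name -ErrorAction SilentlyContinue
    $hosts = ($g.Group.RemoteAddress | Sort-Object -Unique).Count
    [pscustomobject]@{
        Process       = if ($proc) { $proc.ProcessName } else { 'unknown' }
        PID           = $g.Name
        Connections   = $g.Count
        DistinctHosts = $hosts
        Suspicious    = ($hosts -ge 5)   # assumed threshold; tune for your PC
    }
}
```

A process you do not recognise that is flagged Suspicious is exactly the evidence RUBotted or HouseCall should then be pointed at; a mail client or a known mail relay talking to a single server is normal.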
Your next concern should be to make sure you are protecting your computer against downloaded malware threats. This is taken care of by anti-spyware and anti-virus programs that contain "resident" protection components. There are a lot of well known anti-virus and anti-spyware programs available from this website (see my ads) and others, or even at your local department stores selling computer software. However, having tested, or received input from others who tested, the various Internet security "suites," I can unhesitatingly recommend Trend Micro Internet Security to you. Formerly known as PC-cillin, this security suite detects, removes and protects against viruses, spyware, keyloggers, rootkits, Trojans, Bots and hostile code on compromised web pages. The 2009 version has moved the latest detection definitions and databases to secure servers owned by Trend Micro. They call this "in-the-cloud security." This reduces the load it places on your computer by keeping a smaller definitions database on your PC and then reaching out to the Cloud servers to see if a file or web page is in their constantly updated list of known infections or hostile pages.
Trend Micro Internet Security is a commercial application, as well it should be. The company employs lots of real people in several countries, with families to feed, and they work day and night to detect and analyze new threats to your security and rush out definition updates to the Cloud. But you can try the program for free for a month! Hopefully, it works as well for you as it does for me and most of my friends.
If you can't afford to pay for security protection for your computer, there is a free downloadable application offered by Trend Micro, called RUBotted. It runs on Windows 2000 and newer computers, in your System Tray area (by the clock). RUBotted is a simple program whose only job is to look for evidence of a possible Bot infection running on the PC on which it is installed. It will flash and alert you if such an infection is detected, or suspected. You will be given the option of visiting the free Trend Micro "HouseCall" malware scanner service, which can not only detect, but also remove most malware it finds. If it can't remove the malware you will be given the option to download a trial version of Trend Micro Internet Security, which will get the job done!
By applying suitable computer security applications you can prevent your computers from inadvertently becoming members of the Srizbi or another Botnet. The computers in these Botnets are the senders of most of the World's spam. They also host most of the landing pages for fake pharmacies (like the fake Canadian Pharmacy), or host hostile executable downloads, or exploit code, used to force other visitors to join the same Botnet. By keeping your computers free of Bot infections you are contributing to the fight against spam and scammers.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.