The shutdown of the McColo Corporation left hundreds of thousands of Bots without a Command and Control server to which to connect. The research team here at HQ decided to look into the fallback mechanism that one of the top Botnets, Srizbi, employed. We assumed that there was a contingency plan that was enacted once the primacy C&C was down for an extended period of time. It appears we were correct in this assumption, but we were shocked, to say the very least, at the implementation. This is part 1 of an N part series about Botnet fallback channels.
If I ran a Botnet, I would realize that lost communication with my Bots means lost dollars. Because of this, I would have contingency plans from A to ZZ. Srizbi has the dumbest and perhaps most immature fallback plan I could ever have imagined.
Before I go into the (simple) details, let’s think of some fallback channels that would be sophisticated and resilient against an outage.
- Fallback C&C IPs on servers you controlled
- Fallback C&C domains that you controlled
- Direct download of a new binary from a list of URLs
- A secondary protocol that looks nothing like the normal C&C communication
- A new template that contained instructions on what to do if the main C&C is down
- A secondary service unrelated to the Botnet (like Exchanger) that does the dropping/downloading of an updated Botnet binary for you
Srizbi, oddly, did none of these. Its fallback plan, should McColo every go down, was to try to communicate with a C&C from a list of 4 hard coded domains. These 4 domains appear to different for most of the samples that we observed. This normally wouldn’t have been the worst idea in the world, but this plan is generally contingent on the fact that you actually register the domains first. This is not what Srizbi did.
Let me repeat that - Srizbi has 4 hard coded .com domains in it that the author did not register before he put out the binary. This is another example of the arrogance the Bot owners are showing these days. First they were all using IPs in the same floor of the same building, and next they add fallback domains that they didn’t even register yet? As Jay Leno would say, “I love stupid criminals”.
In the coming days, FireEye will be contacting the owners of the over 100,000 infected IPs we’ve discovered thus far either by email, phone, or by a specialty channel, such as our good friends at the REN-ISAC in the case of US Higher Education institutions. Bear in mind that this number will grow, and it is likely significantly higher due to things like NAT. We will also be providing removal instructions and more technical detail about the possible data losses from Srizbi. We will not be publishing this infected IP list, but will provide it to interested media members with a standard NDA.
We will be publishing more technical details of how this occurred in Part 2, tomorrow
Alex Lanstein, Atif Mushtaq, Julia Wolf @ FireEye Malware Intelligence Labs
Comments/Questions to fgong@fireeye.com
While it’s good news that they did get shut down, one really has to wonder how they could’ve operated within the US for YEARS with that sort of activity going on inside.
Things are not quite adding up.
Global Crossing and Hurricane Electric couldn’t have possibly been unaware of this. I have a hard time believing the FBI was unaware of them either.