Tag Archives: Srizbi
This post will dive into the algorithm by which Srizbi decides which domain name to contact on a given day.
100,000+ Srizbi IPs detected in 24 hours, Part 1
The shutdown of the McColo Corporation left hundreds of thousands of Bots without a Command and Control server to connect to. The research team here at HQ decided to look into the fallback mechanism that one of the top Botnets, Srizbi, employs. We assumed there was a contingency plan that would be enacted once the primary C&C had been down for an extended period of time. It appears we were correct in this assumption, but we were shocked, to say the very least, at the implementation. This is part 1 of an N-part series about Botnet fallback channels.
Srizbi actively stealing data
Srizbi and the other top Botnets are currently used mainly to send spam; it is very infrequent that we see these Bots doing anything *but* spamming. That is changing: we have recently seen Srizbi go beyond regular spam and get involved in information stealing.
Srizbi and Rustock: Family Feud or Sibling Rivalry? Part II
FireEye recently dove into the world of spam email Botnets to further strengthen our belief that Botnets like Srizbi, Pushdo, and Rustock, although they have completely different C&C architectures, are operated by the same group.
This time around, we looked at the servers that control these Botnets and at spam created by live Bots in our lab. As part of this investigation, we analyzed multiple malware samples from these Botnets in both our virtual and physical lab environments to extract the relevant C&C locations. When we compared the C&C IPs used by the three Botnets, we were surprised to see that all three were using servers in the same colocation facility, and that this facility was fairly well known (a quick Google search suffices) to have been used for malicious activities in the past.
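The comparison described above, C&C addresses extracted per Botnet and then checked for shared hosting, is the kind of infrastructure-overlap analysis that is easy to automate. The following is an added example, not FireEye's code: it aggregates each Botnet's C&C IPs to network prefixes and reports the prefixes that host C&Cs for more than one Botnet. The IP lists and the prefix-to-facility mapping are constructed from RFC 5737 documentation ranges and stand in for the real addresses and the whois/ASN lookup, neither of which the post gives.

```python
"""Infrastructure-overlap check across botnet C&C IP lists.

Added example (not FireEye's code). Given per-botnet lists of C&C IPs,
aggregate them to network prefixes and report prefixes shared by two or
more botnets. All addresses below are constructed from RFC 5737
documentation ranges; they are not real C&C addresses.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for extracted C&C addresses.
CNC_IPS = {
    "Srizbi": ["192.0.2.10", "192.0.2.77", "198.51.100.5"],
    "Pushdo": ["192.0.2.130", "203.0.113.9"],
    "Rustock": ["192.0.2.201", "198.51.100.200"],
}

# Constructed prefix-to-facility mapping standing in for a whois/ASN lookup.
FACILITY_BY_PREFIX = {
    ip_network("192.0.2.0/24"): "Colo-A (constructed)",
    ip_network("198.51.100.0/24"): "Colo-B (constructed)",
    ip_network("203.0.113.0/24"): "Colo-C (constructed)",
}


def shared_prefixes(cnc_ips, prefix_len=24):
    """Group C&C IPs into /prefix_len networks and return only the networks
    (as strings) that host C&Cs for two or more botnets, with the sorted
    list of botnet names for each."""
    by_prefix = defaultdict(set)
    for botnet, ips in cnc_ips.items():
        for ip in ips:
            net = ip_network(f"{ip_address(ip)}/{prefix_len}", strict=False)
            by_prefix[str(net)].add(botnet)
    return {net: sorted(bots) for net, bots in by_prefix.items() if len(bots) > 1}


def facility_for(prefix, facility_by_prefix=FACILITY_BY_PREFIX):
    """Return the facility whose known prefix contains `prefix`, else 'unknown'."""
    net = ip_network(prefix)
    for known, name in facility_by_prefix.items():
        if net.subnet_of(known):
            return name
    return "unknown"


def report(cnc_ips=CNC_IPS, prefix_len=24):
    """One line per shared prefix: '<prefix>  <facility>  <botnets>',
    ordered by network address."""
    shared = shared_prefixes(cnc_ips, prefix_len)
    lines = []
    for prefix in sorted(shared, key=lambda p: ip_network(p).network_address):
        lines.append(f"{prefix}  {facility_for(prefix)}  {', '.join(shared[prefix])}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the constructed data, two prefixes come out as shared (all three Botnets in Colo-A, Srizbi and Rustock in Colo-B) while Colo-C, used only by Pushdo, is filtered out. In practice the prefix length should follow the actual allocation boundaries from whois or BGP data rather than a fixed /24, since a colocation facility's address space is rarely a single class C.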





