Spam Levels To Rise With Botnet Revival
The Srizbi botnet, comprising more than half a million PCs, was deemed responsible for approximately 40 to 50 percent of the world's spam. Until recently, security experts believed that Srizbi was completely defunct after the botnet was knocked offline two weeks ago as part of a collaborative effort within the security community.
Now that Srizbi is partially revived, it is anticipated to spew out malicious content at alarming rates, experts say. According to MessageLabs, now part of Symantec, spam levels had only risen to 37 percent of what they were before Internet Service Provider McColo was disconnected by its upstream provider, Hurricane Electric, which cut ties with McColo because of its connection to some of the world's largest malicious botnets.
McColo's shutdown came shortly after the release of a scathing report by a group of notable security researchers and vendors lambasting McColo for hosting numerous Web sites known to cater to child pornography and malware.
Spam levels experienced a sharp drop -- anywhere from 60 to 80 percent -- in the weeks following McColo's takedown. However, experts say that spam levels are steadily returning to "normal" levels, rising to two thirds of what they were before the McColo shutdown as spammers reconnected with other providers.
Matt Sergeant, senior antispam technologist at MessageLabs, said that Srizbi's owners planned ahead in case its command and control servers were ever rendered inoperable. The malware authors partially revived the botnet: the bots had the McColo IP addresses hardcoded, and once those addresses were unreachable the authors regenerated the fallback domains that the infected machines had been programmed to visit. Those rescue domains have redirected tens of thousands of the original infected PCs to a new command and control center based in Estonia.
However, Sergeant said that while the rejuvenated Srizbi has not yet managed to reconnect all of the original PCs once incorporated in the botnet, the ones that have been refreshed will start spamming again immediately.
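The fallback described above, where bots that lose their hardcoded command and control addresses start generating and looking up rescue domains, leaves a footprint in resolver logs: one host suddenly querying many distinct, random-looking domains, most of which do not resolve because the operators have not registered them yet. The following detector is an added example, not code from the article or from MessageLabs; it assumes a constructed log format of "timestamp client_ip query_name response_code" and constructed sample lines, and the thresholds are illustrative.

```python
"""Flag hosts whose DNS lookups resemble a botnet's domain-regeneration fallback:
many distinct, non-resolving (NXDOMAIN), high-entropy domains inside a short window.
Assumed log format (constructed for this example): "<unix_ts> <client_ip> <qname> <rcode>".
"""
import math
from collections import defaultdict

# Constructed sample resolver log lines; 10.0.0.9 shows the rescue-domain pattern,
# 10.0.0.7 shows a single ordinary typo lookup that must not be flagged.
SAMPLE_LOG = """\
1227830400 10.0.0.5 www.example.com NOERROR
1227830401 10.0.0.5 mail.example.com NOERROR
1227830402 10.0.0.9 qxzkvprt.com NXDOMAIN
1227830403 10.0.0.9 mwlzqhtb.net NXDOMAIN
1227830404 10.0.0.9 plvxqzkr.com NXDOMAIN
1227830405 10.0.0.9 zkqtmvrw.org NXDOMAIN
1227830406 10.0.0.9 hrtqzxwl.com NXDOMAIN
1227830407 10.0.0.9 vbnqwzxt.net NXDOMAIN
1227830408 10.0.0.7 typo-of-exampel.com NXDOMAIN
1227830409 10.0.0.7 www.example.org NOERROR
"""


def shannon_entropy(label):
    """Bits of entropy per character of a label; machine-generated labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """The registrable label ('qxzkvprt' in 'qxzkvprt.com'), which a generator controls."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower(), rcode))
    return records


def flag_dga_like_hosts(records, window=60, min_nxdomain=5, min_entropy=2.5):
    """Return {client: sorted suspicious domains} for hosts that, within `window`
    seconds, looked up at least `min_nxdomain` distinct NXDOMAIN names whose
    registrable label has entropy >= `min_entropy` bits. Thresholds are assumptions."""
    per_host = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            per_host[client].append((ts, qname))

    flagged = {}
    for client, events in per_host.items():
        events.sort()
        # Slide a window over the host's failed lookups, oldest first.
        for i, (start_ts, _) in enumerate(events):
            domains = set()
            for ts, qname in events[i:]:
                if ts - start_ts > window:
                    break
                if shannon_entropy(second_level_label(qname)) >= min_entropy:
                    domains.add(qname)
            if len(domains) >= min_nxdomain:
                flagged[client] = sorted(domains)
                break
    return flagged


def detect_from_log(text):
    """Convenience wrapper: raw log text in, flagged hosts out."""
    return flag_dga_like_hosts(parse_log(text))


if __name__ == "__main__":
    for host, names in detect_from_log(SAMPLE_LOG).items():
        print(f"{host}: {len(names)} rescue-domain-like NXDOMAIN lookups, e.g. {names[:3]}")
```

Used against a real resolver log, the entropy and count thresholds need tuning per environment, since content delivery networks and short-lived tracking domains also produce odd-looking names; the point of the example is that the revival path the article describes is visible before the replacement command and control server ever answers, because the failed lookups precede it.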
"The expectation is that spam volumes will return to what they were in about a week or so," said Sergeant, adding that many of the other botnet owners hosted by McColo have already found alternate providers.
"Really Srizbi was the last one. And the most powerful. [Spam] volumes were well down simply because of that," he said.
Sergeant said that the lag between the initial decline and the current rise is attributable to the time it took the botnet owners to find a new provider and new bandwidth.
"It was only a matter of time," said Sergeant. "There's a lot of money involved for these guys."