If you thought you noticed a sharp drop in spam recently, you weren’t mistaken. When hosting service McColo was shut down, some big spam botnets found themselves without a home. But it’s set to creep back up again as the Srizbi botnet has found a new home.
The Washington Post, whose investigation helped take down McColo, says the Trojan that infects the machines in the Srizbi botnet includes a fallback: if its command-and-control servers go dark, each bot runs an algorithm that generates domain names that look random but are reproducible (the Srizbi scheme keys them to the current date), so bots and operators can meet at a freshly registered domain and the bots can check for updates. The catch for defenders is that anyone who recovers the algorithm can compute the same names and register them first, which is how a security firm had been holding the botnet in check.
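To make the mechanism concrete, here is an illustrative domain-generation algorithm (DGA) of the kind described above, together with the defender's and the bot's view of it. This is an added example written for this page; it is not Srizbi's code, and the seed, hash, TLD list, names-per-day and sample dates are assumptions chosen for illustration.

```python
"""Illustrative date-keyed DGA: not Srizbi's algorithm, parameters assumed."""
import hashlib
from datetime import date, timedelta

# Assumed parameters: none of these values come from Srizbi or the article.
SEED = b"illustrative-dga-seed"
TLDS = ("com", "net", "info")
DOMAINS_PER_DAY = 4
LABEL_LEN = 12

# Constructed sample dates for the demonstration below.
SAMPLE_DAY = date(2008, 11, 25)
NEXT_DAY = SAMPLE_DAY + timedelta(days=1)


def generate_domains(day, seed=SEED, count=DOMAINS_PER_DAY):
    """Return the `count` rendezvous domains for calendar date `day`.

    The names look random but depend only on the date, an index and a fixed
    seed, so every bot computes the same list offline and needs no
    hard-coded server address.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append("%s.%s" % (label, tld))
    return domains


def rendezvous_schedule(start, days, seed=SEED):
    """Defender's view: with the algorithm recovered, every name the bots
    will try over the next `days` days can be listed and registered (or
    sinkholed) ahead of time. Returns {date: [domains]}."""
    schedule = {}
    for n in range(days):
        day = start + timedelta(days=n)
        schedule[day] = generate_domains(day, seed)
    return schedule


def bot_find_controller(day, registered, seed=SEED):
    """Bot's view: try the day's names in order and return (domain, owner)
    for the first one that resolves, or None if nobody registered any.
    `registered` stands in for DNS: a dict of domain -> who registered it."""
    for domain in generate_domains(day, seed):
        if domain in registered:
            return domain, registered[domain]
    return None


if __name__ == "__main__":
    names = generate_domains(SAMPLE_DAY)
    # Defender holds the first name of the day: bots land in the sinkhole.
    print(bot_find_controller(SAMPLE_DAY, {names[0]: "sinkhole"}))
    # Operator registers an earlier-tried name than the defender: operator wins.
    print(bot_find_controller(SAMPLE_DAY, {names[0]: "operator", names[1]: "sinkhole"}))
    # Defender has to keep paying for every name on every day to stay in control.
    print(sum(len(v) for v in rendezvous_schedule(SAMPLE_DAY, 30).values()), "names for 30 days")
```

The point the example makes is that control of such a botnet is a registration race: whoever holds the earliest name a bot tries on a given day gets that day's check-ins, so a defender who wants to keep the bots must register every generated name for every future day, and the cost grows with names-per-day times days held. Letting that lapse for even one day is enough for the operators to retake the botnet with a single registration.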
And now that’s beginning to happen, according to security company FireEye. In a blog post the company wrote:
“Srizbi has returned from the dead and has begun updating all its Bots with a fresh, new binary. The worldwide update began just a few hours ago. The new Command and Control servers are located in Estonia, and the domains registered through a registrar in Russia.…In the coming days, many journalists and researchers will ask themselves: "How is it possible that the largest Botnet in the world was allowed to update itself, when a security firm had near complete control over it?" This is an interesting angle that we’ll be exploring once all the technical facts are out on the table.”