Estonian ISP cuts off control servers for Srizbi botnet

An Estonian ISP that temporarily hosted the control servers for a botnet responsible for a large portion of the world's spam has cut off those servers.

An Estonian ISP that temporarily hosted the command-and-control servers for the Srizbi botnet, responsible for a large portion of the world's spam, has cut off those servers, according to computer security analysts.

Starline Web Services, based in Estonia's capital Tallinn, had hosted four domain names identified as the control points for Srizbi, according to researchers from computer security firm FireEye.

Hundreds of thousands of PCs around the world infected with Srizbi, a difficult-to-remove rootkit that is used for sending spam, were programmed to seek new instructions from servers in those domains.

Srizbi is considered one of the more powerful botnets, with at least 450,000 PCs infected. It is estimated that half of the world's spam originated from computers infected with Srizbi. Spam remains a profitable business for cybercriminals.

But spammers lost control of Srizbi when the ISP that previously hosted its command-and-control servers was cut off from the Internet. McColo, whose servers are based in San Jose, California, was cut off by its upstream providers earlier this month after being exposed by computer security experts and the Washington Post.

That left spammers unable to control Srizbi-infected computers. But Srizbi's code contained a fallback mechanism where spammers could reconnect with the stranded machines if such a scenario occurred.

An algorithm within Srizbi would periodically generate new domain names where the malware would look for new instructions if those domains were live on the Internet. Armed with that same algorithm, the spammers had only to register the appropriate domain names and point them to their servers.

The spammers, however, needed a new ISP to host those servers, at least for a while. They found Starline Web Services, a very small ISP, but that provider has since also cut them off.

"I was satisfied that those sites were closed down," said Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team (CERT), on Thursday.

Attempts to contact Starline Web Services were unsuccessful. But Aarelaid said CERT has been in contact with the company, and it does appear to be responsive to complaints about abuse.

Starline Web Services buys its connectivity from Compic, another Estonian company. Compic has been flagged by Estonia's CERT as having Web sites hosting malicious software, said Tarmo Randel, an information security expert at the organization.

Randel said CERT has "constantly" notified Compic about malware they've hosted. Compic will take action to remove the sites depending "on how loud we scream," Randel said. Compic usually reacts fast when CERT sends a complaint e-mail -- and copies the Estonian Criminal Police, Randel said.

On Thursday, Compic's upstream provider, Linxtelecom, sent an e-mail to the Estonian ISP community that said they are planning to cut off Compic, Randal said.

Linxtelecom sells IP transit services that connect local ISPs and telecommunications operators with larger data carriers. Linxtelecom said in the e-mail that 99 percent of the complaints that it receives over abuse are related to Compic, Randel said.

A Linxtelecom official said he did not know about the e-mail. Compic does respond to complaints within two days or so, but Linxtelecom in the past cut off connectivity to Web sites hosted by Compic after complaints, the official said.

Computer security experts say there are a handful of ISPs and domain name registrars that work closely with cybercriminals to support spam operations, Web sites that sell fake software and other scams.

The operations are difficult to stop due to their international nature, the speed with which cybercriminals react to shutdowns and the lack of law enforcement resources or interest.

McColo's shutdown came after research was published which showed the extent to which the company was involved in the criminal underground.

Similarly, another noted bad ISP -- known as Atrivo or Intercage -- was cut off by its upstream providers in September as a result of mounting pressure from the computer security community.

"With the recent cases of McColo and Atrivo/Intercage taken off the Internet, it will be easier in the future to put more pressure on other known hosters of badware to take action or go offline," said Toralv Dirro, security strategist for McAfee's Avert Labs, on Thurday.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags botnets

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?