
Could it be true? Srizbi and Rustock, the two botnets to blame for the increasingly large amount of spam attacks taking place, are not rivals but are in fact siblings! It was found that the two botnets share the same approach to spreading malware.
Apparently both botnets use the same type of malware, Trojan.Exchanger, which arrives with illegitimate e-mails. Such e-mails intrigue users with adverts, shocking news headlines and the like, seducing them to click on links that, once clicked, make the user's computer part of a botnet.
According to Fengmin Gong, chief security content officer for anti-botnet software firm FireEye, the first time they noticed this connection between the botnets they were truly surprised. FireEye researchers also speculated that the two botnets are run by one operator, most likely the Russian Business Network, but that theory is not conclusive at this point.
According to the FireEye research team it is pretty clear that Srizbi and Rustock are using the same Internet Service Provider. In some cases they also use IPs on neighbouring subnets to host their Command and Control servers, and Command and Control servers sharing LANs is very unusual. The research team came to the conclusion that the botnets are either operated by the same organization or McColo (the datacenter) is a shell corporation in the business of leasing out bandwidth and IP space for malevolent deeds.
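The kind of infrastructure-overlap check the researchers describe (two indicator sets landing on the same subnets) is easy to reproduce with public indicator lists. The following is an added example, not code from the article or from FireEye; the C&C addresses are constructed from RFC 5737 documentation ranges and are not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed sample C&C addresses (RFC 5737 documentation ranges), not real indicators.
SRIZBI_CC = ["192.0.2.10", "192.0.2.44", "198.51.100.7"]
RUSTOCK_CC = ["192.0.2.200", "203.0.113.5", "198.51.100.130"]


def subnets_of(addrs, prefix=24):
    """Group addresses by the /prefix network that contains them."""
    buckets = defaultdict(set)
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        buckets[net].add(ipaddress.ip_address(a))
    return buckets


def shared_subnets(a, b, prefix=24):
    """Return the /prefix networks (as strings) that host addresses from both sets.

    A /24 hit means both botnets have a C&C host on the same LAN-sized block;
    widening to /16 approximates 'same provider allocation'.
    """
    common = set(subnets_of(a, prefix)) & set(subnets_of(b, prefix))
    return [str(n) for n in sorted(common)]


def overlap_fraction(a, b, prefix=24):
    """Fraction of b's addresses that sit in a subnet also used by a."""
    if not b:
        return 0.0
    a_nets = set(subnets_of(a, prefix))
    hits = sum(
        1 for x in b
        if ipaddress.ip_network(f"{x}/{prefix}", strict=False) in a_nets
    )
    return hits / len(b)


if __name__ == "__main__":
    for p in (24, 16):
        print(f"/{p} overlap:", shared_subnets(SRIZBI_CC, RUSTOCK_CC, p))
    print("share of Rustock C&Cs on Srizbi subnets:",
          round(overlap_fraction(SRIZBI_CC, RUSTOCK_CC), 2))
```

On the constructed input two of the three Rustock addresses fall into /24s already used by Srizbi, which is the sort of signal that prompts the "same operator or same accommodating host" question raised in the article; on its own it does not settle that question, since a single bulletproof hosting provider can serve unrelated customers.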
The director of security research for SecureWorks, Joe Stewart, stated that the Srizbi-Rustock connection is probably just a case of spammers using both zombie networks and not that the controllers of the different botnets are actually in cahoots with each other.
With Rustock bots sending out mail that basically infects PCs with Srizbi, people tend to believe that Srizbi is the one sending the mail, but it's not. People must understand that Srizbi is rented out to lots of different spammers, so anyone can use it to infect PCs.
Whether spammers are trying to diversify their spam operations across different botnets, trying to stay off the radar by sending malware from different botnets to confuse researchers, or some sort of sharing deal has taken place between the bot herders and their spammer customers, all agree that Srizbi and Rustock are still two separate networks of bots with distinct command and control infrastructures.