[ISN] Srizbi botnet flounders after McColo shutdown

From: InfoSec News <alerts_at_private>
Date: Wed, 19 Nov 2008 01:12:19 -0600 (CST)
http://www.techworld.com/security/news/index.cfm?newsID=107278

By John E. Dunn
Techworld
18 November 2008

Large numbers of infected computers have been searching in vain for the 
Srizbi botnet disrupted by the disconnection of ISP McColo a week ago, a 
security vendor has found.

According to FireEye Security, the company has detected a total of 
450,000 compromised IP addresses have been trying to connect to 
Sribzi-controlled command and control computers that would have been 
hosted by McColo until it disappeared.

The company identifies Srizbi by monitoring computers that attempt to 
connect to IP addresses 75.127.68.122 or 64.22.92.154 from November 12 
onwards, and recommends that admins check firewall logs to trace http 
traffic opening ports to these locations.

The majority of infected PCs will likely be poorly-protected consumer 
PCs, but in principle an IP connection attempts can come from any PC, 
servers included. If infected PCs are located on a network, the company 
cautions that cleaning a system might not be straightforward.

[...]


______________________________________________      
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org 
Received on Tue Nov 18 2008 - 23:12:19 PST

This archive was generated by hypermail 2.2.0 : Tue Nov 18 2008 - 23:20:43 PST