[ISN] Orphaned Bots Not Necessarily Free Or Clean

From: InfoSec News <alerts_at_private>
Date: Fri, 21 Nov 2008 02:21:30 -0600 (CST)

By Kelly Jackson Higgins
Nov 20, 2008

It has been a week since a half-million bot-infected machines were 
suddenly freed from their "master" botnet servers after ISPs pulled the 
plug on the illicit McColo hosting service. So now what happens to those 
orphaned bot machines?

Researchers have spotted these errant bots over the past week attempting 
to phone home to their former command and control (C&C) servers. While 
the industry continues to celebrate a nearly 70 percent nosedive (albeit 
temporary) in spam volume without McColo to host the world's biggest 
spamming botnets anymore, these orphaned bots are still at risk -- and 
possibly still spewing spam, security experts say.

"They are probably already infected with multiple things. You hardly 
ever find just one bot on these computers," says Joe Stewart, director 
of malware research for SecureWorks. "You may find three or four 
different spam bots on the same machine. And who knows what else -- 
password stealers and other rogue ware."

Many of these bots -- which were members of the world's most prolific 
spam botnets, Srizbi, Mega-D, and Rustock "--are likely still spamming 
away for other botnets, or even possibly other servers on the big three 
that weren't hosted on McColo, security experts say.


Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
Received on Fri Nov 21 2008 - 00:21:30 PST

This archive was generated by hypermail 2.2.0 : Fri Nov 21 2008 - 00:31:57 PST