[ISN] Srizbi botnet flounders after McColo shutdown
InfoSec News
alerts at infosecnews.org
Wed Nov 19 01:12:19 CST 2008
http://www.techworld.com/security/news/index.cfm?newsID=107278
By John E. Dunn
Techworld
18 November 2008
Large numbers of infected computers have been searching in vain for the
Srizbi botnet disrupted by the disconnection of ISP McColo a week ago, a
security vendor has found.
According to FireEye Security, the company has detected a total of
450,000 compromised IP addresses that have been trying to connect to
Srizbi-controlled command and control computers that would have been
hosted by McColo until it disappeared.
The company identifies Srizbi by monitoring computers that attempt to
connect to IP addresses 75.127.68.122 or 64.22.92.154 from November 12
onwards, and recommends that admins check firewall logs to trace HTTP
traffic opening ports to these locations.
The majority of infected PCs will likely be poorly-protected consumer
PCs, but in principle IP connection attempts can come from any PC,
servers included. If infected PCs are located on a network, the company
cautions that cleaning a system might not be straightforward.
[...]
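
The firewall-log check described in the article, as an added example that is not part of the original article or FireEye's tooling. It assumes syslog-style lines with iptables-like SRC=/DST=/DPT= fields and a log written in 2008; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two addresses and the start date named in the article.
SRIZBI_C2 = {"75.127.68.122", "64.22.92.154"}
START = datetime(2008, 11, 12)

# Assumed log format: syslog timestamp (no year) plus iptables-style fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}).*?\bSRC=(?P<src>\S+)\s.*?\bDST=(?P<dst>\S+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)

# Constructed sample log; sources are private addresses on a made-up network.
SAMPLE_LOG = """\
Nov 11 23:59:10 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=75.127.68.122 PROTO=TCP SPT=1040 DPT=80
Nov 13 02:14:07 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=75.127.68.122 PROTO=TCP SPT=1044 DPT=80
Nov 13 02:14:37 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=64.22.92.154 PROTO=TCP SPT=1045 DPT=80
Nov 13 09:30:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=2210 DPT=80
Nov 14 11:02:55 fw kernel: IN=eth2 OUT=eth0 SRC=10.0.5.8 DST=64.22.92.154 PROTO=TCP SPT=4312 DPT=80
"""

def find_srizbi_callers(log_text, year=2008):
    """Return {source_ip: summary} for hosts contacting the listed addresses."""
    hits = defaultdict(
        lambda: {"attempts": 0, "first": None, "last": None, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Compare the whole DST field, not a substring, to avoid near-misses.
        if not m or m["dst"] not in SRIZBI_C2:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if when < START:  # the article's window starts on November 12
            continue
        h = hits[m["src"]]
        h["attempts"] += 1
        h["first"] = min(h["first"] or when, when)
        h["last"] = max(h["last"] or when, when)
        h["dsts"].add(f"{m['dst']}:{m['dpt'] or '?'}")
    return dict(hits)

if __name__ == "__main__":
    for src, h in sorted(find_srizbi_callers(SAMPLE_LOG).items()):
        print(f"{src}: {h['attempts']} attempt(s), {h['first']} to {h['last']}, "
              f"destinations {sorted(h['dsts'])}")
```

Each source address it reports is an internal host to isolate and examine, whether it is a desktop or a server.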