Network Security & Hardware - eWeek

Network Security & Hardware: The Rise and Fall of the Srizbi Botnet


In its heyday, the Srizbi botnet was arguably the largest botnet in the world. At one point in charge of an army of infected computers numbering some 450,000, the botnet was at the top of the food chain when it came to spam capacity. But following the shutdown of McColo in November 2008, Srizbi was crippled, paving the way for other botnets to rise in its place.

Courtesy of Cisco Systems, eWEEK is taking a look at the rise and fall of Srizbi, and what the botnet's controllers may now be doing to evade security vendors.

  • Birth of a Botnet

    The first reports of the botnet surfaced in 2007. Srizbi spread through a Trojan deployed by various malware toolkits, most notably MPack. The botnet would spam out messages containing malicious links that would lead to the malware kit. MPack was also known to spread via compromised Websites.

  • The Reactor Mailer

    Pictured here is Reactor Mailer, a Python-based program used to coordinate the spam blasted out by individual bots. Access to the program was sold by Elphisoft as a software-as-a-service offering. The program has reportedly existed since 2004.

  • Botnet Blasting Spam

    According to Cisco, at its height, Srizbi could send out more than 100 billion spam messages a day. One of the most well-known spam campaigns tied to Srizbi is the so-called "Ron Paul Incident," where the botnet blasted out e-mails promoting a run for president by the Texas congressman.

  • The Fall of Srizbi

    After a combination of investigative reporting by the Washington Post and the efforts of the security community, the notorious Web hosting firm McColo is shut down. Spam plummets. Srizbi, as the diagram shows, starts to make a small comeback, but is stopped dead in its tracks courtesy of an update to Microsoft's Malicious Software Removal Tool (MSRT).

  • There's Dead, and Then There's Dead

    Even though the botnet is on its deathbed, the minds behind it are reportedly still hard at work trying to infect new victims. According to Cisco, the same operators are now in control of the Xarvester botnet, which controls about 100,000 hosts. Though considered two separate botnets, they share common nodes, and the Reactor Mailer front end is common to both.
