Researchers at FireEye have discovered that Srizbi has begun updating all of its bots via its new command servers, located in Estonia. New domains linked to the botnet have been found as well, registered in Russia.
Here’s an excerpt from FireEye’s report:
As has been publicized, Srizbi had a mechanism to dynamically generate the C&C to which it would communicate based on a seed (magic number) in the binary, and a variation of the Julian date of the infected host. Our next post will go into the technical details of this algorithm. This dynamic DNS generation mechanism was the main reason why they were able to regain control, even though the primary IP, hosted at McColo, was and is still not routable. As soon as we stopped registering domain names, the Botnet owner swooped in and began registering domains, as he was able to predict which would be in use today.
As of now, the spam being sent by the revived Botnet is only targeting Russian addresses, but expect Srizbi to begin reaching out to the rest of the world in short order.
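To make the predictability described above concrete, here is an added illustration (it is not Srizbi's actual algorithm, which this post does not give, nor FireEye's code): a hypothetical generator that derives each day's candidate domains from a constant seed and the day's Julian Day Number, so that whoever holds the seed, operator or defender, can compute the same list in advance, pre-register or blocklist it, and match resolver logs against it. The seed value and the log lines are constructed placeholders.

```python
import hashlib
from datetime import date, timedelta

# HYPOTHETICAL stand-in for the real Srizbi DGA (not given on this page):
# a constant "magic number" seed plus the Julian Day Number of the date
# feed a hash whose bytes are mapped to letters.
SEED = 0x1F2E3D4C            # constructed placeholder, not a real Srizbi value
TLDS = ("com", "net", "info")
START = date(2008, 11, 25)   # constructed demo date

def julian_day_number(d: date) -> int:
    """Julian Day Number of a Gregorian calendar date (standard formula)."""
    a = (14 - d.month) // 12
    y = d.year + 4800 - a
    m = d.month + 12 * a - 3
    return d.day + (153 * m + 2) // 5 + 365 * y + y // 4 - y // 100 + y // 400 - 32045

def generate_domains(seed: int, d: date, count: int = 3) -> list[str]:
    """Derive `count` candidate C&C domains for one day from (seed, Julian date)."""
    jdn = julian_day_number(d)
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{jdn}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return out

def blocklist(seed: int, start: date, days: int) -> set[str]:
    """Defender view: every domain the bots will try over the next `days` days."""
    names = set()
    for k in range(days):
        names.update(generate_domains(seed, start + timedelta(days=k)))
    return names

def flag_dns_queries(log_lines, known: set[str]) -> list[str]:
    """Return the queried names (last field of each constructed resolver log
    line) that appear in the pre-computed blocklist."""
    hits = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".").lower()
        if qname in known:
            hits.append(qname)
    return hits

if __name__ == "__main__":
    for name in sorted(blocklist(SEED, START, 7)):
        print(name)   # candidate names to sinkhole or block for the coming week
```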
Source: http://www.allspammedup.com/2008/11/spam-levels-likely-to-rise-as-srizbi-botnet-comes-back-to-life/