






From: InfoSec News <alerts_at_private>




Date: Fri, 21 Nov 2008 02:21:30 -0600 (CST)






http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212101163



By Kelly Jackson Higgins

DarkReading

Nov 20, 2008



It has been a week since a half-million bot-infected machines were
suddenly freed from their "master" botnet servers after ISPs pulled the
plug on the illicit McColo hosting service. So now what happens to those
orphaned bot machines?



Researchers have spotted these errant bots over the past week attempting
to phone home to their former command and control (C&C) servers. While
the industry continues to celebrate a nearly 70 percent nosedive (albeit
temporary) in spam volume without McColo to host the world's biggest
spamming botnets anymore, these orphaned bots are still at risk -- and
possibly still spewing spam, security experts say.



"They are probably already infected with multiple things. You hardly
ever find just one bot on these computers," says Joe Stewart, director
of malware research for SecureWorks. "You may find three or four
different spam bots on the same machine. And who knows what else --
password stealers and other rogue ware."



Many of these bots -- which were members of the world's most prolific
spam botnets, Srizbi, Mega-D, and Rustock -- are likely still spamming
away for other botnets, or even possibly other servers on the big three
that weren't hosted on McColo, security experts say.



[...]








Received on Fri Nov 21 2008 - 00:21:30 PST




