It took approximately two weeks for the world's biggest spammers to get back online and start updating their bots, a recent report by FireEye revealed. This means the respite from spam is over now that the Srizbi botnet, responsible for almost half of the world's spam, is back online. SecureWorks estimated at the time that McColo, Srizbi's web host, was responsible for 75 percent of the spam sent daily in the United States.
FireEye explained that the comeback was possible because of a mechanism that dynamically generates the command-and-control domains the bot contacts, based on a seed in the binary and a variation of the Julian date on the infected host.
FireEye tried to keep Srizbi from regaining control by working out exactly which domains the bots would look for and registering them before the spammers could. That worked only for a short time: the security firm realized the effort was becoming increasingly expensive, since every domain it registered cost money.
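The seed-plus-date generation scheme and the pre-registration race described in the two paragraphs above, as an added illustrative example (this is not FireEye's or Srizbi's code; the hash construction, seed, number of domains per day, TLD and per-domain cost are assumptions chosen for the illustration):

```python
import datetime as dt
import hashlib

# Constructed seed standing in for the one embedded in the binary; not Srizbi's.
SEED = b"constructed-example-seed"
LABEL_LEN = 10
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def julian_day_number(iso_date: str) -> int:
    """Julian Day Number of a Gregorian date given as 'YYYY-MM-DD'."""
    d = dt.date.fromisoformat(iso_date)
    a = (14 - d.month) // 12
    y = d.year + 4800 - a
    m = d.month + 12 * a - 3
    return (d.day + (153 * m + 2) // 5 + 365 * y
            + y // 4 - y // 100 + y // 400 - 32045)

def daily_domains(iso_date: str, per_day: int = 4, seed: bytes = SEED,
                  tld: str = ".com") -> list[str]:
    """Deterministic domain list for one day, derived from seed + date.

    Hypothetical scheme: SHA-256 over seed, the day's JDN and an index,
    mapped to lowercase letters. Only the shape (seed + date -> domains)
    follows the article; the construction itself is illustrative.
    """
    jdn = julian_day_number(iso_date).to_bytes(4, "big")
    out = []
    for i in range(per_day):
        digest = hashlib.sha256(seed + jdn + bytes([i])).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:LABEL_LEN])
        out.append(label + tld)
    return out

def preregistration_plan(start_iso: str, days: int, per_day: int = 4,
                         cost_per_domain: float = 10.0) -> dict:
    """Defender's view: every domain to register or sinkhole for the next
    `days` days, plus the running cost that made the effort unsustainable."""
    start = dt.date.fromisoformat(start_iso)
    plan = {}
    for offset in range(days):
        day = (start + dt.timedelta(days=offset)).isoformat()
        plan[day] = daily_domains(day, per_day)
    count = sum(len(v) for v in plan.values())
    return {"domains": plan, "count": count, "cost": count * cost_per_domain}

if __name__ == "__main__":
    # Constructed start date shortly after the McColo takedown.
    p = preregistration_plan("2008-11-26", days=14)
    print(p["count"], "domains to register,", p["cost"], "currency units")
```

Because the generator is deterministic, anyone holding the seed, botnet operator or defender, can compute the same list for any future day; the cost line shows why a defender paying per registration loses the race over time.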
"As soon as we stopped registering domain names, the Botnet owner swooped in and began registering domains, as he was able to predict which would be in use today," FireEye's Atif Mushtaq and Alex Lanstein reported, adding that all the domains pointed to servers in Estonia, except one whose IP was registered in the Cayman Islands and hosted in Germany.
This happened even though the primary ISP hosted at McColo is still not routable, the security firm said. The web hosting firm was taken down in mid-November after being linked to suspicious activities in reports by the Washington Post's Security Fix blog, which had been tracking McColo for months.
Just one day after McColo was taken down, spam volume dropped by almost two thirds, underlining once more the company's central role in distributing much of the world's spam e-mail.
The incident came two months after the Intercage (Atrivo) case, when that California-based ISP was cut off by its upstream providers after it proved to be a major hub for cyber crime. In that case as well, spam traffic dropped for a short time until the spammers went back into business. This is why Srizbi's rise from the ashes should come as no surprise.
"In the coming days, many journalists and researchers will ask themselves: 'How is it possible that the largest Botnet in the world was allowed to update itself, when a security firm had near complete control over it?' This is an interesting angle that we'll be exploring once all the technical facts are out on the table," Mushtaq and Lanstein wrote on their blog.
© 2007 - 2009 - eFluxMedia