One of the most harmful types of malware around of late, and
one which is extremely difficult to root out is the Botnet. A Botnet is a
specialized type of computer worm, which upon infecting a computer communicates
with an upstream command-and-control network controlled by its creators, who
then command it to use the infected computer to send spam (on behalf of clients
who pay the malware writers well), also infecting other computers in the
process. The one drawback of a botnet is that taking the C&C center offline
will also shut down the whole network… unless it can come back that is.
One of the largest botnets around, Srizbi, did just that late
Tuesday, according to FireEye security, when the infected PCs were able to
re-establish contact with the previously downed C&C servers, now back up in
Estonia.
Srizbi was thought done for more than two weeks ago when its
hosting company McColo Corp., had its plug pulled by its own internet service
provider after being accused of abetting a large number of illicit activities.
With it down, infected computers were not receiving any instructions and spam
levels dropped noticeably.
Unfortunately their fallback strategy worked. With the
original domains down, the child computers used an internal algorithm to
generate new domains to connect to. FireEye anticipated this and predicted,
then preemptively registered the domains so that Srizbi’s owners could not.
However the company could not keep doing that indefinitely and the spammers
finally caught up.
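The fallback described above, in which bots cycle through algorithmically generated domains until one resolves, leaves a trace in resolver logs: a burst of NXDOMAIN answers for long, random-looking names from a single host. The detector below is an added example, not code from the article or from FireEye; the log format, the sample lines and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article): "<ts> <client> <qname> <rcode>".
# 10.0.0.5 behaves like a bot cycling through generated domains after its C&C went dark;
# 10.0.0.9 is an ordinary client with one mistyped lookup.
SAMPLE_LOG = """\
1227600001 10.0.0.5 qzvkwmxrtp.com NXDOMAIN
1227600002 10.0.0.5 hgbtnlqsd.com NXDOMAIN
1227600003 10.0.0.5 xpwrmvkjhy.net NXDOMAIN
1227600004 10.0.0.5 tlqzcbvnmf.com NXDOMAIN
1227600005 10.0.0.5 rkwjsdpqxv.org NOERROR
1227600006 10.0.0.9 www.example.com NOERROR
1227600007 10.0.0.9 mail.example.org NOERROR
1227600008 10.0.0.9 typo-of-example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a single repeated character)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def sld_label(qname: str) -> str:
    """Registrable label heuristic: the label left of the TLD (assumes a one-label TLD, no PSL)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_dga_clients(log_text, min_nx=3, min_entropy=3.0, min_len=8):
    """Return {client: sorted labels} for clients with at least min_nx NXDOMAIN answers
    for distinct, long, high-entropy registrable labels. A single odd lookup (a typo)
    passes the entropy test but not the count threshold, which is the point of combining them."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, rcode = m.groups()
        label = sld_label(qname)
        if rcode == "NXDOMAIN" and len(label) >= min_len and entropy(label) >= min_entropy:
            suspects[client].add(label)
    return {c: sorted(labels) for c, labels in suspects.items() if len(labels) >= min_nx}
```

On the constructed log only 10.0.0.5 is flagged; a host that is flagged this way is a candidate for the same follow-up the article describes, namely identifying the generated names before the operators can register them.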
"We have registered a couple hundred domains,"
Gong said, "but we made the decision that we cannot afford to spend so
much money to keep registering so many [domain] names."
The spammers seized the chance and registered the next five
domains in the cycle, and re-established the command-and-control servers; this got
the botnet back up and running.
"Once each bot was updated, the next command was to
send spam," said Fengmin Gong, CSCO at FireEye. He noted that the first
spam campaign targeted Russian speakers.
The company has identified the address of the new C&C servers,
but has so far been unsuccessful in getting their new ISPs to take them
off the web.
© 2007 - 2009 - eFluxMedia