Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?
They did, but there was only so much budget they were allotted.
Read this:
http://blog.fireeye.com/research/2008/11/fallback-cc-channels-part-deux.html
Actually pretty much everything on that blog is worth reading to get a much better idea of what kind of research is going on regarding not just Srizbi but several other botnets
They also stated that they were indeed in a position to send the "uninstall" command to the entire swath of the botnet they knew were trying to phone home. They didn't, probably for the very reasons being argued above.
I'm on the side of anyone who is in a position to stop these infections quickly.
And here's another example I'd like to put out there, as an example of the whole "moral high ground" argument:
There are hundreds of infected Unix servers out there. Hundreds if not thousands. They've been infected by the group behind a very large illegal pharmacy spam operation. They take over these servers and use them for everything from web hosting, to DNS, to image hosting, etc. I have been attempting to contact the owners of most of these infected servers for the better part of two years now. They're mostly abandoned. Nobody responds. The servers are mostly hobbyist Unix setups which originally were not even meant to be used as web servers (several are firewall setups, others are PBX installations.)
I know how these hackers are getting in, and I know how to remove the infection reliably, but I cannot stop the box from being infected again, and I can't seem to get the attention of a single one of the owners or operators of these hijacked, infected servers.
What would you do?
I do think the days of these botnets continuing to operate with impunity MUST be coming to a close. It's very interesting seeing all the media coverage of this (even though it's largely just the geek media.)
SiL / IKS / concerned citizen