Security vendors are warning that the zombie computers used to send spam are coming back to life.
The experts say spammers are reconnecting with hacked PCs used for sending spam as evidenced by a rising number of spam messages circulating on the Internet in the last few days.
Spam levels suddenly dropped two weeks ago after the shutdown of McColo, a rogue ISP (Internet Service Provider) based in San Jose, California, whose connectivity was used to control networks of hundreds of thousands of computers to send spam, known as botnets.
Computers that are part of the Srizbi botnet - which by some estimates sent nearly half of the world's spam - are apparently becoming active again, according to researchers from FireEye.
"Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary," according to a blog post on Tuesday by Atif Mushtaq and Alex Lanstein of FireEye. "The worldwide update began just a few hours ago."
Srizbi's computers were controlled by spammers through McColo's network. When McColo was shut down, those computers tried to call back and get new instructions to send spam. But the botnet operators are clever and created a way to get those machines back if they were stranded.
FireEye researchers essentially did an autopsy on Srizbi's code. They found that the hackers put in an algorithm that dynamically generates a domain name from which a compromised computer could fetch new instructions.
The hackers could then register that domain name and put instructions there to tell the compromised PC to go to a different command-and-control server - not McColo's - for new instructions.
Since FireEye figured out how the algorithm worked, the company registered the gibberish domain names, such as "auaopagr.com," that the algorithm generated. When those machines reported for duty, there were no instructions. But FireEye couldn't keep pre-empting the spammers forever by buying domain names.
Now the compromised computers are connecting to domain names registered by the spammers and getting updated code, including templates for new spam campaigns. The new command-and-control servers are in Estonia and the domain names are being bought from a registrar in Russia, FireEye said.
Srizbi at one time amounted to more than 450,000 PCs, and it remains to be seen how many of those machines have updated code. But three other botnets that were controlled via McColo - Rustock, Cutwail and Asprox - all appear to also be coming back online.
Dmitry Samosseiko of computer security vendor Sophos wrote on Wednesday that spam levels suddenly surged earlier this week, due in part to the resurgence of the Rustock botnet.