The Srizbi botnet. Spam malware info for computer geeks only

[CoolBreeze]

The Srizbi botnet, also known by its aliases of Cbeplay and Exchanger, is the world's largest or second-largest botnet depending on expert reports, and is responsible for sending out more than half of all the spam being sent by all the major botnets combined.[The botnets consist of computers infected by the Srizbi trojan, which sends spam on command. The botnet suffered a significant setback in November 2008 when hosting provider McColo was taken down; global spam volumes reduced by up to 75% as a result of this action.

The size of the Srizbi botnet is estimated to be around 450,000 compromised machines, with estimation differences being smaller than 5% among various sources. The botnet is reported to be capable of sending around 60 billion spam messages a day, which is more than half of the total of the approximately 100 billion spam messages sent every day. As a comparison, the highly publicized Storm botnet only manages to reach around 20% of the total amount of spam sent during its peak periods.

The Srizbi botnet is believed to be responsible for roughly 60% of all the spam on the net. Ever since its creation, Srizbi has been growing at an extremely rapid pace, making the botnet the largest generator of spam messages, less than one year into its existence. There is currently no sign of decline in the number of bots involved in the botnet.

The Srizbi botnet consists of computers which have been infected by the Srizbi trojan horse. This trojan horse is deployed onto its victim computer through the Mpack malware kit. Past editions have used the "n404 web exploit kit" malware kit to spread, but this kit's usage has been deprecated in favor of Mpack.

The distribution of these malware kits is partially achieved by utilizing the botnet itself. The botnet has been known to send out spam containing links to fake videos about celebrities, which include a link pointing to the malware kit. Similar attempts have been taken with other subjects such as illegal software sales and personal messages. Apart from this self-propagation, the MPack kit is also known for much more aggressive spreading tactics, most notably the compromise of about 10,000 websites in June 2007. These domains, which included a surprising number of pornographic websites,ended up forwarding the unsuspecting visitor to websites containing the MPack program.

Once a computer becomes infected by the trojan horse, the computer becomes known as a bot, which will then be at the command of the controller of the botnet, commonly referred to as the botnet herder. The operation of the Srizbi botnet is based upon a number of servers which control the utilization of the individual bots in the botnet. These servers are redundant copies of each other, which protects the botnet from being crippled in case a system failure or legal action takes a server down. These servers are generally placed in countries such as Russia, where law enforcement against digital crime is limited.

The server-side of the Srizbi botnet is handled by a program called "Reactor Mailer", which is a Python-based web component responsible for coordinating the spam sent out by the individual bots in the botnet. Reactor Mailer has existed since 2004, and is currently in its third release, which is also used to control the Srizbi botnet. The software allows for secure login and allows multiple accounts, which strongly suggests that access to the botnet and its spam capacity is sold to external parties (Software as a service). This is further reinforced by evidence showing that the Srizbi botnet runs multiple batches of spam at a time; blocks of IP addresses can be observed sending different types of spam at any one time. Once a user has been granted access, he or she can utilize the software to create the message they want to send, test it for its SpamAssassin score and after that send it to all the users in a list of e-mail addresses.

Suspicion has arisen that the writer of the Reactor Mailer program might be the same person responsible for the Srizbi trojan, as code analysis shows a code fingerprint that matches between the two programs. If this claim is indeed true, then this coder might well be responsible for the trojan behind another botnet, named Rustock. According to Symantec, the code used in the Srizbi trojan is very similar to the code found in the Rostock trojan, and could well be an improved version of the latter.


Srizbi trojan

The Srizbi trojan is the client side program responsible for sending the spam from infected machines. The trojan has been credited with being extremely efficient at this task, which explains why Srizbi is capable of sending such high volumes of spam without having a huge numerical advantage in the number of infected computers.

Apart from having an efficient spam engine, the trojan is also very capable in hiding itself from both the user and the system itself, including any products designed to remove the trojan from the system. The trojan itself is fully executed in kernel mode and has been noted to employ rootkit-like technologies to prevent any form of detection. By patching the NTFS file system drivers, the trojan will make its files invisible for both the operating system and any human user utilizing the system. The trojan is also capable of hiding network traffic it generates by directly attaching NDIS and TCP/IP drivers to its own process, a feature currently unique for this trojan. This procedure has been proved to allow the trojan to bypass both firewall and sniffer protection on the system.


Estonian ISP cuts off control servers for Srizbi botnet

An Estonian ISP that temporarily hosted the command-and-control servers for the Srizbi botnet, responsible for a large portion of the world's spam, has cut off those servers, according to computer security analysts.

Starline Web Services, based in Estonia's capital Tallinn, had hosted four domain names identified as the control points for Srizbi, according to researchers from computer security firm FireEye.

Hundreds of thousands of PCs around the world infected with Srizbi, a difficult-to-remove rootkit that is used for sending spam, were programmed to seek new instructions from servers in those domains.

Srizbi is considered one of the more powerful botnets, with at least 450,000 PCs infected. It is estimated that half of the world's spam originated from computers infected with Srizbi. Spam remains a profitable business for cybercriminals.

But spammers lost control of Srizbi when the ISP that previously hosted its command-and-control servers was cut off from the Internet. McColo, whose servers are based in San Jose, California, was cut off by its upstream providers earlier this month after being exposed by computer security experts and the Washington Post.

That left spammers unable to control Srizbi-infected computers. But Srizbi's code contained a fallback mechanism where spammers could reconnect with the stranded machines if such a scenario occurred.

An algorithm within Srizbi would periodically generate new domain names where the malware would look for new instructions if those domains were live on the Internet. Armed with that same algorithm, the spammers had only to register the appropriate domain names and point them to their servers.

The spammers, however, needed a new ISP to host those servers, at least for a while. They found Starline Web Services, a very small ISP, but that provider has since also cut them off.

"I was satisfied that those sites were closed down," said Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team (CERT), on Thursday.

Attempts to contact Starline Web Services were unsuccessful. But Aarelaid said CERT has been in contact with the company, and it does appear to be responsive to complaints about abuse.

Starline Web Services buys its connectivity from Compic, another Estonian company. Compic has been flagged by Estonia's CERT as having Web sites hosting malicious software, said Tarmo Randel, an information security expert at the organization.

Randel said CERT has "constantly" notified Compic about malware they've hosted. Compic will take action to remove the sites depending "on how loud we scream," Randel said. Compic usually reacts fast when CERT sends a complaint e-mail -- and copies the Estonian Criminal Police, Randel said.

On Thursday, Compic's upstream provider, Linxtelecom, sent an e-mail to the Estonian ISP community that said they are planning to cut off Compic, Randal said.

Linxtelecom sells IP transit services that connect local ISPs and telecommunications operators with larger data carriers. Linxtelecom said in the e-mail that 99 percent of the complaints that it receives over abuse are related to Compic, Randel said.

A Linxtelecom official said he did not know about the e-mail. Compic does respond to complaints within two days or so, but Linxtelecom in the past cut off connectivity to Web sites hosted by Compic after complaints, the official said.

Computer security experts say there are a handful of ISPs and domain name registrars that work closely with cybercriminals to support spam operations, Web sites that sell fake software and other scams.

The operations are difficult to stop due to their international nature, the speed with which cybercriminals react to shutdowns and the lack of law enforcement resources or interest.

McColo's shutdown came after research was published which showed the extent to which the company was involved in the criminal underground.

Similarly, another noted bad ISP -- known as Atrivo or Intercage -- was cut off by its upstream providers in September as a result of mounting pressure from the computer security community.

"With the recent cases of McColo and Atrivo/Intercage taken off the Internet, it will be easier in the future to put more pressure on other known hosters of badware to take action or go offline," said Toralv Dirro, security strategist for McAfee's Avert Labs, on Thurday.



Massive botnet returns from the dead, starts spamming

Criminals regain control after security firm stops preemptively registering routing domains
November 26, 2008 (Computerworld) A big spam-spewing botnet shut down two weeks ago has been resurrected, security researchers said today, and is again under the control of criminals.

The "Srizbi" botnet returned from the dead late Tuesday, said Fengmin Gong, chief security content officer at FireEye Inc., when the infected PCs were able to successfully reconnect with new command-and-control servers, which are now based in Estonia.

Srizbi was knocked out more than two weeks ago when McColo Corp., a hosting company that had been accused of harboring a wide range of criminal activities, was yanked off the Internet by its upstream service providers. With McColo down, PCs infected with Srizbi and other bot

Trojan horses were unable to communicate with their command servers, which had been hosted by McColo. As a result, spam levels dropped precipitously.

But as other researchers noted last week, Srizbi had a fallback strategy. In the end, that strategy paid off for the criminals who control the botnet.

According to Gong, when Srizbi bots were unable to connect with the command-and-control servers hosted by McColo, they tried to connect with new servers via domains that were generated on the fly by an internal algorithm. FireEye reverse-engineered Srizbi, rooted out that algorithm and used it to predict, then preemptively register, several hundred of the possible routing domains.

The domain names, said Gong, were generated on a three-day cycle, and for a while, FireEye was able to keep up -- and effectively block Srizbi's handlers from regaining control.

"We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

Once FireEye stopped preempting Srizbi's makers, the latter swooped in and registered the five domains in the next cycle. Those domains, in turn, pointed Srizbi bots to the new command-and-control servers, which then immediately updated the infected machines to a new version of the malware.

"Once each bot was updated, the next command was to send spam," said Gong, who noted that the first campaign used a template targeting Russian speakers.

The updated Srizbi includes hard-coded references to the Estonian command-and-control servers, but Gong was unaware of any current attempt to convince the firm now hosting those servers to yank them off the Web.

In the meantime, FireEye is working with several other companies -- including VeriSign Inc., Microsoft Corp. and Network Solutions Inc., a domain registrar -- on ways to reach the more than 100,000 users whose PCs FireEye has identified as infected with Srizbi.

Discussions about how to best handle any future McColo-Srizbi situation are also ongoing, Gong said. "We're trying to find a solution, and talking about ideas of how they can help fund efforts for some period of time to [preemptively] register domains," he said.

Right now, though, we have this window of opportunity to help clean all those [100,000] machines," Gong said. "Registering those domains was just a way to buy us time. We have to reach those machines to clean them up."

Although some message security companies said yesterday that spam volumes had climbed back from post-McColo troughs, Gong was hesitant to finger Srizbi's return as the reason. "Srizbi may have contributed," he said, "but Rustock is also back."

Rustock, another botnet whose command-and-control servers were hosted by McColo, was partially restored when a Swedish Internet provider briefly stepped in 11 days ago to reconnect McColo to the Web.

Even though McColo's connection was quickly severed by TeliaSonera after it received complaints, Rustock's controllers had enough time to instruct some of the bots to look to a Russian-hosted server for commands.



The Srizbi botnet has been the basis for several incidents which have received media coverage in the regular media. Several of the most notable ones will be described below here. This is by no means a complete list of incidents, but just a list of the major ones.


The "Ron Paul" incident

In October 2007, several anti-spam firms noticed an unusual spam campaign emerging. Unlike the usual messages about counterfeit watches, stocks, or penis enlargement, the mail contained promotional information about United States presidential candidate Ron Paul. The Ron Paul camp dismissed the spam as being not related to the official presidential campaign. A spokesman told the press: "If it is true, it could be done by a well-intentioned yet misguided supporter or someone with bad intentions trying to embarrass the campaign. Either way, this is independent work, and we have no connection."

The spam was ultimately confirmed as having come from the Srizbi network. Through the capture of one of the control servers involved, investigators learned that the spam message had been sent to up to 160 million e-mail addresses by as few as 3,000 bot computers. The spammer has only been identified by his Internet handle "nenastnyj"; his or her real identity has not been determined.


Malicious spam tripling volumes in a week

In the week from 20 June 2008 Srizbi managed to triple the amount of malicious spam send from an average 3% to 9.9%, largely due to its own effort. This particular spam wave was an aggressive attempt to increase the size of the Srizbi botnet by sending e-mails to users which warned them that they had been videotaped naked. Sending this message, which is a kind of spam referred to as "Stupid Theme", was an attempt to get people to click the malicious link included in the mail, before realizing that this message was most likely spam. While old, this social engineering technique remains a proven method of infection for spammers.

The size of this operation shows that the power and monetary income from a botnet is closely based upon its spam capacity: more infected computers translate directly into greater revenue for the botnet controller. It also shows the power botnets have to increase their own size, mainly by using a part of their own strength in numbers.