This month's MSRT takes on one of the largest botnets currently active worldwide – Win32/Srizbi. The Srizbi family of malware consists of trojan droppers and rootkits that often spread through spam e-mails containing download links to the malware.

Much like its alleged close cousin Win32/Rustock (which the MSRT has removed since October 2008), the Srizbi family was developed mainly for spam-for-hire operations. The Srizbi authors rent out the botnet as an efficient way to send spam e-mail on behalf of any organization willing to stoop to this mechanism to advertise its products.

Win32/Srizbi first arrives as a trojan dropper, which Microsoft detects as TrojanDropper:Win32/Srizbi. When executed, the dropper installs the kernel-mode rootkit component of Srizbi, which is detected as Spammer:WinNT/Srizbi.

Earlier variants of Spammer:WinNT/Srizbi used fixed driver file names such as:
%systemdir%\drivers\symavc32.sys
%systemdir%\drivers\grande48.sys
...
Newer variants use randomly generated file names, e.g. %systemdir%\drivers\qppvowsp.sys

Some variants of the trojan dropper also copy themselves into %windir%\<random>.exe and install an auto-run key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random> = %windir%\<random>.exe.

The trojan dropper then registers the kernel-mode rootkit as a driver service, which creates a service key in the registry of the form:
HKLM\SYSTEM\CurrentControlSet\Services\<rootkit_name>
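The two persistence points described above (a random-named executable under the Run key and a random-named driver service) can be audited from the registry. The following PowerShell script is an added example and is not part of the original post or Microsoft's own tooling; it assumes that "randomly generated" means eight lowercase letters (modelled on the qppvowsp.sys sample above), which is a heuristic, not a documented Srizbi property, and it treats a driver service whose file is not visible on disk as suspicious, since that is exactly what a file-hiding rootkit would produce.

```powershell
# Added example (not from the MMPC post): audit the HKLM Run key and kernel
# driver services for random-looking image names, the two persistence points
# the Srizbi dropper uses. Run from an elevated prompt.

$windir     = $env:windir
$drivers    = Join-Path $windir 'System32\drivers'
$randomName = '^[a-z]{8}$'   # ASSUMPTION: heuristic for "randomly generated" names
$findings   = @()

# 1. Auto-run entries whose image is a random-looking .exe directly under %windir%
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }              # skip provider metadata
        $image = ([string]$p.Value) -replace '"', ''
        $dir   = Split-Path $image -Parent
        $base  = [IO.Path]::GetFileNameWithoutExtension($image)
        if ($dir -and ($dir.TrimEnd('\') -ieq $windir.TrimEnd('\')) -and ($base -match $randomName)) {
            $findings += [pscustomobject]@{
                Where = 'Run'; Name = $p.Name; Image = $image
                Note  = 'random-looking exe in %windir%'
            }
        }
    }
}

# 2. Kernel driver services (Type = 1) whose image is a random-looking .sys
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or $props.Type -ne 1) { continue }   # 1 = SERVICE_KERNEL_DRIVER
    $image = [string]$props.ImagePath
    if (-not $image) { $image = Join-Path $drivers ($svc.PSChildName + '.sys') }
    # Normalise NT-style paths: "\SystemRoot\...", "\??\C:\...", "system32\drivers\..."
    $image = $image -replace '^\\SystemRoot', $windir -replace '^\\\?\?\\', ''
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $windir $image }
    $base = [IO.Path]::GetFileNameWithoutExtension($image)
    if ($base -match $randomName) {
        # The service key may be visible while the rootkit hides the file itself,
        # so a live driver service with no visible file is worth a second look.
        $onDisk = Test-Path -LiteralPath $image
        $note = if ($onDisk) { 'random-looking driver name' }
                else         { 'random-looking driver name; file not visible on disk' }
        $findings += [pscustomobject]@{
            Where = 'Service'; Name = $svc.PSChildName; Image = $image; Note = $note
        }
    }
}

$findings | Format-Table -AutoSize
```

Because the rootkit hooks the APIs that enumerate registry keys and files, a check like this run on the live system can be blinded; the same audit against the offline SYSTEM and SOFTWARE hives (from a clean boot or a rescue environment) is the reliable version, and a name that matches the heuristic is a lead to investigate, not a verdict.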

The rootkit hooks low-level operating system APIs so that its registry keys and files can be neither seen nor accessed, which both hides its presence and hinders disinfection. Software firewalls, which could otherwise block its network traffic and render Win32/Srizbi useless for its purpose, are bypassed by hooking directly into the system's TCP/IP driver.

Once the rootkit is active, the infected computer effectively becomes a bot in the Srizbi botnet. Its main objective as a bot is to receive its spamming instructions and carry out the e-mailing task assigned to it. It does this by connecting to a hardcoded list of servers to retrieve:

  • Spam e-mail message
  • List of e-mail addresses
  • List of fake sender names
  • List of mail servers to use

Historically, Win32/Srizbi has been blamed for a large share of the spam e-mail sent in the years since its discovery. We hope the addition of Win32/Srizbi to the MSRT makes a positive impact.

--Vincent Tiu