This month's MSRT takes on one of the largest botnets currently active worldwide – Win32/Srizbi. The Srizbi family of malware consists of trojan droppers and rootkits that often spread through spam e-mails containing download links to the malware.
Much like its alleged close cousin Win32/Rustock (which the MSRT has removed since October 2008), the Srizbi family of malware was developed mainly for spam-for-hire operations. The Srizbi malware authors offer the botnet as an efficient way of sending spam e-mail for any organization willing to stoop low enough to advertise through this mechanism.
Win32/Srizbi first arrives as a trojan dropper, which is detected by Microsoft as any variant of TrojanDropper:Win32/Srizbi. When executed, it installs the kernel-mode rootkit component of Srizbi and is detected as Spammer:WinNT/Srizbi.
Earlier variants of Spammer:WinNT/Srizbi use file names such as:

%systemdir%\drivers\symavc32.sys
%systemdir%\drivers\grande48.sys
...

Newer variants use randomly generated names, e.g. %systemdir%\drivers\qppvowsp.sys
Some variants of the trojan dropper also copy themselves into %windir%\<random>.exe and install an auto-run key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random> = %windir%\<random>.exe.
The trojan dropper then installs the kernel-mode rootkit as a service, which adds a service key in the registry in the form:

HKLM\SYSTEM\CurrentControlSet\Services\<rootkit_name>
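To show how a defender can look for the persistence artifacts described above (a Run value pointing at %windir%\<random>.exe, and a driver service whose image lives in the drivers directory under a known or random-looking name), here is an added Python example; it is not part of the original post and not MSRT code. It parses registry values written in the same key\name = data notation the post uses. The sample records, the assumed Windows directory C:\Windows, and the "eight lowercase letters" heuristic for the newer random driver names are all constructed assumptions; that heuristic also matches some legitimate drivers (kbdclass.sys, for instance), so its hits are candidates for review, not verdicts.

```python
import re
from ntpath import basename, dirname  # Windows path handling that works on any host

# Indicators taken from the post: older Srizbi driver names and the key paths it describes.
KNOWN_SRIZBI_DRIVERS = {"symavc32.sys", "grande48.sys"}
WINDIR = r"c:\windows"  # assumed Windows directory; on a live host read %windir% instead
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
SERVICES_KEY = r"hklm\system\currentcontrolset\services"

# Weak heuristic for randomly generated names such as qppvowsp.sys: a basename of
# exactly eight lowercase letters. Legitimate drivers match too, so review hits manually.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.sys$")

# Constructed sample records (not a real export) in the post's "key\name = data" notation.
SAMPLE_REGISTRY = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon = C:\Windows\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xkdpqzrt = %windir%\xkdpqzrt.exe
HKLM\SYSTEM\CurrentControlSet\Services\tcpip\ImagePath = system32\DRIVERS\tcpip.sys
HKLM\SYSTEM\CurrentControlSet\Services\symavc32\ImagePath = system32\drivers\symavc32.sys
HKLM\SYSTEM\CurrentControlSet\Services\grande48\ImagePath = \SystemRoot\system32\drivers\grande48.sys
HKLM\SYSTEM\CurrentControlSet\Services\qppvowsp\ImagePath = %systemdir%\drivers\qppvowsp.sys
"""


def parse_records(text):
    """Parse lines of the form 'KEY\\ValueName = data' into (key, name, data) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or " = " not in line:
            continue
        full, data = line.split(" = ", 1)
        key, _, name = full.rpartition("\\")
        records.append((key.lower(), name, data.strip()))
    return records


def expand(path):
    """Normalise a path: lower-case, expand the placeholders the post uses, make absolute."""
    p = path.strip('"').lower()
    p = p.replace("%windir%", WINDIR).replace("%systemroot%", WINDIR).replace("\\systemroot", WINDIR)
    p = p.replace("%systemdir%", WINDIR + r"\system32")
    if not re.match(r"^[a-z]:\\", p):  # ImagePath is often relative to the Windows directory
        p = WINDIR + "\\" + p.lstrip("\\")
    return p


def suspicious_run_entries(records):
    """Run values whose target executable sits directly in the Windows directory."""
    hits = []
    for key, name, data in records:
        if key != RUN_KEY:
            continue
        target = expand(data)
        if target.endswith(".exe") and dirname(target) == WINDIR:
            hits.append({"name": name, "target": target,
                         "reason": "autorun executable directly under %windir%"})
    return hits


def suspicious_driver_services(records):
    """Services whose ImagePath is a driver with a known Srizbi name or a random-looking name."""
    hits = []
    for key, name, data in records:
        if name.lower() != "imagepath" or not key.startswith(SERVICES_KEY + "\\"):
            continue
        service = key.rsplit("\\", 1)[1]
        image = expand(data)
        fname = basename(image)
        if dirname(image) != WINDIR + r"\system32\drivers":
            continue
        if fname in KNOWN_SRIZBI_DRIVERS:
            reason = "known Srizbi driver name"
        elif RANDOM_NAME_RE.match(fname):
            reason = "random-looking driver name (weak heuristic, review manually)"
        else:
            continue
        hits.append({"service": service, "image": image, "reason": reason})
    return hits


def scan(text):
    """Run both checks over a block of records and return the findings."""
    records = parse_records(text)
    return {"run": suspicious_run_entries(records),
            "drivers": suspicious_driver_services(records)}


if __name__ == "__main__":
    for category, findings in scan(SAMPLE_REGISTRY).items():
        for hit in findings:
            print(category, hit)
```

On a real host the records would come from a registry export rather than the constructed string; the checks themselves only need the key path, value name and data, so any export format that can be reduced to that shape works.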
The rootkit hooks low-level operating system APIs so that its registry and file components cannot be seen or accessed, concealing its presence and hindering disinfection. Software firewalls, which could otherwise render Win32/Srizbi useless for its purpose, are bypassed by the rootkit hooking into the system's TCP/IP driver.
Upon activation of the rootkit, the infected computer effectively becomes one of the Srizbi botnet's bots. As a Srizbi bot, its main objective is to receive instructions about its spamming duties and perform the e-mailing task assigned to it. It does so by connecting to a hardcoded list of servers containing information such as:
Historically, Win32/Srizbi has been accused of being responsible for a huge chunk of spam e-mail messages sent in the years after its discovery. We hope to make a positive impact with the addition of Win32/Srizbi into MSRT.
--Vincent Tiu