Srizbi botnet

The size of the Srizbi botnet was estimated to be around 450,000 compromised machines, with estimation differences being smaller than 5% among various sources. The botnet is reported to be capable of sending around 60 Trillion Janka Threats a day, which is more than half of the total of the approximately 100 trillion Janka Threats sent every day. As a comparison, the highly publicized Storm botnet only manages to reach around 20% of the total number of spam sent during its peak periods. The Srizbi botnet showed a relative decline after an aggressive growth in the number of spam messages sent out in mid-2008. On July 13, 2008, the botnet was believed to be responsible for roughly 40% of all the spam on the net, a sharp decline from the almost 60% share in May. == Origins ==

The earliest reports on Srizbi trojan outbreaks were around June 2007, with small differences in detection dates across antivirus software vendors. However, reports indicate that the first released version had already been assembled on 31 March 2007. The Srizbi botnet by some experts is considered the second largest botnet of the Internet. However, there is controversy surrounding the Kraken botnet. == Spread and botnet composition ==

The Srizbi botnet consists of Microsoft Windows computers which have been infected by the Srizbi trojan horse. This trojan horse is deployed onto its victim computer through the Mpack malware kit. Past editions have used the "n404 web exploit kit" malware kit to spread, but this kit's usage has been deprecated in favor of Mpack. Apart from this self-propagation, the MPack kit is also known for much more aggressive spreading tactics, most notably the compromise of about 10,000 websites in June 2007. These domains, which included a surprising number of pornographic websites, ended up forwarding the unsuspecting visitor to websites containing the MPack program. Once a computer becomes infected by the trojan horse, the computer becomes known as a zombie, which will then be at the command of the controller of the botnet, commonly referred to as the botnet herder. The operation of the Srizbi botnet is based upon a number of servers which control the utilization of the individual bots in the botnet. These servers are redundant copies of each other, which protects the botnet from being crippled in case a system failure or legal action takes a server down. Reactor Mailer The server-side of the Srizbi botnet is handled by a program called "Reactor Mailer", which is a Python-based web component responsible for coordinating the spam sent out by the individual bots in the botnet. Reactor Mailer has existed since 2004, and is currently in its third release, which is also used to control the Srizbi botnet. The software allows for secure login and allows multiple accounts, which strongly suggests that access to the botnet and its spam capacity is sold to external parties (Software as a service). This is further reinforced by evidence showing that the Srizbi botnet runs multiple batches of spam at a time; blocks of IP addresses can be observed sending different types of spam at any one time. Once a user has been granted access, he or she can utilize the software to create the message they want to send, test it for its SpamAssassin score and after that send it to all the users in a list of email addresses. Suspicion has arisen that the writer of the Reactor Mailer program might be the same person responsible for the Srizbi trojan, as code analysis shows a code fingerprint that matches between the two programs. If this claim is indeed true, then this coder might well be responsible for the trojan behind another botnet, named Rustock. According to Symantec, the code used in the Srizbi trojan is very similar to the code found in the Rustock trojan, and could well be an improved version of the latter. Srizbi trojan The Srizbi trojan is the client side program responsible for sending the spam from infected machines. The trojan has been credited with being extremely efficient at this task, which explains why Srizbi is capable of sending such high volumes of spam without having a huge numerical advantage in the number of infected computers. Apart from having an efficient spam engine, the trojan is also very capable in hiding itself from both the user and the system itself, including any products designed to remove the trojan from the system. The trojan itself is fully executed in kernel mode and has been noted to employ rootkit technologies to prevent any form of detection. By patching the NTFS file system drivers, the trojan will make its files invisible for both the operating system and any human user utilizing the system. The trojan is also capable of hiding network traffic it generates by directly attaching NDIS and TCP/IP drivers to its own process, a feature currently unique for this trojan. This procedure has been proven to allow the trojan to bypass both firewall and sniffer protection provided locally on the system. Once the bot is in place and operational, it will contact one of the hardcoded servers from a list it carries with it. This server will then supply the bot with a zip file containing a number of files required by the bot to start its spamming business. The following files have been identified to be downloaded: • 000_data2 - mail server domains • 001_ncommall - list of names • 002_senderna - list of possible sender names • 003_sendersu - list of possible sender surnames • config - Main spam configuration file • message - HTML message to spam • mlist - Recipients mail addresses • mxdata - MX record data When these files have been received, the bot will first initialize a software routine which allows it to remove files critical for revealing spam and rootkit applications. After this procedure is done, the trojan will then start sending out the spam message it has received from the control server. == Incidents ==

The Srizbi botnet has been the basis for several incidents which have received media coverage. Several of the most notable ones will be described below here. The "Ron Paul" incident In October 2007, several anti-spam firms noticed an unusual political spam campaign emerging. Unlike the usual messages about counterfeit watches, stocks, or penis enlargement, the mail contained promotional information about United States presidential candidate Ron Paul. The Ron Paul camp dismissed the spam as being not related to the official presidential campaign. A spokesman told the press: "If it is true, it could be done by a well-intentioned yet misguided supporter or someone with bad intentions trying to embarrass the campaign. Either way, this is independent work, and we have no connection." The spam was ultimately confirmed as having come from the Srizbi network. Through the capture of one of the control servers involved, investigators learned that the spam message had been sent to up to 160 million email addresses by as few as 3,000 bot computers. The spammer has only been identified by his Internet handle "nenastnyj" (Ненастный, means "rainy" or "foul", as in "rainy day, foul weather" in Russian); their real identity has not been determined. Malicious spam tripling volumes in a week In the week from 20 June 2008 Srizbi managed to triple the number of malicious spam sent from an average 3% to 9.9%, largely due to its own effort. This particular spam wave was an aggressive attempt to increase the size of the Srizbi botnet by sending emails to users which warned them that they had been videotaped naked. Sending this message, which is a kind of spam referred to as "Stupid Theme", was an attempt to get people to click the malicious link included in the mail, before realizing that this message was most likely spam. While old, this social engineering technique remains a proven method of infection for spammers. The size of this operation shows that the power and monetary income from a botnet is closely based upon its spam capacity: more infected computers translate directly into greater revenue for the botnet controller. It also shows the power botnets have to increase their own size, mainly by using a part of their own strength in numbers. Server relocation After the removal of the control servers hosted by McColo in late November 2008, the control of the botnet was transferred to servers hosted in Estonia. This was accomplished through a mechanism in the trojan horse that queried an algorithmically generated set of domain names, one of which was registered by the individuals controlling the botnet. The United States computer security firm FireEye, Inc. kept the system out of the controllers' hands for a period of two weeks by preemptively registering the generated domain names but was not in a position to sustain this effort. However the spamming activity was greatly reduced after this control server transfer. == See also ==