Srizbi botnet

Srizbi botnet

The Srizbi botnet, also known by its aliases of Cbeplay and Exchanger, is the world's largest or second-largest botnet depending on expert reports, and is responsible for sending out more than half of all the spam being sent by all the major botnets combined.cite news | last = Jackson Higgins| first = Kelly | title = Srizbi Botnet Sending Over 60 Billion Spams a Day | publisher = Dark Reading | date = May 8 2008 | url = http://www.darkreading.com/document.asp?doc_id=153271 | accessdate = 2008-07-20] cite news | last = Pauli| first = Darren | title = Srizbi Botnet Sets New Records for Spam | publisher = PC World | date = May 8 2008 | url = http://www.pcworld.com/businesscenter/article/145631/srizbi_botnet_sets_new_records_for_spam.html | accessdate = 2008-07-20] The botnets consist of computers infected by the Srizbi trojan, which sends spam on command.

Size

The size of the Srizbi botnet is estimated to be around 315,000 compromised machines, with estimation differences being smaller than 5% among various sources. [cite news | last = Popa| first = Bogdan| title = Meet Srizbi, the Largest Botnet Ever | publisher = Softpedia | date = April 10 2008 | url = http://news.softpedia.com/news/Meet-Srizbi-The-Largest-Botnet-Ever-82992.shtml | accessdate = 2008-07-20] The botnet is reported to be capable of sending around 60 billion spam messages a day, which is more than half of the total of the approximately 100 billion spam messages sent every day. As a comparison, the highly publicized storm botnet only manages to reach around 20% of the total amount of spam sent during its peak periods.cite news | last = E. Dunn| first = John| title = Srizbi Grows Into World's Largest Botnet | publisher = CSO Online | date = May 13 2008 | url = http://www.csoonline.com/article/356219/Srizbi_Grows_Into_World_s_Largest_Botnet | accessdate = 2008-07-20]

The Srizbi botnet is showing a slight decline after a recent aggressive growth in the amount of spam messages sent out. As of 13 July 2008, the botnet is believed to be responsible for roughly 40% of all the spam on the net, a sharp decline from the almost 60% market share in May 2008.cite news | first = Marshall| title = Spam statistics from TRACE | publisher = Marshall | date = July 13 2008 | url = http://www.marshal.com/TRACE/spam_statistics.asp | accessdate = 2008-07-20]

Origins

The earliest reports on Srizbi trojan outbreaks were around June 2007, with small differences in detection dates across antivirus software vendors.cite news | title = Trojan.Srizbi | publisher = Symantec| date = July 23 2007 | url = http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=1 | accessdate = 2008-07-20] cite news | title = Troj/RKAgen-A Trojan (Rootkit.Win32.Agent.ea, Trojan.Srizbi) - Sophos security analysis | publisher = Sophos| date = August 2007 | url = http://www.sophos.com/security/analyses/viruses-and-spyware/trojrkagena.html | accessdate = 2008-07-20] However, reports indicate that the first released version had already been assembled on 31 March 2007.cite news | last = Stewart| first = Joe| title = Inside the "Ron Paul" Spam Botnet | publisher = SecureWorks | date = December 4 2007 | url = http://www.secureworks.com/research/threats/ronpaul/?threat=ronpaul | accessdate = 2008-07-20] Ever since its creation, Srizbi has been growing at an extremely rapid pace, making the botnet the largest generator of spam messages, less than one year into its existence. There is currently no sign of decline in the number of bots involved in the botnet.

The Srizbi botnet by some experts is considered the second largest botnet of the Internet. However, due to controversy surrounding the the Kraken botnet [http://www.darkreading.com/document.asp?doc_id=150292&WT.svl=news1_1] [http://www.trustedsource.org/TS?do=threats&subdo=blog&id=32] [http://www.f-secure.com/weblog/archives/00001418.html] it may be that Srisbi is the largest botnet today.

Spread and botnet composition

The Srizbi botnet consists of computers which have been infected by the Srizbi trojan horse. This trojan horse is deployed onto its victim computer through the Mpack malware kit.cite news | last = Keizer | first = Gregg | title = Mpack installs ultra-invisible Trojan | publisher = ComputerWorld | date = July 5 2007 | url = http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026323 | accessdate = 2008-07-20] Past editions have used the "n404 web exploit kit" malware kit to spread, but this kit's usage has been deprecated in favor of Mpack.

The distribution of these malware kits is partially achieved by utilizing the botnet itself. The botnet has been known to send out spam containing links to fake videos about celebrities, which include a link pointing to the malware kit. Similar attempts have been taken with other subjects such as illegal software sales and personal messages.cite news | last = Blog | first = TRACE| title = Srizbi uses multi-pronged attack to spread malware | publisher = Marshal Limited| date = March 7 2008 | url = http://www.marshal.com/trace/traceitem.asp?article=595&thesection=trace | accessdate = 2008-07-20] [cite news | last = McKenzie| first = Grey| title = Srizbi Botnet Is Largely Responsible for Recent Sharp Increase In Spam | publisher = National Cyber Security| date = June 25 2008 | url = http://www.nationalcybersecurity.com/blogs/778/-Srizbi-Botnet-Is-Largely-Responsible-for-Recent-Sharp-Increase-In-Spam.html | accessdate = 2008-07-20] cite news | title = Srizbi spam uses celebrities as lures | publisher = TRACE Blog| date = February 20 2008 | url = http://www.marshal.com/trace/traceitem.asp?article=568&thesection=trace | accessdate = 2008-07-20] Apart from this self-propagation, the MPack kit is also known for much more aggressive spreading tactics, most notably the compromise of about 10,000 websites in June 2007. cite news | last = Keizer | first = Gregg | title = Hackers compromise 10k sites, launch 'phenomenal' attack | publisher = ComputerWorld | date = June 10 2007 | url = http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025198 | accessdate = 2008-07-20] These domains, which included a surprising number of pornographic websites, [cite news | last = Keizer | first = Gregg | title = Porn sites serve up Mpack attacks | publisher = ComputerWorld | date = June 22 2007 | url = http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025578 | accessdate = 2008-07-20] ended up forwarding the unsuspecting visitor to websites containing the MPack program.

Once a computer becomes infected by the trojan horse, the computer becomes known as a bot, which will then be at the command of the owner of the botnet, commonly referred to as the botnet herder.cite news | title = Spying on bot nets becoming harder | publisher = SecurityFocus| date = October 12 2006 | url = http://www.securityfocus.com/brief/328 | accessdate = 2008-07-20] The operation of the Srizbi botnet is based upon a number of servers which control the utilization of the individual bots in the botnet. These servers are redundant copies of each other, which protects the botnet from being crippled in case a system failure or legal action takes a server down. These servers are generally placed in countries such as Russia, where law enforcement against digital crime is limited.

Reactor Mailer

The server-side of the Srizbi botnet is handled by a program called "Reactor Mailer", which is a Python-based web component responsible for coordinating the spam sent out by the individual bots in the botnet. Reactor Mailer has existed since 2004, and is currently in its third release, which is also used to control the Srizbi botnet. The software allows for secure login and allows multiple accounts, which strongly suggests that access to the botnet and its spam capacity is sold to external parties (Software as a service). This is further reinforced by evidence showing that the Srizbi botnet runs multiple batches of spam at a time; blocks of IP addresses can be observed sending different types of spam at any one time. Once a user has been granted access, he or she can utilize the software to create the message they want to send, test it for its spam assassin score and after that send it to all the users in a list of e-mail addresses.

Suspicion has arisen that the writer of the Reactor Mailer program might be the same person responsible for the Srizbi trojan, as code analysis shows a code fingerprint that matches between the two programs. If this claim is indeed true, then this coder might well be responsible for the trojan behind another botnet, named Rustock. According to Symantec, the code used in the Srizbi trojan is very similar to the code found in the Rostock trojan, and could well be an improved version of the latter.cite news | last = Hayashi | first = Kaoru| title ="Spam from the Kernel: Full-Kernel Malware Installed by MPack" | publisher = Symantec | date = June 29 2007 | url = https://forums.symantec.com/syment/blog/article?message.uid=305311 | accessdate = 2008-07-20]

Srizbi trojan

The Srizbi trojan is the client side program responsible for sending the spam from infected machines. The trojan has been credited with being extremely efficient at this task, which explains why Srizbi is capable of sending such high volumes of spam without having a huge numerological advantage in the number of infected computers.

Apart from having an efficient spam engine, the trojan is also very capable in hiding itself from both the user and the system itself, including any products designed to remove the trojan from the system. The trojan itself is fully executed in kernel modus and has been noted to employ rootkit-like technologies to prevent any form of detection. By patching the NTFS file system drivers, the trojan will make its files invisible for both the operating system and any human user utilizing the system. The trojan is also capable of hiding network traffic it generates by directly attaching NDIS and TCP/IP drivers to its own process, a feature currently unique for this trojan. This procedure has been proved to allow the trojan to bypass both firewall and sniffer protection on the system.

Once the bot is in place and operational, it will contact one of the hardcoded servers from a list it carries with it. This server will then supply the bot with a zip file containing a number of files required by the bot to start its spamming business. The following files have been identified to be downloaded:

# 000_data2 - mail server domains
# 001_ncommall - list of names)
# 002_senderna - list of possible sender names
# 003_sendersu - list of possible sender surnames
# config - Main spam configuration file
# message - HTML message to spam
# mlist - Recipients mail addresses
# mxdata - MX record data

When these files have been received, the bot will first initialize a software routine which allows it to remove files critical for revealing spam and rootkit applications. After this procedure is done, the trojan will then start sending out the spam message it has received from the control server.

Incidents

The Srizbi botnet has been the basis for several incidents which have received media coverage in the regular media. Several of the most notable ones will be described below here. This is by no means a complete list of incidents, but just a list of the major ones.

The "Ron Paul" incident

In October 2007, several anti-spam firms noticed an unusual spam campaign emerging. Unlike the usual messages about counterfeit watches, stocks or penis enlargement, the mail contained promotional information about United States presidential candidate Ron Paul. The Ron Paul camp dismissed the spam as being not related to the official presidential campaign. A spokesman told the press "If it is true, it could be done by a well-intentioned yet misguided supporter or someone with bad intentions trying to embarrass the campaign. Either way, this is independent work, and we have no connection."cite news | last = Cheng | first = Jacqui| title = Researchers: Ron Paul campaign e-mails originating from spambots | publisher = ARS Technica| date = October 31 2007 | url = http://arstechnica.com/news.ars/post/20071031-ron-paul-camp-gets-over-enthusiastic-with-spam.html | accessdate = 2008-07-20]

Later, the spam was confirmed as coming from the Srizbi network.cite news | last = Paul| first = Ryan| title = Researchers track Ron Paul spam back to Reactor botnet | publisher = ARS Technica| date = December 6 2007 | url = http://arstechnica.com/news.ars/post/20071206-researchers-track-ron-paul-spam-back-to-reactor-botnet.html | accessdate = 2008-07-20] Through the capture of one of the control servers involved, investigators learned that the spam message had been sent to up to 160 million e-mail addresses by as few as 3,000 bot computers. The spammer himself has only been identified by his internet handle "nenastnyj"; his or her real identity has not been determined.

Malicious spam tripling volumes in a week

In the week from 20 June 2008 Srizbi managed to triple the amount of malicious spam send from an average 3% to 9.9%, largely due to its own effort. [cite news | last = Salek| first = Negar| title = One of the biggest threats to Internet users today: Srizbi | publisher = SC Magazine| date = June 25 2008 | url = http://www.securecomputing.net.au/News/115170,one-of-the-biggest-threats-to-internet-users-today-srizbi.aspx | accessdate = 2008-07-20] This particular spam wave was an aggressive attempt to increase the size of the Srizbi botnet by sending e-mails to users which warned them that they had been videotaped naked. [cite news | title = The Naked Truth About the Srizbi Botnet | publisher = Protect Web Form Blog| date = May 19 2008 | url = http://blog.protectwebform.com/p/45 | accessdate = 2008-07-20] Sending this message, which is a kind of spam referred to as "Stupid Theme", was an attempt to get people to click the malicious link included in the mail, before realizing that this message was most likely spam. While old, this social engineering technique has still been proved effective for the means of spammers.

The size of this operation shows that the power and monetary income from a botnet is closely based upon its spam capacity: more infected computers translate directly into greater revenue for the botnet owner. It also shows the power botnets have to increase their own size, mainly by using a part of their own strength in numbers.cite news | last = Walsh| first = Sue| title = Spam Volume Triples In A Week | publisher = All Spammed Up| date = June 27 2008 | url = http://www.allspammedup.com/2008/06/spam-volume-triples-in-a-week/ | accessdate = 2008-07-20]

See also

*Botnet
*Storm botnet
*MPack malware kit
*E-mail spam
*Internet crime
*Internet security
*

References


Wikimedia Foundation. 2010.

Игры ⚽ Нужна курсовая?

Look at other dictionaries:

  • Srizbi botnet — Botnet Srizbi Le botnet Srizbi, aussi connu sous les noms de Cbepblay et Exchanger, est réputé être le plus grand ou le deuxième plus grand botnet et est responsable de la transmission de la moitié du pourriel qui transite par l ensemble des… …   Wikipédia en Français

  • Botnet — is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing… …   Wikipedia

  • Srizbi — ist derzeit eines der größten Botnetze und einer der Hauptverantwortlichen für die globale Spamflut, die mit Hilfe vom Spam Relays verursacht wird (gemäß Marshal Limited werden 39% aller Spammails via Srizbi versendet).[1] Srizbi hat das bekannte …   Deutsch Wikipedia

  • Botnet Srizbi — Le botnet Srizbi, aussi connu sous les noms de Cbepblay et Exchanger, est réputé être le plus grand ou le deuxième plus grand botnet et est responsable de la transmission de la moitié du spam qui transite par l ensemble des botnets… …   Wikipédia en Français

  • Botnet — Un botnet est un ensemble de bots informatiques qui sont reliés entre eux. Historiquement, ce terme s est d abord confondu avec des robots IRC (bien que le terme ne se limitait pas à cet usage spécifique), qui était un type de botnet particulier… …   Wikipédia en Français

  • Botnet Storm — Demande de traduction Storm botnet → …   Wikipédia en Français

  • Botnet Mariposa — Mariposa, qui signifie papillon en espagnol, est un des plus imposant botnet mis au jour en début d année 2010. Selon les enquêteurs, 13 millions de machines zombies seraient infectées et donc contrôlées à des fins malveillantes[1]. Ce botnet se… …   Wikipédia en Français

  • Storm botnet — Botnet Storm Le Botnet Storm ou Storm worm botnet est un réseau commandé à distance de machines zombies (ou botnet ), qui ont été connectées par le Storm Worm, un cheval de Troie répandu par pourriel (communication électronique non sollicitée).… …   Wikipédia en Français

  • Botnet — Ablauf der Entstehung und Verwendung von Botnetzen: 1. Infizierung ungeschützter Computer, 2. Eingliederung in das Botnet, 3. Botnetbetreiber verkauft Dienste des Botnets, 4./5. Ausnutzung des Botsnets, etwa für den Versand von Spam Ein Botnet… …   Deutsch Wikipedia

  • Mega-D botnet — The Mega D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending between 30% and 35% of spam worldwide.[1][2][3] On October 14, 2008, the U.S Federal Trade Commission, in cooperation with Marshal Software,… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”