Srizbi


March 20, 2009

Aliases

  • CbePlay
  • Exchanger

Comments

Throughout most of 2008, Srizbi was the undisputed spam king. At times it was responsible for up to 50% of the spam observed by Marshal. At its height the botnet comprised at least 400,000 bots and could send 60-80 billion spam messages per day. However, the shutdown of hosting company McColo in November 2008 cut the bots off from their control servers, and Srizbi never recovered. Another bot, Xarvester, which shares common characteristics with Srizbi, appears to have picked up where Srizbi left off. The Srizbi spambot itself is extremely stealthy: it hides on the system using an advanced rootkit and operates entirely in kernel mode with its own TCP stack, so its traffic never passes through the Windows networking stack that user-mode firewalls and monitoring tools hook, making it difficult to detect and observe.

Features

  • Reports to its C&C server over HTTP on TCP port 4099
  • Performs no DNS MX lookups when spamming; instead downloads a list of target mail server IP addresses from the C&C server
  • Employs a kernel-mode rootkit
  • Operates in kernel mode with its own TCP stack

Spamming Rate 

  • 8000 messages per hour per bot

Command and Control

From the samples that we examined, Srizbi connected to the following IP addresses to reach its control server:

  • 208.72.168.xxx
  • 208.72.169.164 (McColo)

Our samples used HTTP on TCP port 4099.

The following two HTTP requests were observed, a GET and a POST; note the non-standard X-Flags, X-TM, X-BI and X-PH headers on both, and that the X-BI value is identical across the two requests:

GET /g/EEBF96-BA5C79-8800E7 HTTP/1.1
Host: 208.72.168.188
X-Flags: 0
X-TM: 731
X-BI: D9CBD9C2CBD6C3C4D9DE98
X-PH: 0

POST /m/B7F2CA-BCD8F3-0C00FF HTTP/1.1
Content-Length: 13819
X-Flags: 0
X-TM: 30
X-BI: D9CBD9C2CBD6C3C4D9DE98
X-PH: 0
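As an added example (not part of the original Marshal profile), the following Python script turns the request shape above into detection logic: it parses raw HTTP requests, checks the destination port, the /g/ and /m/ path format with three groups of six hex digits, and the four X-* headers, and reports the X-BI value as a per-bot pivot key because it is the same in both requests on this page (the profile does not say what it encodes). The two Srizbi requests are copied from the page; the benign request and the port values passed to classify() are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the Srizbi profile: HTTP to the control server on TCP/4099,
# request paths of the form /g/<6 hex>-<6 hex>-<6 hex> (GET) or /m/... (POST), and
# the non-standard X-Flags, X-TM, X-BI and X-PH headers present on every request.
SRIZBI_PORT = 4099
SRIZBI_PATH = re.compile(r"^/(g|m)/[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}$")
SRIZBI_HEADERS = frozenset({"x-flags", "x-tm", "x-bi", "x-ph"})
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")


def parse_request(raw: str) -> Optional[Dict[str, object]]:
    """Split one raw HTTP request into method, path and a lower-cased header dict.

    Returns None when the first line is not an HTTP request line, so callers can
    feed arbitrary TCP payloads through without special-casing non-HTTP data.
    """
    lines = raw.strip().splitlines()
    if not lines:
        return None
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():          # blank line terminates the header block
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers}


def classify(raw: str, dst_port: int) -> Dict[str, object]:
    """Score one request against the Srizbi beacon indicators.

    The verdict requires the path shape AND the complete X-* header set; the port
    is only reported as supporting evidence, because a bot pointed at a different
    control server could plausibly use another port while keeping the same protocol.
    """
    hits: List[str] = []
    req = parse_request(raw)
    if req is None:
        return {"srizbi": False, "hits": hits, "bot_id": None}
    headers = req["headers"]
    path_ok = bool(SRIZBI_PATH.match(req["path"]))
    present = SRIZBI_HEADERS & set(headers)
    if dst_port == SRIZBI_PORT:
        hits.append("destination port 4099")
    if path_ok:
        hits.append("%s %s" % (req["method"], req["path"]))
    if present:
        hits.append("headers: " + ", ".join(sorted(present)))
    verdict = path_ok and present == SRIZBI_HEADERS
    # X-BI is identical in the GET and POST on the page, so it is surfaced as a
    # pivot key for grouping traffic from one infected host (its meaning is not documented).
    return {"srizbi": verdict, "hits": hits, "bot_id": headers.get("x-bi")}


# The first two requests are copied from the profile; the third is a constructed
# benign request used to show the negative case.
GET_SAMPLE = (
    "GET /g/EEBF96-BA5C79-8800E7 HTTP/1.1\n"
    "Host: 208.72.168.188\n"
    "X-Flags: 0\nX-TM: 731\nX-BI: D9CBD9C2CBD6C3C4D9DE98\nX-PH: 0\n"
)
POST_SAMPLE = (
    "POST /m/B7F2CA-BCD8F3-0C00FF HTTP/1.1\n"
    "Content-Length: 13819\n"
    "X-Flags: 0\nX-TM: 30\nX-BI: D9CBD9C2CBD6C3C4D9DE98\nX-PH: 0\n"
)
BENIGN_SAMPLE = (
    "GET /index.html HTTP/1.1\n"
    "Host: www.example.com\n"
    "User-Agent: Mozilla/5.0\n"
)

if __name__ == "__main__":
    for label, raw, port in (("get", GET_SAMPLE, 4099),
                             ("post", POST_SAMPLE, 4099),
                             ("benign", BENIGN_SAMPLE, 80)):
        print(label, classify(raw, port))
```

Because Srizbi bypasses the host's own TCP stack, this check belongs on a network sensor or proxy log, not on the infected machine: host-based tools that hook the Windows stack will simply never see these requests.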

Malware Behavior on Host

Srizbi drops several kernel-mode rootkit drivers, which implement functionality such as downloading other malicious files, bypassing firewalls and antivirus scanners, hiding the infection from users, and the spamming routines themselves.

  • %SystemRoot%\System32\bot.sys
  • %SystemRoot%\System32\windbg48.sys
  • %SystemRoot%\System32\symavc32.sys
  • %SystemRoot%\System32\grande48.sys

Some samples may drop files with random names in the following format:

  • %SystemRoot%\System32\<3-6 random letters><2 random digits>.sys

(where %SystemRoot% is the Windows directory, by default C:\Windows)

A batch file is created to delete the original executable after the rootkit driver has been dropped, so the dropper itself is not left on disk for analysis:

  • %temp%\_it.bat - batch file created by the malware to delete the original dropper
  • %temp%\_uninsep.bat - batch file created by the malware to delete the original dropper

(where %temp% is the user's temporary directory, by default C:\Documents and Settings\<UserName>\Local Settings\Temp)

Srizbi also adds the following registry key so that the driver is loaded as a service each time Windows boots:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<malware name>
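The host indicators above can be checked mechanically. The following Python triage script is an added example, not part of the original profile: it takes a directory listing of System32, a listing of %temp%, and a mapping of service names to their ImagePath values (for example exported from the Services key above), flags the four known driver names and the <3-6 letters><2 digits>.sys pattern, flags the two self-deletion batch files, and ties flagged drivers back to the service entries that load them. The sample listings and service entries are constructed for the demonstration; the file and key names come from the page.

```python
import re
from typing import Dict, Iterable, List, Mapping

# Host artifacts listed in the Srizbi profile. The random-name pattern is
# <3-6 letters><2 digits>.sys; the persistence key is
# HKLM\SYSTEM\CurrentControlSet\Services\<malware name>.
KNOWN_DRIVERS = frozenset({"bot.sys", "windbg48.sys", "symavc32.sys", "grande48.sys"})
RANDOM_DRIVER = re.compile(r"^[A-Za-z]{3,6}[0-9]{2}\.sys$", re.IGNORECASE)
KNOWN_BATCH = frozenset({"_it.bat", "_uninsep.bat"})


def flag_system32(names: Iterable[str]) -> Dict[str, List[str]]:
    """Return System32 entries matching a known Srizbi driver name or the random-name pattern."""
    known: List[str] = []
    pattern: List[str] = []
    for n in names:
        if n.lower() in KNOWN_DRIVERS:
            known.append(n)
        elif RANDOM_DRIVER.match(n):
            pattern.append(n)
    return {"known": known, "pattern": pattern}


def flag_temp(names: Iterable[str]) -> List[str]:
    """Return %temp% entries matching the self-deletion batch files."""
    return [n for n in names if n.lower() in KNOWN_BATCH]


def flag_services(services: Mapping[str, str], flagged_drivers: Iterable[str]) -> List[str]:
    """Return service names whose ImagePath points at one of the flagged driver files."""
    targets = {d.lower() for d in flagged_drivers}
    hits: List[str] = []
    for svc, image_path in services.items():
        # ImagePath may be written with \SystemRoot\, %SystemRoot% or a bare
        # system32\ prefix; only the file name matters for this comparison.
        base = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in targets:
            hits.append(svc)
    return hits


def triage(system32: Iterable[str], temp: Iterable[str],
           services: Mapping[str, str]) -> Dict[str, object]:
    """Combine the three checks; a known driver name, or any flagged driver that is
    also registered as a service, is treated as a positive. A pattern-only match
    without a service key is reported but not counted, since the regex is loose."""
    drivers = flag_system32(system32)
    svc = flag_services(services, drivers["known"] + drivers["pattern"])
    return {
        "drivers": drivers,
        "batch": flag_temp(temp),
        "services": svc,
        "suspect": bool(drivers["known"] or svc),
    }


# Constructed sample input: a handful of legitimate names plus one known driver,
# one random-pattern driver, one batch file and a service entry loading the latter.
SYSTEM32_LISTING = ["ntoskrnl.exe", "tcpip.sys", "ndis.sys", "win32k.sys",
                    "acpi.sys", "bot.sys", "qwert12.sys"]
TEMP_LISTING = ["~DF1234.tmp", "_it.bat"]
SERVICES = {
    "Tcpip": r"system32\DRIVERS\tcpip.sys",
    "Netman": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "qwert12": r"\SystemRoot\System32\qwert12.sys",
}

if __name__ == "__main__":
    print(triage(SYSTEM32_LISTING, TEMP_LISTING, SERVICES))
```

Two caveats. First, the rootkit hides its files and service entry from user mode on the live system, so the listings fed to this script should come from an offline source (a mounted disk image, or the machine booted from clean media) rather than from a directory listing or registry export taken while the infection is running. Second, the random-name regex is deliberately loose and a legitimate driver can match it, so a pattern-only hit is a lead to corroborate against the service key and the driver's signature, not a verdict.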



Last Reviewed: April 20, 2009