Srizbi and Rustock
June 25, 2008
The Srizbi and Rustock botnets are currently two of the biggest sources of spam. Srizbi this week accounted for over 46% of the total spam that we receive, and Rustock, the third biggest source of spam, for over 12%.
Last week Rustock ran a spamming campaign designed to spread malware and used fake news headlines as the subject. Some of these subject lines included:
Britney found hanged in locker room
China earthquake claims 1 million lives
Donald Trump missing, feared kidnapped
Eiffel Tower damaged by massive earthquake
White House hit by lightening, catches fire
The messages contained a line of text and a link to the file r.html on one of several compromised web servers. The campaign lasted only about two days. These should not be confused with the current Storm worm campaign that is using news of an earthquake in Beijing as a hook.
The Srizbi botnet, as we have previously reported, is also conducting a malware spreading campaign, using free porn downloads to tempt recipients into clicking the link.
The HTML code for the link in the above message is shown below. Srizbi often uses a redirect in links to try to fool URL filters: the visible link points at a legitimate site, and only the redirect target is malicious. In this case clicking the link will cause dogpile.com to reply with an HTTP 302 response and tell the browser to go to the target site shown in the red box. The file requested in each of these links is also r.html, hosted on different compromised servers.
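To show how a filter can look past the redirector and evaluate the real landing page, here is an added example (not code from the original post or from M86) that extracts the links from an HTML message body and statically peels nested URLs out of the redirector's query string. The redirector path and parameter name, the compromised host, and the HTML snippet are all constructed for this example; the campaign's actual redirect format is not reproduced here.

```python
"""Statically unwrap redirector links so a URL filter sees the final target.

The outer host (a legitimate redirect service) looks benign; the destination
is carried in a query parameter. Added example, not the original post's code.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the "/redirect?u=" form is hypothetical, as is the host.
SAMPLE_HTML = """
<p>Watch the video now!</p>
<a href="http://www.dogpile.com/redirect?u=http%3A%2F%2Fcompromised.example.net%2Fr.html">
click here</a>
<a href="http://www.example.com/about.html">About</a>
"""

class _LinkExtractor(HTMLParser):
    """Collect every <a href=...> value in document order."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links

def unwrap_redirect(url, max_depth=5):
    """Follow URLs embedded in query parameters (no network) to the innermost one."""
    current = url
    for _ in range(max_depth):
        nested = None
        for values in parse_qs(urlparse(current).query).values():
            for value in values:
                candidate = unquote(value)  # handles doubly-encoded nesting
                if candidate.startswith(("http://", "https://")):
                    nested = candidate
                    break
            if nested:
                break
        if nested is None:
            return current
        current = nested
    return current

def analyse(html, suspicious_files=("r.html",)):
    """Map each link to its effective target; flag redirects and known file names."""
    results = []
    for href in extract_links(html):
        target = unwrap_redirect(href)
        redirected = urlparse(href).hostname != urlparse(target).hostname
        filename = urlparse(target).path.rsplit("/", 1)[-1]
        results.append({"href": href, "target": target, "redirected": redirected,
                        "flagged": redirected or filename in suspicious_files})
    return results
```

A real filter would apply its blocklist to `target` rather than to the outer host of `href`.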
What is interesting is that the links in both the Srizbi and Rustock emails end up at the PornTube page partially shown below. This page is the same on each compromised web server. The images on this page are links to the file video.exe. If JavaScript is enabled, a message box will pop up asking to install a “missing video ActiveX object”, which is also the video.exe file.

Video.exe is well detected by antivirus engines, mostly as a downloader but by some (incorrectly, it seems) as Zhelatin and Nuwar (Storm). In the last several days we have seen these downloading Rustock spam bots, even the ones that resulted from clicking a link in a Srizbi spam email.
It is not unusual for more than one botnet to promote similar websites when they are sending spam on behalf of customers selling health products or designer replicas. Spreading malware however is usually done by the botnet owners to increase the size of their botnet, not to help out rival botnet owners.
This could indicate that the Srizbi and Rustock owners are working together or both are controlled by the same group.
Two IFrames are included in the PornTube page; however, at the time we checked they did not contain anything. It is possible that they were hosting exploits in order to automatically install video.exe on the victims’ machines.
The r.html page also contains a small section of code from the web tracker statcounter.com. This lets the statcounter.com account owner view the success of this campaign in real time. Statcounter will show them information such as page loads, unique visitors, returning visitors, visitor country, IPs, browser and operating system.

The r.html page could change anytime to contain exploits or other malicious content, as could the content of the included IFrames or the programs installed by the downloader.
Last Reviewed: June 25, 2008 by Gavin Neale
© 2010 M86 Security. All Rights Reserved.