Srizbi botnet
The Srizbi botnet, also known by its aliases Cbeplay and Exchanger, is the world's largest or second-largest botnet depending on expert reports, and is responsible for sending out more than half of all the spam sent by all the major botnets combined. The botnet consists of computers infected by the Srizbi trojan, which sends spam on command. The botnet suffered a significant setback in November 2008 when hosting provider McColo was taken down; global spam volumes fell by up to 75% as a result.

Size

The size of the Srizbi botnet is estimated at around 450,000 compromised machines, with estimates from various sources differing by less than 5%. The botnet is reported to be capable of sending around 60 billion spam messages a day, more than half of the approximately 100 billion spam messages sent every day. By comparison, the highly publicized Storm botnet only reached around 20% of total spam during its peak periods.

The Srizbi botnet is showing a relative decline after a recent period of aggressive growth in the amount of spam it sends. As of 13 July 2008, the botnet is believed to be responsible for roughly 40% of all spam on the net, a sharp decline from its almost 60% share in May 2008.

Origins

The earliest reports of Srizbi trojan outbreaks date from around June 2007, with small differences in detection dates across antivirus vendors. However, reports indicate that the first released version had already been assembled on 31 March 2007. There is currently no sign of decline in the number of bots in the botnet.

Some experts consider the Srizbi botnet the second-largest botnet on the Internet. However, there is controversy surrounding the size of the Kraken botnet; it may be that Srizbi is the largest botnet today.

Spread and botnet composition

The Srizbi botnet consists of computers infected by the Srizbi trojan horse. The trojan is deployed onto victim computers through the MPack malware kit. Earlier editions used the "n404 web exploit kit" to spread, but that kit has been abandoned in favour of MPack.

The distribution of these malware kits is partially achieved by using the botnet itself. The botnet has been known to send out spam containing links to fake videos about celebrities, which in turn link to the malware kit. Similar attempts have been made with other subjects, such as illegal software sales and personal messages. Apart from this self-propagation, the MPack kit is also known for much more aggressive spreading tactics, most notably the compromise of about 10,000 websites in June 2007. These domains, which included a surprising number of pornographic websites, redirected unsuspecting visitors to sites hosting the MPack kit.

Once a computer is infected by the trojan horse, it becomes known as a bot and is at the command of the botnet's controller, commonly referred to as the botnet herder. The operation of the Srizbi botnet is based on a number of servers which control the utilization of the individual bots. These servers are redundant copies of each other, which protects the botnet from being crippled when a system failure or legal action takes one server down. The servers are generally placed in countries such as Russia, where law enforcement against digital crime is limited.

Reactor Mailer

The server side of the Srizbi botnet is handled by a program called "Reactor Mailer", a Python-based web component responsible for coordinating the spam sent out by the individual bots. Reactor Mailer has existed since 2004 and is currently in its third release, which is the one used to control the Srizbi botnet. The software supports secure login and multiple accounts, which strongly suggests that access to the botnet and its spam capacity is sold to external parties (software as a service). This is further supported by evidence that the Srizbi botnet runs multiple batches of spam at a time: different blocks of IP addresses can be observed sending different types of spam at any one moment. Once granted access, a user can use the software to compose the message they want to send, test it for its SpamAssassin score and then send it to every address in a list.

Suspicion has arisen that the author of Reactor Mailer may be the same person responsible for the Srizbi trojan, as code analysis shows a matching code fingerprint between the two programs. If so, this coder may well also be responsible for the trojan behind another botnet, Rustock. According to Symantec, the code used in the Srizbi trojan is very similar to that found in the Rustock trojan, and could well be an improved version of it.

Srizbi trojan

The Srizbi trojan is the client-side program responsible for sending spam from infected machines. The trojan has been credited with being extremely efficient at this task, which explains why Srizbi can send such high volumes of spam without a large numerical advantage in infected computers.

Apart from an efficient spam engine, the trojan is also very capable at hiding itself from both the user and the system, including any products designed to remove it. The trojan runs entirely in kernel mode and has been noted to employ rootkit techniques to evade detection. By patching the NTFS file system drivers, the trojan makes its files invisible to both the operating system and any human user. The trojan can also hide the network traffic it generates by attaching directly to the NDIS and TCP/IP drivers, a feature currently unique to this trojan. This has been shown to let the trojan bypass both the firewall and any sniffer running on the infected host. The practical consequence is that nothing running on an infected machine can be trusted to report its own SMTP activity; anything upstream of the host, such as the border router or firewall, still sees every connection it makes.

Once the bot is in place and operational, it contacts one of the hardcoded servers from a list it carries with it. This server then supplies the bot with a zip file containing the files the bot needs to start spamming. The following files have been identified as being downloaded:
  1. 000_data2 - mail server domains
  2. 001_ncommall - list of names
  3. 002_senderna - list of possible sender names
  4. 003_sendersu - list of possible sender surnames
  5. config - Main spam configuration file
  6. message - HTML message to spam
  7. mlist - Recipients mail addresses
  8. mxdata - MX record data


When these files have been received, the bot first runs a routine that removes files critical to the applications that would reveal its spamming or rootkit activity. After this, the trojan starts sending out the spam message it received from the control server.
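A responder who captures the zip described above wants an inventory of it before anything else. The following is an added example, not code from the article, from the botnet or from Reactor Mailer: it opens a captured bundle without executing anything in it, reports which of the eight expected files are present or missing, measures the pools, hashes the message and pulls its URLs, and computes how many forged sender addresses the name, surname and domain pools can produce. The eight file names are the ones listed above; the one-entry-per-line layout and the sample contents are assumptions constructed for the example.

```python
"""Triage of a captured bot configuration bundle.

Added example; not code from the article, from the botnet, or from Reactor
Mailer. An incident responder who captures the zip a bot fetches from its
control server wants an inventory of it first: which of the expected files
are there, how large the pools are, what the message points at, and how many
forged sender addresses the name/surname/domain pools can produce. The eight
file names are those listed in the article; the one-entry-per-line layout and
the sample contents below are assumptions constructed for the example.
"""
import hashlib
import io
import re
import zipfile
from typing import Dict, List

# File names the article lists, with the role it gives each one.
EXPECTED: Dict[str, str] = {
    "000_data2": "mail server domains",
    "001_ncommall": "list of names",
    "002_senderna": "list of possible sender names",
    "003_sendersu": "list of possible sender surnames",
    "config": "main spam configuration file",
    "message": "HTML message to spam",
    "mlist": "recipient mail addresses",
    "mxdata": "MX record data",
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a captured bundle. Contents are invented; the
    mxdata file is left out on purpose to exercise the missing-file report."""
    files = {
        "000_data2": "example.net\nexample.org\n",
        "001_ncommall": "alice\nbob\n",
        "002_senderna": "John\nMary\n",
        "003_sendersu": "Smith\nJones\n",
        "config": "threads=50\nretry=3\n",
        "message": "<html><body><a href='http://example.invalid/video'>watch</a></body></html>",
        "mlist": "a@example.com\nb@example.com\nc@example.com\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def _lines(data: bytes) -> List[str]:
    """Non-empty, stripped lines; decoded leniently because the bundle is untrusted."""
    return [ln.strip() for ln in data.decode("utf-8", "replace").splitlines() if ln.strip()]


def triage_bundle(blob: bytes) -> Dict[str, object]:
    """Inventory a captured bundle without executing anything in it."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    names = set(zf.namelist())
    report: Dict[str, object] = {
        "present": sorted(names & set(EXPECTED)),
        "missing": sorted(set(EXPECTED) - names),
        "unexpected": sorted(names - set(EXPECTED)),
    }
    pools = {n: len(_lines(zf.read(n)))
             for n in names & set(EXPECTED) if n not in ("config", "message")}
    report["pool_sizes"] = pools
    # Every combination of sender name, surname and domain is a plausible forged
    # From: address, which is why blocking on sender identity does not scale.
    report["forged_sender_space"] = (
        pools.get("002_senderna", 0) * pools.get("003_sendersu", 0) * pools.get("000_data2", 0)
    )
    if "message" in names:
        msg = zf.read("message")
        report["message_sha256"] = hashlib.sha256(msg).hexdigest()
        report["message_urls"] = URL_RE.findall(msg.decode("utf-8", "replace"))
    if "config" in names:
        report["config"] = dict(ln.split("=", 1) for ln in _lines(zf.read("config")) if "=" in ln)
    return report


if __name__ == "__main__":
    for key, value in triage_bundle(build_sample_bundle()).items():
        print(f"{key}: {value}")
```

The URLs and the message hash are the immediately shareable indicators; the recipient count from mlist tells the responder how much of the campaign this one bot was assigned, and the forged-sender figure explains why the useful filtering signal is the message body and its links rather than the From: header.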

Incidents

The Srizbi botnet has been behind several incidents that received media coverage. The most notable are described below; this is not a complete list, only the major ones.

The "Ron Paul" incident

In October 2007, several anti-spam firms noticed an unusual spam campaign. Unlike the usual messages about counterfeit watches, stocks or penis enlargement, the mail contained promotional material for United States presidential candidate Ron Paul. The Ron Paul camp dismissed the spam as unrelated to the official campaign. A spokesman told the press: "If it is true, it could be done by a well-intentioned yet misguided supporter or someone with bad intentions trying to embarrass the campaign. Either way, this is independent work, and we have no connection."

The spam was ultimately confirmed to have come from the Srizbi network. Through the capture of one of the control servers involved, investigators learned that the message had been sent to up to 160 million e-mail addresses by as few as 3,000 bots. The spammer has been identified only by the Internet handle "nenastnyj" (Ненастный, Russian for "rainy" or "foul", as in "rainy day" or "foul weather"); his or her real identity has not been determined.

Malicious spam tripling volumes in a week

In the week from 20 June 2008, Srizbi tripled the share of malicious spam, from an average of 3% to 9.9%, largely through its own effort. This spam wave was an aggressive attempt to grow the Srizbi botnet by sending e-mails warning recipients that they had been videotaped naked. The message, of a kind referred to as "Stupid Theme" spam, was meant to get people to click the malicious link in the mail before realising it was most likely spam. While old, this social engineering technique remains a proven infection method for spammers.

The size of this operation shows that the power and income of a botnet depend closely on its spam capacity: more infected computers translate directly into greater revenue for the controller. It also shows the ability of botnets to grow themselves, by spending part of their existing capacity on recruiting new bots.

Server relocation

In late November 2008, after the removal of the control servers hosted by McColo, control of the botnet was transferred to servers hosted in Estonia. This was accomplished through a mechanism in the trojan that queried an algorithmically generated set of domain names, one of which had been registered by the individuals controlling the botnet. The United States computer security firm FireEye, Inc. kept the botnet out of the controllers' hands for two weeks by preemptively registering the generated domain names, but was not in a position to sustain the effort. Spamming activity was nevertheless greatly reduced after this transfer of control.
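The mechanics of that defence, as an added example not taken from the article or from the botnet: the generator below is a hypothetical date-seeded domain generation algorithm written for this illustration, since the article does not describe Srizbi's actual algorithm and nothing here reproduces it. Given a generator recovered from a sample, the defender enumerates the candidates for each coming day and registers or sinkholes them before the operator does; the bot-side function shows that whoever holds the first resolvable name gets the bot's traffic, and the registration count shows why the effort grows with every day it has to be kept up. Seed, TLD list and candidates per day are assumptions.

```python
"""Denying a bot its algorithmically generated rendezvous domains.

Added example. The article says the trojan queried an algorithmically
generated set of domain names and that FireEye briefly kept the botnet from
its controllers by registering those names first; it does not describe the
algorithm, and the date-seeded generator below is a hypothetical one written
for this example, not Srizbi's. What the example shows is the mechanics of
that defence: recover the generator from the sample, enumerate the candidates
for each coming day, register or sinkhole them before the operator does, and
watch the registration count grow with every day you have to keep it up.
Seed, TLD list and candidates per day are assumptions.
"""
import hashlib
from datetime import date, timedelta
from typing import Callable, List, Optional, Set

SEED = b"example-family-seed"          # assumed per-family constant
TLDS = ("com", "net", "info")          # assumed TLD rotation
PER_DAY = 4                            # assumed candidates per day
EXAMPLE_DAY = date(2008, 11, 25)       # the month the article's relocation happened


def dga(day: date, count: int = PER_DAY) -> List[str]:
    """Hypothetical DGA: hash the calendar date with the family seed and an
    index, map the first bytes to letters, pick a TLD from another byte."""
    names = []
    for i in range(count):
        h = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])
        names.append(f"{label}.{TLDS[h[10] % len(TLDS)]}")
    return names


def bot_rendezvous(day: date, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Bot side: try the day's candidates in order and talk to the first one
    that resolves. Whoever registers that name first owns the bot's traffic."""
    for domain in dga(day):
        addr = resolve(domain)
        if addr:
            return addr
    return None


def candidates(start: date, days: int) -> Set[str]:
    """Every domain the bot could try between `start` and `start + days`."""
    return {d for n in range(days) for d in dga(start + timedelta(days=n))}


def registrations_needed(start: date, days: int, already_held: Set[str]) -> List[str]:
    """Defender side: names still to register (or sinkhole) to cover the period."""
    return sorted(candidates(start, days) - already_held)


if __name__ == "__main__":
    todo = registrations_needed(EXAMPLE_DAY, 14, set())
    print(f"{len(todo)} registrations to cover two weeks, e.g. {todo[:3]}")
    # Constructed resolver: the defender holds the day's first candidate.
    sinkhole = {dga(EXAMPLE_DAY)[0]: "198.51.100.1"}
    print("bot goes to", bot_rendezvous(EXAMPLE_DAY, sinkhole.get))
```

Two things the code makes concrete. Ordering matters: if the bot walks its list in a fixed order, the defender only needs the first resolvable name each day, but the operator can reclaim control by registering an earlier one, so the contest is per-day and per-position. And cost compounds: a generator producing a few names a day across several TLDs is dozens of registrations a week for as long as the botnet lives, which is the sustainability problem the article describes.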

See also

  • Botnet
  • Storm botnet
  • MPack malware kit
  • E-mail spam
  • Internet crime
  • Internet security
  • Operation: Bot Roast
  • Shadowserver
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.