User:Excirial/Playground2


The Srizbi botnet, also known by the aliases Cbeplay and Exchanger, is the world's second largest botnet and is responsible for sending out more than half of all the spam sent by the major botnets combined. The botnet consists of computers infected by the Srizbi trojan, which sends spam on command.

Size
The size of the Srizbi botnet is estimated at around 315,000 compromised machines, with estimates from various sources differing by less than 5%. The botnet is reported to be capable of sending around 60 billion spam messages a day, which is more than half of the roughly 100 billion spam messages sent every day. By comparison, the highly publicized Storm botnet only managed to reach around 20 percent of the total amount of spam sent during its peak periods.

The Srizbi botnet is showing a slight decline after a recent period of aggressive growth in the amount of spam it sends out. As of 13 July 2008 the botnet is believed to be responsible for roughly 40% of all the spam on the net, a sharp decline from its share of almost 60% in May 2008.

Origins
The earliest reports of Srizbi trojan outbreaks date from around June 2007, with small differences in detection dates across antivirus vendors. However, reports indicate that the first released version had already been assembled on 31 March 2007. Ever since its creation, Srizbi has grown at an extremely rapid pace, making it the second largest botnet in number of bots (second only to Kraken) and the largest generator of spam messages less than a year into its existence, with currently no sign of decline in the number of bots involved.

Spread and Botnet Composition
The Srizbi botnet consists of computers that have been infected by the trojan horse Srizbi.Trojan. This trojan is deployed onto the victim computer through a malware kit, more specifically the MPack malware kit. Earlier editions used the "n404 web exploit kit" to spread, but this kit has been abandoned in favor of MPack.

These malware kits are distributed partly by using the botnet itself. The botnet has been known to send out spam containing links to fake videos about celebrities, which in turn pointed to the malware kit. Similar attempts have been made with other subjects such as illegal software sales and personal messages. Apart from this self-propagation, the MPack kit is also known for much more aggressive spreading tactics, most notably the compromise of about 10,000 websites in June 2007. These domains, which included a surprising number of pornographic websites, ended up forwarding unsuspecting visitors to websites hosting the MPack program.

Once a computer has been infected by the trojan horse it becomes known as a bot, which is then at the command of the owner of the botnet, commonly referred to as the botnet herder. The operation of the Srizbi botnet is based upon a number of servers which control the use of the individual bots in the botnet. These servers are redundant copies of each other, in order to protect the botnet from being crippled should a system failure or legal action take a server down. Generally these servers are placed in countries such as Russia where enforcement against digital crime is limited.

Reactor Mailer
The server side of the Srizbi botnet is handled by a program called "Reactor Mailer", a Python-based web component responsible for coordinating the spam sent out by the individual bots in the botnet. Reactor Mailer has been around since 2004 and is currently in its third release, which is the version used to control the Srizbi botnet. The software allows for secure login and supports multiple accounts, which strongly suggests that access to the botnet and its spam capacity is sold to external parties (software as a service). This is further reinforced by evidence that the Srizbi botnet runs multiple batches of spam at a time: blocks of IP addresses can be observed sending different types of spam at any one moment. Once a user has been granted access, he or she can use the software to create the message they want to send, test it for its SpamAssassin score and then send it to all the recipients in a list of e-mail addresses.

Suspicion has arisen that the author of the Reactor Mailer program might actually be the same person responsible for the Srizbi trojan, as code analysis shows a matching code fingerprint between the two programs. If this claim is true, this coder might well also be responsible for the trojan behind another botnet, named Rustock. According to Symantec the code used in the Srizbi trojan is very similar to the code found in the Rustock trojan, and could well be an improved version of the latter.

Srizbi Trojan
The Srizbi trojan is the client-side program responsible for sending the spam from infected machines. The trojan has been credited with being extremely efficient at this task, which explains why Srizbi is capable of sending such high volumes of spam without having a huge numerical advantage in the number of infected computers.

Apart from having an efficient spam engine, the trojan is also very capable at hiding itself from both the user and the system itself, including any products designed to remove the trojan from the system. The trojan runs entirely in kernel mode and has been noted to employ rootkit-like techniques to prevent any form of detection. By patching the NTFS file system drivers, the trojan makes its files invisible to both the operating system and any human user of the system. The trojan is also capable of hiding the network traffic it generates by directly attaching NDIS and TCP/IP drivers to its own process, a feature currently unique to this trojan. This technique has been shown to allow the trojan to bypass both firewall and sniffer protection on the system.

Once the bot is in place and operational, it will contact one of the hardcoded servers from a list it carries with it. This server then supplies the bot with a zip file containing a number of files the bot needs to start its spamming operation. The following files have been identified as being downloaded:

 * 000_data2 - mail server domains
 * 001_ncommall - list of names
 * 002_senderna - list of possible sender names
 * 003_sendersu - list of possible sender surnames
 * config - main spam configuration file
 * message - HTML message to spam
 * mlist - recipients' mail addresses
 * mxdata - MX record data

When these files have been received, the bot first initializes a software routine which allows it to remove files critical to rival spam and rootkit applications. After this procedure is done, the trojan starts sending out the spam message it has received from the control server.
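The behaviour described above gives a defender two network-level signals to look for: a workstation talking to the bot's control channel (the draft's scratchpad notes list encrypted traffic on port 4099) and a workstation delivering mail directly to many mail servers instead of through the site's relay. The following is an added example, not code from this draft or from any vendor report; it runs both heuristics over constructed flow records, and the log format, the use of port 4099 as a signature and the fan-out threshold are all assumptions.

```python
"""Flag spambot-like hosts in outbound flow records (added example, see lead-in)."""
from collections import defaultdict

# Constructed sample flows, one per line: "src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.7 4099 tcp
10.0.0.5 203.0.113.10 25 tcp
10.0.0.5 203.0.113.11 25 tcp
10.0.0.5 203.0.113.12 25 tcp
10.0.0.5 203.0.113.13 25 tcp
10.0.0.9 203.0.113.10 25 tcp
10.0.0.9 192.0.2.80 443 tcp
10.0.0.12 192.0.2.80 80 tcp
"""

CONTROL_PORT = 4099  # port from the draft's scratchpad notes; using it as a signature is an assumption
SMTP_FANOUT = 3      # distinct mail servers one client may contact before alerting (assumed threshold)


def parse_flows(text):
    """Yield (src, dst, port, proto) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, port, proto = parts
        yield src, dst, int(port), proto.lower()


def find_suspects(text):
    """Return {src_ip: [reasons]} for hosts matching either heuristic."""
    smtp_targets = defaultdict(set)
    control_hits = set()
    for src, dst, port, proto in parse_flows(text):
        if port == CONTROL_PORT:          # the draft notes both TCP and UDP on this port
            control_hits.add(src)
        elif proto == "tcp" and port == 25:
            smtp_targets[src].add(dst)
    suspects = defaultdict(list)
    for src in sorted(control_hits):
        suspects[src].append("connected to control port %d" % CONTROL_PORT)
    for src, dsts in smtp_targets.items():
        if len(dsts) >= SMTP_FANOUT:      # a mail relay is the only host expected to fan out like this
            suspects[src].append("direct SMTP to %d mail servers" % len(dsts))
    return dict(suspects)
```

On the constructed sample only 10.0.0.5 is flagged, on both counts; a legitimate mail relay would also trip the fan-out rule and should be whitelisted before this is run over real flow logs.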

Incidents
The Srizbi botnet has been behind several incidents that received coverage in the mainstream media. Several of the most notable ones are described below. This is by no means a complete list of incidents, just a list of the major ones.

The "Ron Paul" incident
In October 2007 several anti-spam firms noticed an unusual spam campaign emerging. Unlike the usual messages about counterfeit watches, stocks or penis enlargement, the mail contained promotional information about United States presidential candidate Ron Paul. The Ron Paul camp dismissed the spam as not being related to the official presidential campaign. A spokesman told the press: "If it is true, it could be done by a well-intentioned yet misguided supporter or someone with bad intentions trying to embarrass the campaign. Either way, this is independent work, and we have no connection."

The spam was later analyzed as coming from the Srizbi network. Through the capture of one of the control servers involved, investigators learned that the spam message had been sent to up to 160 million e-mail addresses by as few as 3,000 bot computers. The spammer himself has only been identified by his internet handle "nenastnyj", which to date has not led to revealing the identity of the person behind this spam wave.

Malicious spam tripling volumes in a week
In the week from June 20, 2008 Srizbi managed to triple the share of malicious spam sent from an average of 3% to 9.9%, largely through its own effort. This particular spam wave was an aggressive attempt to increase the size of the Srizbi botnet by sending e-mails warning users that they had been videotaped naked. This message, which belongs to the kind of spam referred to as "Stupid Theme", was an attempt to get people to click the malicious link included in the mail before realizing that the message is most likely spam. While old, this social engineering technique has still proven effective for spammers.

The size of this operation shows that the power and monetary income of a botnet depend heavily on its spam capacity, which means that more infected computers translate directly into larger revenue for the botnet owner. It also shows the power botnets have to increase their own size, mainly by using a part of their own strength in numbers.

Size
http://www.pcworld.com/businesscenter/article/145631/srizbi_botnet_sets_new_records_for_spam.html
http://www.pcworld.ca/news/article/dd7bc2880a0104080164a05dc25445fe/pg0.htm

Structure and spreading
https://forums.symantec.com/syment/blog/article?message.uid=305311
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026323
http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2
http://www.nationalcybersecurity.com/blogs/778/-Srizbi-Botnet-Is-Largely-Responsible-for-Recent-Sharp-Increase-In-Spam.html
http://news.softpedia.com/news/Meet-Srizbi-The-Largest-Botnet-Ever-82992.shtml
http://www.marshal.com/trace/traceitem.asp?article=567

Spam Message Content
http://blog.protectwebform.com/p/45
http://www.marshal.com/trace/traceitem.asp?article=568&thesection=trace
http://www.marshal.com/trace/traceitem.asp?article=595&thesection=trace

Countering
http://www.securecomputing.net.au/News/115170,one-of-the-biggest-threats-to-internet-users-today-srizbi.aspx

Events
http://www.allspammedup.com/2008/06/spam-volume-triples-in-a-week/
http://www.secureworks.com/research/threats/ronpaul/?threat=ronpaul

Scratchpad
Trojan horse is:
 * Polymorphic
 * Spread through "MPack" and the "n404 web exploit kit" ( http://www.secureworks.com/research/threats/ronpaul/?threat=ronpaul )
 * Spread is achieved by using its own network to spam links to the trojans.
 * Spread is also achieved by attacking websites and then using those to spread the package.
 * Employing rootkit-like technologies to hide itself.
 * Capable of bypassing sniffers and firewalls through driver attaching in kernel mode (Rather specialist/technical. How to explain this in understandable wording?)
 * Capable of hiding its files by patching the NTFS file system drivers
 * Fully kernel mode (spam process included)
 * Capable of removing other spam software (market competitors are removed)

Control is:
 * Based upon multiple hard coded servers
 * A component of the Reactor Mailer program (The bot does the mailing though)
 * Encrypted TCP/UDP data on port 4099

Botnet is:
 * Created around March 31, 2007 ( http://www.secureworks.com/research/threats/ronpaul/?threat=ronpaul )
 * Sold on a software as a service basis. ( Not monolithic)
 * Also known as Cbeplay or Exchanger

Files included
 * 000_data2 (mail server domains)
 * 001_ncommall (list of names)
 * 002_senderna (list of possible sender names)
 * 003_sendersu (list of possible sender surnames)
 * config (main spam configuration file)
 * message (HTML message to spam)
 * mlist (recipients mail addresses)
 * mxdata (MX record data)