One of the largest botnets active

Feb 12, 2009 14:55 GMT

With the February release of security patches, Microsoft is attempting to kill what it refers to as one of the largest botnets currently active worldwide: zombie machines infected with Win32/Srizbi. According to Vincent Tiu, SDE II at Microsoft, the Srizbi family of malicious code contains not only trojan droppers but also rootkits, which work in tandem to compromise vulnerable machines and make them part of botnets used primarily to send spam. As of February 10, 2009, the Microsoft Windows Malicious Software Removal Tool is capable of detecting and cleaning computers compromised by the Srizbi family of malware.

“Much like its alleged close cousin Win32/Rustock (which is removed by the MSRT since Oct 2008), the Srizbi family of malware was developed mainly for the purpose of spam-for-hire operations. The Srizbi malware authors offer the botnet as an efficient method of sending spam e-mails for any organization who would stoop low enough to utilize this mechanism for advertising their intent,” Tiu stated.

The latest release of the Windows Malicious Software Removal Tool is able to tackle both TrojanDropper:Win32/Srizbi and Spammer:WinNT/Srizbi, a kernel-mode rootkit component. To camouflage its presence and prevent disinfection by security solutions, Spammer:WinNT/Srizbi hooks low-level operating system APIs, protecting its files and registry entries from removal. At the same time, the malware is capable of bypassing firewalls by hooking the TCP/IP driver, so its traffic never passes through the host firewall's filtering.

“Upon activation of the rootkit, the infected computer then effectively becomes part of the Srizbi botnet as one of its bots. As a Srizbi bot, the main objective is to receive information regarding its spamming duties and perform the e-mailing task assigned to it. It accomplishes this by connecting to a hardcoded list of servers containing information such as: spam e-mail message; list of e-mail addresses; list of fake sender names; list of mail servers to use. Historically, Win32/Srizbi has been accused of being responsible for a huge chunk of spam e-mail messages sent in the years after its discovery,” Tiu said.

Microsoft Windows Malicious Software Removal Tool is available for download here.