
60 billion spam messages a day, over 1/2 of spam emails world-wide, are allegedly sent through the Srizbi botnet. A bot is a software robot that runs autonomously and automatically; a botnet is a network of such bots under one controller, often used for malicious purposes, and in Srizbi's case for massive spam email campaigns.

Also known as: Cbeplay and Exchange.
Origin: The earliest reports on Srizbi trojan outbreaks were around June 2007
Why is it scary?: It infects computers to send spam email on behalf of the bot owner.

Spam King
"Srizbi now sends more spam than all other botnets combined, according to new research from Marshal’s TRACE team. In comparison, Storm is producing only about 20 percent of all spam." (Dark Reading) But just how many bots are sending 60 billion spam messages a day? Surprisingly, only 300,000. "“Srizbi typically attempts to spread itself through spam campaigns, often using celebrity ‘news’ as lures,” Myers says. Marshal has counted around 300,000 bots in Srizbi; SecureWorks has Srizbi at about 310,000 bots as of last month." (Dark Reading)

Half the world's spam was stopped, for two weeks:
Two weeks ago McColo, a rogue ISP (Internet Service Provider) based in San Jose, California, was shut down. McColo served as host to a number of "command and control" centres for botnets, the infected networks of computers that send spam and engage in other malicious activities. (BBC) When this network was shut down, the world's email spam was cut in half overnight. Unfortunately, experts say that email spam is already back up to 2/3 of the level it was at two weeks ago, and give it less than a month before it returns to full volume.

Process
"Once the bot is in place and operational, it will contact one of the hardcoded servers from a list it carries with it. This server will then supply the bot with a zip file containing a number of files required by the bot to start its spamming business. The following files have been identified to be downloaded:

  1. 000_data2 - mail server domains
  2. 001_ncommall - list of names
  3. 002_senderna - list of possible sender names
  4. 003_sendersu - list of possible sender surnames
  5. config - Main spam configuration file
  6. message - HTML message to spam
  7. mlist - Recipients mail addresses
  8. mxdata - MX record data

When these files have been received, the bot will first initialize a software routine which allows it to remove files critical for revealing spam and rootkit applications. After this procedure is done, the trojan will then start sending out the spam message it has received from the control server." (Wikipedia)
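The sequence quoted above ends with the bot mailing directly to the mail exchangers listed in its mxdata file rather than relaying through a local mail server. One consequence for a defender is that an infected workstation stands out in outbound flow records: many SMTP (TCP/25) connections to many distinct external hosts in a short window, where an ordinary workstation talks to one or two relays. The example below is added here and is my own Python, not code from the page, from Wikipedia, or from any Srizbi analysis; the flow-record format, the hosts, the addresses and the thresholds are all assumptions, and the sample records are constructed.

```python
"""
Flag internal hosts whose outbound SMTP fan-out looks like a direct-to-MX spam
bot: many connections to many distinct destination mail servers inside a short
sliding window. Thresholds and record format are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse lines of the assumed form 'ISO-timestamp src dst dport'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smtp_fanout(flows, window=timedelta(minutes=5)):
    """Per source host: peak number of distinct SMTP destinations and peak
    connection count observed inside any sliding window of the given length."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport == 25:          # only outbound SMTP is of interest here
            per_src[f.src].append(f)
    result = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        dst_counts = defaultdict(int)   # destinations currently inside the window
        peak_dsts = peak_conns = 0
        left = 0
        for right, f in enumerate(fl):
            dst_counts[f.dst] += 1
            # evict flows that fell out of the window ending at f.ts
            while fl[left].ts < f.ts - window:
                old = fl[left].dst
                dst_counts[old] -= 1
                if dst_counts[old] == 0:
                    del dst_counts[old]
                left += 1
            peak_dsts = max(peak_dsts, len(dst_counts))
            peak_conns = max(peak_conns, right - left + 1)
        result[src] = (peak_dsts, peak_conns)
    return result


def find_spam_bots(flows, min_distinct_dsts=20, window=timedelta(minutes=5)):
    """Sources that reached at least min_distinct_dsts distinct MX hosts in one window."""
    stats = smtp_fanout(flows, window)
    return sorted(src for src, (dsts, _) in stats.items() if dsts >= min_distinct_dsts)


def constructed_sample():
    """Constructed flow records (not real data): one bot-like host, one normal
    workstation relaying through a corporate mail server, one small gateway."""
    base = datetime(2008, 11, 25, 10, 0, 0)
    lines = []
    for i in range(60):   # 10.0.0.5: 60 distinct MX hosts within two minutes
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 203.0.113.{i + 1} 25")
    for i in range(60):   # 10.0.0.7: one relay, once a minute, for an hour
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.0.7 192.0.2.25 25")
    for i in range(30):   # 10.0.0.9: three partner MX hosts, spread over an hour
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} 10.0.0.9 198.51.100.{(i % 3) + 1} 25")
    lines.append(f"{base.isoformat()} 10.0.0.5 203.0.113.200 443")   # unrelated HTTPS, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    for src, (dsts, conns) in sorted(smtp_fanout(flows).items()):
        print(f"{src}: peak {dsts} distinct SMTP destinations / {conns} connections in 5 min")
    print("suspected spam bots:", find_spam_bots(flows))
```

The distinct-destination count is the useful signal, not raw volume: the gateway and the workstation in the sample each make dozens of SMTP connections, but to one or three hosts, while the bot-like host reaches 60 different mail exchangers in two minutes. In a real network the same logic would run over firewall or NetFlow exports, and the window and threshold would be tuned against the site's legitimate mail servers, which should be excluded from the source set.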


Sources:
http://www.darkreading.com/security/encryption/showArticle.jhtml?articleID=211201479
http://news.bbc.co.uk/2/hi/technology/7749835.stm
http://en.wikipedia.org/wiki/Srizbi_botnet
