Tuesday, 3 July 2007

Srizbi Spam Bot is Nastier than we Thought

According to Symantec's Kaoru Hayashi, last month's Srizbi Trojan is nastier than it at first appeared. It could be a peek at things to come in the world of spam-sending bots.

Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that its probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
...
We think this sample is still in a “beta” stage and it’s not finished yet.
The implication being that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well cause more spam to get sent before an infection could be detected and remediated.

I especially liked this bit:
[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.
Classy.

No comments:

Post a comment