Tuesday 3 July 2007

Greetings Card Trojan Spam gets Timely Subject Morph

Looking at my spamtraps this evening, I see our "fake online greetings card" chums have switched from their previous boring subject lines to new ones, commemorating U.S. Independence Day.

The new subjects include:
4th Of July Celebration
America the Beautiful
America's 231st Birthday
Americas B-Day
Celebrate Your Independence
Dump tea in the harbor
Fourth of July Party
God Bless America
Happy 4th of July
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday [sic]

Update: my chums at Symantec calculate that they blocked 5.5 million of these during just five hours on July 3.

(In case you've been living under a rock, these messages include a link that tries to infect the victim with a Trojan.)
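As an added illustration, not code from this post or from Symantec, here is a small Python checker that decodes a message's Subject header, normalizes it, flags it if it matches one of the subject lines listed above, and pulls any links out of the body so a mail admin can see what the lure points at. The sample message and its link are constructed placeholders.

```python
import email
import re
from email import policy

# Subject lines seen in the July 2007 greetings-card campaign (from the post above).
CAMPAIGN_SUBJECTS = [
    "4th Of July Celebration", "America the Beautiful", "America's 231st Birthday",
    "Americas B-Day", "Celebrate Your Independence", "Dump tea in the harbor",
    "Fourth of July Party", "God Bless America", "Happy 4th of July",
    "Happy Birthday America", "Happy Fourth of July", "Independence Day At The Park",
    "Independence Day Party", "July 4th B-B-Q Party", "July 4th Family Day",
    "July 4th Fireworks Show", "Your Nations Birthday",
]


def normalize(subject):
    """Lower-case, strip punctuation and collapse whitespace so trivial
    variants ("Americas B-Day" vs "America's BDay") still match."""
    s = re.sub(r"[^a-z0-9 ]", "", subject.lower())
    return " ".join(s.split())


KNOWN = {normalize(s) for s in CAMPAIGN_SUBJECTS}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def classify(raw_message):
    """Return (is_campaign_subject, urls) for a raw RFC 822 message.
    policy.default decodes RFC 2047 encoded words in the Subject for us."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return normalize(subject) in KNOWN, URL_RE.findall(text)


# Constructed sample, not a real captured message; the link is a placeholder.
SAMPLE = (
    "From: friend@example.com\r\n"
    "To: victim@example.net\r\n"
    "Subject: =?utf-8?q?Happy_4th_of_July?=\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "You have received a greeting card. View it at http://card.example/view\r\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))  # (True, ['http://card.example/view'])
```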

Srizbi Spam Bot is Nastier than we Thought

According to Symantec's Kaoru Hayashi, last month's Srizbi Trojan is nastier than it at first appeared. It could be a peek at things to come in the world of spam-sending bots.

Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that it's probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
...
We think this sample is still in a “beta” stage and it’s not finished yet.
The implication is that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well mean more spam gets sent before an infection can be detected and remediated.

I especially liked this bit:
[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.
Classy.