Disconnecting from the Srizbi Botnet

FireEye Research has recently uncovered massive Srizbi botnet activity in the course of our investigations to help eliminate Internet threats such as Web-based malware sites and botnet command & control (C&C) servers. At FireEye, we responsibly disclose material events to botnet victims that we have uncovered in the normal course of our Internet security analysis and research. For questions or concerns, email or call 408-321-6300.

Our research into botnet activities on McColo-hosted servers helped establish an abuse case for Global Crossing and Hurricane Electric to disconnect McColo's Internet access.

Our data shows over 450,000 Srizbi-infected IP addresses that have attempted to connect to now defunct Srizbi C&C servers hosted by McColo. It is imperative to prevent Srizbi bots from re-connecting to an operational C&C server and going back underground.

The recommendations below are designed for IT professionals with the technical depth to clean Srizbi-infected computers. FireEye cannot guarantee success due to the complexity and maliciousness of the bot malware/rootkit. Furthermore, FireEye cannot be held responsible for damages resulting from these recommendations. We offer these only as advice based on our current research into this rapidly mutating and aggressive malware threat.

NOTE: Backup all user data first in case cleanup fails.

Events leading up to Srizbi bot captures

A DarkReading article, "Hosting King Of Spam And Botnets Shut Down, For Now" provides some background details.

An in-depth Washington Post article, "Host of Internet Spam Groups Is Cut Off" offers insight into the McColo shutdown.

Bot-infected computers (bots) can be remotely controlled by criminal 3rd parties and may not display obvious signs of infection. Bots transfer stolen intellectual property, user credentials, and other personal identity information to unauthorized 3rd parties. Bot computers are also used as part of email attacks containing links to Web-based malicious software, phishing scams and other illicit files.

Identifying Srizbi-infected PCs

One of the more straightforward methods of detecting a Srizbi infection is to check proxy and/or firewall logs. You can pinpoint the specific Srizbi-infected computer(s) by looking for any host that has made outbound HTTP connection requests from your network to our Srizbi monitoring IP addresses 75.127.68.122 or 64.22.92.154 since November 12, 2008.
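The following log check is an added example, not a FireEye tool. It assumes the native Squid access.log format (a proxy log is one of the two sources the advisory names) and uses only the two monitoring addresses and the November 12, 2008 date given above; the sample log lines and the `example-cc-domain.invalid` host name are constructed. It matches on the proxy's resolved peer address as well as on the URL host, so a request to one of the rotating C&C domain names that resolved to a monitoring address is still reported.

```python
"""Find internal hosts that contacted the Srizbi monitoring addresses.

Added example (not part of the advisory). Assumes native Squid access.log
lines:  epoch  elapsed  client  code/status  bytes  method  URL  ident  hier/peer  type
"""
from datetime import datetime, timezone
import re

# From the advisory: FireEye's Srizbi monitoring addresses and the date on
# or after which a connection to them indicates an infected client.
SINK_IPS = {"75.127.68.122", "64.22.92.154"}
CUTOFF = datetime(2008, 11, 12, tzinfo=timezone.utc)

SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+"
)

# Constructed sample log: two hits after the cutoff (one by raw IP, one via
# a C&C domain name that resolved to a sink IP), one contact before the
# cutoff, one unrelated request and one unparseable line.
SAMPLE_LOG = [
    "1226534400.123    345 10.0.0.15 TCP_MISS/200 512 GET http://75.127.68.122/ - DIRECT/75.127.68.122 text/html",
    "1226620800.500    210 10.0.0.23 TCP_MISS/200 301 GET http://example-cc-domain.invalid/cmd - DIRECT/64.22.92.154 text/plain",
    "1226016000.000    120 10.0.0.15 TCP_MISS/200 512 GET http://75.127.68.122/ - DIRECT/75.127.68.122 text/html",
    "1226620800.900     88 10.0.0.42 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "not a squid line",
]


def parse_squid_line(line):
    """Return (timestamp, client_ip, url_host, peer_ip) or None if the line does not parse."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    # Strip scheme, path and port to get the host part of the URL
    # (also handles CONNECT requests logged as host:port).
    host = re.sub(r"^[a-z]+://", "", m["url"]).split("/")[0].split(":")[0]
    return ts, m["client"], host, m["peer"]


def is_sink_contact(ts, host, peer):
    """True when the request reached a sink IP on or after the cutoff date.

    Checking the resolved peer address as well as the URL host catches
    requests made to one of the rotating C&C domain names.
    """
    if ts < CUTOFF:
        return False
    return host in SINK_IPS or peer in SINK_IPS


def find_suspect_clients(lines):
    """Map each internal client IP to a list of (date, requested host) sink contacts."""
    hits = {}
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue  # skip lines in other formats rather than abort the scan
        ts, client, host, peer = parsed
        if is_sink_contact(ts, host, peer):
            hits.setdefault(client, []).append((ts.date().isoformat(), host))
    return hits


if __name__ == "__main__":
    for client, contacts in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(client, contacts)
```

In practice, feed the whole access.log (for example `find_suspect_clients(open("/var/log/squid/access.log"))`) and treat every client listed as a candidate for the cleanup steps below; a firewall log would need its own parser, but the same date and destination check applies.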

How FireEye uncovered Srizbi victims

Because the McColo-hosted C&C servers are no longer responding to requests, Srizbi bots began cycling through their list of C&C domain names. FireEye's virtual victim machine analysis alerted our research team to this series of events and began cataloging the previously unknown, unregistered Srizbi C&C domain names. In our research, these Srizbi C&C domains now serve as an Internet "dead end" where the IP addresses of infected Srizbi computers are simply logged and all other packets are dropped. FireEye does not store any information from, send any commands to, or have any communication whatsoever with infected Srizbi hosts, other than to record the date of communication and the external IP addresses of Srizbi hosts, as in any standard Web server log.

Recommendations

Srizbi installs a rootkit that hides its changes to system files and registries. Therefore, cleaning it off your system is not a straightforward process. In environments where periodic system snapshots are taken, it will be easier to perform a system restore from a known clean snapshot.

For environments where clean restoration is not possible, we have compiled a list of 3rd party Web sites that provide self-serve removal steps as well as removal tools.

NOTE: Before reverting to a prior snapshot, backup all user data in case cleanup fails.

Further details forthcoming. In the meantime, we offer:

3rd party self-serve removal steps & tools

These are 3rd party steps for removing Srizbi bot malware manually. (Though FireEye cannot make any guarantees, we have reviewed the steps below and confirmed in our research lab that they remove the Srizbi variants we have studied.)

These are some tools and instructions that have been used successfully in removing Srizbi infections: