Srizbi and Rustock: Family Feud or Sibling Rivalry? Part II

FireEye recently dove into the world of spam email Botnets to further strengthen our belief that Botnets like Srizbi, Pushdo, and Rustock, although having completely different C&C architectures, are operated by the same group.

This time around, we looked at the servers that control these Botnets and at spam created by live Bots in our lab. As part of this investigation, we analyzed multiple malware samples from these Botnets in both our virtual and physical lab environments to extract the relevant C&C locations. When we compared the C&C IPs used by these three Botnets, we were surprised to see that all three were using servers in the same colocation facility, and that this facility was fairly well known (from a quick Google search) to have been used for malicious activities in the past.

These are some of the C&C IPs, arranged side by side:

[Image: table of Srizbi, Pushdo and Rustock C&C IP addresses, side by side]

We can clearly see that Srizbi, Pushdo and Rustock are using the same ISP, and in many cases IPs on the same subnet, to host their Command and Control servers. It seems extremely unlikely to our research team that three previously "rival" Botnets would share nearly consecutive IP space and be hosted in the same physical facility. Of all the data centers and IPs in the world, the fact that they are all on the same subnet is very intriguing. This leads the FireEye research team to conclude that either the Botnets are operated by the same organization, or the datacenter (McColo) is a shell corporation that leases out its IP space and bandwidth for nefarious purposes.

To further show the link amongst these C&C ranges, we have sorted some of these IPs in ascending order.

Here are the results.

[Image: the same C&C IP addresses sorted in ascending order, labelled by Botnet]

IPs at a typical datacenter are leased out in a /30 or, more commonly, a /29 block. Here, however, we can see that within a single run of consecutive IPs, the three Botnets have C&C servers dispersed throughout. This gives us the impression that the same Bot herder leased a larger range and then distributed it amongst its different Botnets.
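The grouping argument above (C&C servers of different families landing inside the same /29 or /24) is easy to reproduce over any list of IP-to-family attributions. The following script is an added example, not FireEye's tooling, and because the post shows the real addresses only in an image, it runs on constructed placeholder addresses from the RFC 5737 documentation ranges rather than the McColo addresses themselves; swap in your own (ip, family) list to check whether several families share lease-sized blocks.

```python
import ipaddress
from collections import defaultdict

# Constructed sample attribution list (documentation-range placeholders,
# NOT the addresses from the post). Each entry is (C&C IP, Botnet family).
SAMPLE_C2 = [
    ("192.0.2.10", "Srizbi"),
    ("192.0.2.11", "Rustock"),
    ("192.0.2.13", "Pushdo"),
    ("192.0.2.40", "Rustock"),
    ("192.0.2.41", "Srizbi"),
    ("192.0.2.200", "Pushdo"),
    ("198.51.100.7", "Srizbi"),
]


def sorted_listing(entries):
    """Sort (ip, family) pairs in ascending numeric IP order, as the post
    does for its second table (string sorting would misorder .200 and .40)."""
    return sorted(entries, key=lambda e: ipaddress.ip_address(e[0]))


def cluster_by_block(entries, prefix_len):
    """Group entries by the enclosing /prefix_len network.

    Returns {network_str: {family: [ip_str, ...]}}, ordered by network
    address. prefix_len=29 models the typical datacenter lease size named
    in the post; 24 shows the wider subnet picture."""
    blocks = defaultdict(lambda: defaultdict(list))
    for ip_str, family in entries:
        ip = ipaddress.ip_address(ip_str)
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        blocks[net][family].append(str(ip))
    ordered = sorted(blocks.items(), key=lambda kv: kv[0].network_address)
    return {str(net): dict(fams) for net, fams in ordered}


def shared_blocks(entries, prefix_len):
    """Networks of the given size in which more than one family hosts a C&C
    server; a non-empty result at /29 or /30 is the 'one lease, several
    Botnets' pattern the post describes."""
    return [net for net, fams in cluster_by_block(entries, prefix_len).items()
            if len(fams) > 1]


def report(entries, prefix_len):
    """Human-readable listing of each block and the families inside it."""
    lines = []
    for net, fams in cluster_by_block(entries, prefix_len).items():
        tag = "SHARED" if len(fams) > 1 else "single"
        detail = ", ".join(f"{fam}: {' '.join(ips)}" for fam, ips in fams.items())
        lines.append(f"{net:<18} {tag:<6} {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, fam in sorted_listing(SAMPLE_C2):
        print(f"{ip:<15} {fam}")
    print()
    print(report(SAMPLE_C2, 29))
    print("\nshared /29 blocks:", shared_blocks(SAMPLE_C2, 29))
    print("shared /24 blocks:", shared_blocks(SAMPLE_C2, 24))
```

On the constructed data, two /29 leases each contain more than one family while the /24 contains all three; on real attribution data the interesting question is whether the shared blocks are many and small (one operator subdividing a range) or just a single large allocation the hosting provider hands out to anyone.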

As a side note, there appears to be some confusion amongst researchers about the relationship between Trojan.Exchanger and the resulting downloaded binaries like Rustock and Srizbi, as described in an earlier posting - http://www.fireeye.com/blog/technical/botnet-activities-research/2008/08/srizbi-and-rust.html

We hope we can clear up any misunderstanding by stating that the Exchanger service itself is not capable of sending spam or doing any sort of "spreading". It is simply the method by which the next stage of binaries for spam Botnets like Rustock is downloaded. Exchanger is what facilitates the download of other secondary Botnet components.

A typical spam exploit path happens like this:

1. Rustock sends spam to fool a user into downloading a fake video plug-in

2. This fake video codec is really Trojan.Exchanger

3. Trojan.Exchanger then downloads Srizbi or other secondary malware to the now-infected system

This means that it is actually Rustock which is facilitating the spreading of Srizbi, not the Exchanger service itself. This shows that a common service is being used by different Botnets to spread what were previously thought of as "rival" Botnets. Again, it is not Exchanger which is sending the infecting spam emails, it is Rustock, Srizbi, or Pushdo.

We'd like to speculate on the intention behind keeping one generic downloader service. This common service has a C&C channel which can force the download of different secondary binaries on an "on demand" basis - very much like Storm. It is one more way for Bot herders to add to or replace the binaries currently on the system. For instance, on our lab system this allowed the Bot herder to download a rogue AV client to the zombie PC without risking corrupting the initial Bot installation.

Here are traffic snippets generated by some of the samples in our Lab.

[Image: network traffic captured from the lab samples]

Above is the network traffic generated by these malware samples:

6CF0E9C085A3A35FE06827EBA50930BD Rustock

9E1FEC071E5465D01B6C969F2326BE92 Pushdo

C6C14C466B681DBF424C7D187C101B50 Srizbi

In the past 24 hours, the theme of the spam emails has moved away from CNN and MSNBC. The new spam templates offer links to nude celebrities like Angelina Jolie.

Some of the interesting subjects are as follows:

Angelina jolie newly emerged sex tape

Angelina jolie new naked clip

Angelina jolie and Brad Pitt sex tape

Angelina jolie Lips Explode

Britney Spears will play a mutant in a new movie

Britney Spears and Lindsay Lohan comment on Paris Hilton's Childish Behavior

Britney Spears Nude & Topless Photos Bare All

Britney Spears is dating Obama

New astonishing Britney's photos. She must have gone really crasy.

We all know that this style of email was used by Pushdo or Celebrity, but now Rustock seems to have taken it over.

Embedded links inside these emails try to get the user to download and install binaries like watchit.exe, vid.exe, and mov.exe. This time, instead of presenting the user with a fake flash player, the emails give users a direct link to download these binaries.

These binaries are hosted on domains like:

hxxp://www.beagleadvice.org.uk/watchit.exe

hxxp://www.bodegasadan.com/vid.exe

hxxp://always-thinking.com/mov.exe

These types of social engineering attacks are far more sophisticated than those we have seen with Storm, the perennial powerhouse. With no end in sight, we can only urge users not to click on any link that offers "breaking news" or the promise of a nude celebrity.
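The lure described in this section has two observable features a mail gateway can key on: a celebrity or "breaking news" subject line, and a body link that points straight at an executable rather than at a page. The script below is an added illustration, not FireEye's detection logic; it parses a constructed sample message built from the subject lines and defanged (hxxp) download locations quoted in the post, extracts the links without refanging them, and flags the message on those two features. The keyword list and the executable suffix list are assumptions chosen for this example.

```python
import re
from email import message_from_string

# Keywords taken from the lure themes in the post (assumption: a real
# deployment would maintain a longer, tuned list).
SUBJECT_LURE = re.compile(r"\b(sex tape|naked|nude|topless|breaking news)\b", re.I)

# File extensions a legitimate "video clip" link should never end in
# (assumption for this example).
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")

# Matches both live http(s) links and hxxp-defanged ones so captured spam
# samples can be analysed as stored. Groups: scheme, host, optional path.
URL_RE = re.compile(r"\b(h(?:xx|tt)ps?)://([^\s/<>\"']+)(/[^\s<>\"']*)?", re.I)

# Constructed sample: a message in the style described in the post, using
# one of the quoted subjects and one of the quoted (defanged) download links.
SAMPLE_SPAM = """\
From: news@example.net
To: victim@example.org
Subject: Angelina jolie new naked clip

Watch the new clip here: hxxp://www.bodegasadan.com/vid.exe.
Nothing else to see.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: alice@example.org
To: bob@example.org
Subject: Meeting notes

Notes are here: https://example.org/notes/2008-08.pdf
"""


def message_text(msg):
    """Concatenate the decoded text/* parts of a parsed message (the
    container of a multipart message has no body of its own and is skipped)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def extract_links(text):
    """Return (url, host, path) tuples found in text, trailing punctuation
    stripped, defanged scheme left untouched."""
    links = []
    for scheme, host, path in URL_RE.findall(text):
        path = (path or "/").rstrip(".,;:!)'\"")
        links.append((f"{scheme}://{host}{path}", host.lower(), path))
    return links


def analyze_message(raw):
    """Score one raw RFC 822 message on the two features of this lure."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    links = extract_links(message_text(msg))
    exe_links = [url for url, _, path in links
                 if path.lower().endswith(EXEC_SUFFIXES)]
    lure = SUBJECT_LURE.search(subject) is not None
    return {
        "subject": subject,
        "subject_lure": lure,
        "links": [url for url, _, _ in links],
        "executable_links": exe_links,
        # Direct executable download is enough on its own; a lure subject
        # plus any link is reported too, at the cost of some false positives.
        "suspicious": bool(exe_links) or (lure and bool(links)),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_SPAM, SAMPLE_BENIGN):
        print(analyze_message(raw))
```

Keeping the defanged scheme intact means analysts can feed archived samples through the check without ever producing a clickable link; the executable-suffix test is deliberately on the URL path only, since the host names in these campaigns change far faster than the watchit.exe / vid.exe / mov.exe file names do.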

Atif Mushtaq @ FireEye Malware Intelligence Labs