After months of silence, yesterday we finally found some Srizbi activity in one of our customer's networks. As Alex wrote in his last post, the newly discovered Srizbi CnC is 92.62.100.97. This IP belongs to Starline Web Services, hosted in Estonia. Apart of seeing Srizbi coming live again, there were two more things which caught my attention immediately.
First, a few days back I saw a Cutwail sample connecting to the same CnC on port 2097 to download SPAM templates. The Pushdo / Srizbi connection is already known and well documented, but sharing the same server also shows a lack of resources on the part of the Bot herders.
The second thing was even more shocking. While going through all the events sequentially I found that Srizbi infected hosts also generated 'Xarvester' like CnC communication. The time difference between both of the outbound communications was just a few minutes. The first thing which came to my mind was, is Sirzbi trying to update its zombies with a new undetectable botnet? There are two facts which seem to favor this theory.
1. Researchers have already found a connection and various similarities between 'Srizbi' and 'Xarvester'.
2. Microsoft's recent release of the MSRT with the addition of Srizbi removal support.
Here are the details of these two events.
Srizbi Outbound
Time:
02/11-12:17:15.260254
Source
xx0.2x7.24x.103:48021
Destination
92.62.100.97:80
Xarvester Outbound
Time:
02/11-12:32:03.534733
Source
xx0.2x7.24x.103:4994
Destination
x4.76.21x.202:9011
In order to see the MSRT detection capabilities against the new 'Xarvester' bot I tried to clean a VM infected with 'Xarvester' with the latest MSRT. Results were as I expected - see the screen shot below.
In my next post I will further explain how I managed to get an older Srizbi sample redirecting to new CnC (92.62.100.97) in order to get updated. I'll explain the initial SPAM sent by my Srizbi sample, and how FireEye coordinated efforts with 'Compic' (the upstream service provider for Starline Web Services) last night to pull the plug for this server and stop Srizbi zombies worldwide from getting updates. I'll also talk about the huge number of zombies we found connecting to this CnC in the period of a few hours.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
