Spam from the Kernel: Full-Kernel Malware Installed by MPack 

Jun 29, 2007 03:00 AM

In the past few weeks, we have observed many Web sites that have been compromised to distribute browser exploits with the MPack kit. We've tracked many different MPack sources created with the intent of distributing different types of malicious code. So far we've seen the following malware samples installed while surfing sites compromised by MPack:

Trojan.Anserin - a Trojan that steals banking-related information
Trojan.Linkoptimizer.B - a dialer Trojan
Backdoor.IRC.Bot - an IRC bot
Infostealer.Ldpinch – a Trojan that steals account and password information
Trojan.Srizbi – a spam Trojan

These Trojans are already in our malware database, but one that we discovered recently, Trojan.Srizbi, is really interesting for some unique features. The Trojan.Srizbi driver (windbg48.sys) has two main functions: it hides itself using rootkit techniques and it sends spam. What makes it really unique is that it is probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user-mode payload and does everything from kernel mode, including sending spam. The rootkit code is not new: the malicious driver attaches itself to \FileSystem\Ntfs to hide files on the local disk and also patches the SDT (system service descriptor table) to hide registry keys, in the same manner older rootkits did before. The Trojan also attempts to delete %System%\Minidump log files and seems to include a special routine to uninstall competitor rootkits, such as "wincom32.sys" and "ntio256.sys".

The most interesting code is contained in the spam routine. We know that using network functionality directly from kernel mode is much more complicated, and the rootkit threats we have seen in the past - for example, Haxdoor, Rustock, and Peacomm - always carried a user-mode payload that gets injected into some Windows process. Trojan.Srizbi moves a step forward by working totally in kernel mode, without the need to inject anything into user mode. To manipulate the network connection directly from kernel mode, it attaches to the NDIS and TCP/IP drivers and resolves all the Ndis* and Zw* functions it needs, which is unique to this threat. This technique also allows the Trojan to bypass firewall and sniffer tools that hook above the NDIS layer, and to hide all its network activity.

We've seen the Trojan downloading a zip file from the srihopa.biz domain, which contains the following configuration files for spam:
000_data2 (mail server domains)
001_ncommall (list of names)
002_senderna (list of possible sender names)
003_sendersu (list of possible sender surnames)
config (main spam configuration file)
message (HTML message to spam)
mlist (recipients mail addresses)
mxdata (MX record data)


We think this sample is still in a "beta" stage and is not finished yet, but users can still find some evidence of the infection by searching for the following registry entry (which is not hidden):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi\"MachineNum"= "[SIX RANDOM DIGITS-SIX RANDOM DIGITS-TWO RANDOM DIGITS]"
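Because the driver hides its files through the Ntfs attach but leaves this service value visible, the registry is the practical place to look for it. The script below is an added example, not code from the original post or from Symantec: it parses the text of a `reg export` dump (a constructed sample is embedded, labelled as such), looks for a `MachineNum` value under the RcpApi service key, and checks the value against the six-six-two digit format described above. The `scan_live_registry` helper does the same lookup through the standard `winreg` module and is only meaningful on a Windows host; the RpcSs neighbour key in the sample is there purely to show that unrelated services are not flagged.

```python
import re
import sys

# Indicator described in the write-up: an unhidden REG_SZ value "MachineNum"
# under the RcpApi service key, formatted as six digits, six digits, two
# digits separated by hyphens.
SRIZBI_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi"
SRIZBI_VALUE = "MachineNum"
MACHINE_NUM_RE = re.compile(r"^\d{6}-\d{6}-\d{2}$")

_KEY_LINE = re.compile(r"^\[(.+)\]$")
# Matches either "name"=data or @=data (the default value).
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)+)"|(@))=(.*)$')


def _unescape(s):
    """Undo the two escapes .reg files use inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse the text of a `reg export` (.reg) file into {key: {name: data}}.

    Quoted REG_SZ data is unescaped and dword: data is decoded to int; other
    types (hex:, hex(7):, ...) are kept as raw text. Real `reg export` files
    are UTF-16LE, so read them with encoding="utf-16" before calling this.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            keys[current][name] = data
    return keys


def _hit(key, val):
    """Build a (key, value, format_matches) tuple for one MachineNum value."""
    return (key, val, bool(isinstance(val, str) and MACHINE_NUM_RE.match(val)))


def find_srizbi_indicator(reg_text):
    """Return [(key, value, format_matches)] for every RcpApi\\MachineNum found.

    A MachineNum that does not match the expected format is still reported
    (format_matches=False): the RcpApi key existing at all is suspicious.
    """
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() == SRIZBI_KEY.lower() and SRIZBI_VALUE in values:
            hits.append(_hit(key, values[SRIZBI_VALUE]))
    return hits


def scan_live_registry():
    """On Windows, query the value directly; elsewhere (or if absent) return []."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    subkey = SRIZBI_KEY.split("\\", 1)[1]
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
            val, _ = winreg.QueryValueEx(k, SRIZBI_VALUE)
    except OSError:
        return []
    return [_hit(SRIZBI_KEY, val)]


# Constructed sample export (not a real capture): the RcpApi key as the
# write-up describes it, next to a benign service key that must not match.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi]
"MachineNum"="123456-654321-12"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for key, val, ok in find_srizbi_indicator(SAMPLE_REG) + scan_live_registry():
        print(f"{key}\\{SRIZBI_VALUE} = {val!r} (format {'matches' if ok else 'differs'})")
```

To run it against a real machine image, export the hive with `reg export HKLM\SYSTEM\CurrentControlSet\Services\RcpApi srizbi.reg` (or pull the SYSTEM hive offline) and pass the decoded text to `find_srizbi_indicator`; a dump without the key simply yields an empty list.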

We suspect that the author of Trojan.Srizbi could be the same as Rustock's, because the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced.

As my colleague Elia mentioned previously, we'll undoubtedly see new versions of this malware again.
