Srizbi: Nuked from Orbit

Jo Johnson
May 28, 2020

It’s hard to describe the feeling when you find out you helped halve global email spam. When I wrote the code to bypass the defenses on Srizbi, I didn’t realize the impact it would have.

Several months prior, they lost their US-based C2 when McColo kicked them out. They moved to hosting in Estonia. This being 2008, FireEye was a small company that figured out the DGA (domain generation algorithm) for the new C2, but had a very limited budget to stay in front of them.

Meanwhile, at M$, we were working to figure out how to remove this thing. It was doing rootkit things, but one of our researchers found a bypass. (❤ vtiu). I coded up the bypass and we were good to go to remediate this thing.

FireEye’s budget ran out a week or so before Patch Tuesday in February. The malware authors started trying to retake control. But we had MSRT (Malicious Software Removal Tool) detection ready. The ban-hammer was dropped on them in the next Windows Update.

Here is the net result: https://projects.csail.mit.edu/spamconf/SC2009/Henry_Stern/#the-killing-blow
