The TRACE (Threat Research and Content Engineering) group at Marshal Security has reported that over 80% of spam comes from four botnets, sometimes called the "Big Four": Srizbi, Rustock, Pushdo and Mega-D. Each of them has its own distinct features. This article, however, concentrates on Srizbi, currently one of the largest botnets worldwide.
The Srizbi botnet is responsible for more than half of all the spam sent by the major botnets combined. Its size has been estimated at approximately 315,000 compromised machines, and researchers have noted that it is capable of sending around 100 billion spam messages per day.
The first reports of a real Srizbi outbreak emerged in June 2007, although various reports also revealed that the first version of the Srizbi bot had been assembled on 31 March 2007. It has been growing at an extremely rapid pace ever since, and at present there are, unfortunately, no signs of decline in the number of bots involved.
The latest spam campaign involving the Srizbi botnet sends fake greeting cards. Some of these messages contain links to a file named e-card.exe hosted on a compromised website; others contain links that lead to a Canadian Pharmacy website.
As soon as the user runs e-card.exe, it installs the rogue anti-virus program XP AntiVirus 2008 together with the Srizbi bot. From that point on the bot continuously sends thousands of spam messages in the background.
These fake e-greeting cards are just one of many malicious email campaigns sent from the Srizbi botnet. Other Srizbi spam campaigns include emails offering celebrity-themed videos, photos or mp3s for download. Spam such as the example below has been circulating for a few months now.
If users click the provided link, they are immediately taken to a fake YouTube website (see the image below). If they are tricked by the website and start downloading the video, what is actually downloaded is the file videporn920ma.exe. When run, this file installs further malicious programs.
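Both lures described above share the same shape: a message whose link leads straight to a Windows executable (e-card.exe, videporn920ma.exe), in one case on a page dressed up to look like YouTube. The following script is an added example, not code from the original article or from Marshal, showing how a mail gateway or proxy log triage step could flag such links. The sample messages and the hostnames in them (compromised-site.example, youtube.example-lookalike.test, and so on) are constructed for the example; only the two filenames come from the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the original article): the two lures
# described in the text, a pharmacy link, and a benign message.
SAMPLE_MESSAGES = [
    ("msg-1", "You have received a greeting card! Open it here: "
              "http://compromised-site.example/cards/e-card.exe"),
    ("msg-2", "Hot celebrity video, watch now: "
              "http://youtube.example-lookalike.test/watch/videporn920ma.exe"),
    ("msg-3", "Cheap meds at http://pharmacy.example/order?ref=123"),
    ("msg-4", "Minutes from Tuesday's meeting: http://intranet.example/minutes.pdf"),
]

# Filenames the article attributes to the Srizbi campaigns.
KNOWN_LURE_FILES = {"e-card.exe", "videporn920ma.exe"}
# Extensions Windows will execute directly when the user opens the download.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


def classify_url(url):
    """Return a list of findings for one URL (empty when nothing is suspicious)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename in KNOWN_LURE_FILES:
        findings.append("known-lure-filename")
    if filename.endswith(EXECUTABLE_SUFFIXES):
        findings.append("direct-executable-download")
    # A brand name inside a hostname that is not the brand's own domain is the
    # fake-YouTube pattern described in the article.
    if "youtube" in host and not host.endswith("youtube.com"):
        findings.append("brand-lookalike-host")
    return findings


def scan_messages(messages):
    """Return {message_id: {url: [findings]}} for messages with a suspicious URL."""
    report = {}
    for msg_id, body in messages:
        for url in extract_urls(body):
            findings = classify_url(url)
            if findings:
                report.setdefault(msg_id, {})[url] = findings
    return report


if __name__ == "__main__":
    for msg_id, hits in scan_messages(SAMPLE_MESSAGES).items():
        for url, findings in hits.items():
            print(f"{msg_id}: {url} -> {', '.join(findings)}")
```

On the constructed input, msg-1 and msg-2 are flagged (the second on all three checks) while the pharmacy and intranet links pass; in practice the executable-download check is the durable signal, since filenames and hosting sites change from campaign to campaign.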