Difference between revisions of "Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot"

From Botnets.fr
m (1 revision imported)
m (Text replacement - " www.f-secure.com" to "")
 
(One intermediate revision by the same user not shown)
Line 6: Line 6:
|Type=White paper
|Type=White paper
|Video=
|Video=
|Link=http://www.f-secure.com/static/doc/labs_global/Whitepapers/pitou_whitepaper.pdf www.f-secure.com
|Link=http://www.f-secure.com/static/doc/labs_global/Whitepapers/pitou_whitepaper.pdf
|Author=,  
|Author=,  
|NomRevue=
|NomRevue=
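Review bot: the |Author=, context line carries a stray comma with no value in both the old and the new revision, which is why the rendered record below shows an empty Author field; either fill in the author(s) or clear the field to a bare |Author= so the template does not receive an empty list element.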
Line 18: Line 18:
|OffensiveTool=
|OffensiveTool=
|ExploitKit=,  
|ExploitKit=,  
|Campaign1=
|Campaign=
|Campaign2=
|Campaign2=
|Campaign3=
|Campaign3=
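Review bot: the hunk renames |Campaign1= to |Campaign= while |Campaign2= and |Campaign3= keep their numeric suffix, so the field set is now inconsistent; confirm that the template actually defines a Campaign parameter (rather than Campaign1) before accepting this, otherwise the value would be silently ignored on render.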

Latest revision as of 21:51, 5 August 2015


Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot
Botnet: Pitou, Srizbi, Turla
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2014
Editor/Conference: F-Secure
Link: http://www.f-secure.com/static/doc/labs_global/Whitepapers/pitou_whitepaper.pdf
Author:
Type: White paper

Abstract

We began monitoring the development of a mysterious malware that first emerged in early April 2014 when we noticed some intriguing features in the threat’s technical aspects. Further analysis revealed a close link to an old threat known as Srizbi, which infected machines and used them to send out spam email messages (in other words, a spambot). The new threat has the same general purpose - to infect a machine, download the necessary data from a command and control (C&C) server to create spam email messages, and then send the spam out using the machine - but the methods it uses differ notably.

Due to extensive changes in the new malware’s code that made this latest variant distinctly separate from the older Srizbi variants, we named this new threat Pitou. In this whitepaper, we outline Pitou’s distribution methods, the kernel payload delivered by its droppers, how its bootkit functions, and how it communicates with its C&C server.

Bibtex

 @misc{2014BFR1412,
   editor = {F-Secure},
   author = {},
   title = {Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot},
   date = {28},
   month = Mar,
   year = {2014},
   howpublished = {\url{http://www.f-secure.com/static/doc/labs_global/Whitepapers/pitou_whitepaper.pdf}},
 }