Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot
Botnet Pitou, Srizbi, Turla
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2014 /
Editor/Conference F-Secure
Link http://www.f-secure.com/static/doc/labs global/Whitepapers/pitou whitepaper.pdf (Archive copy)
Type White paper


We began monitoring the development of a mysterious malware that first emerged in early April 2014 when we noticed some intriguing features in the threat’s technical aspects. Further analysis revealed a close link to an old threat known as Srizbi, which infected machines and used them to send out spam email messages (in other words, a spambot). The new threat has the same general purpose - to infect a machine, download the necessary data from a command and control (C&C) server to create spam email messages, and then send the spam out using the machine - but the methods it uses differ notably.

Due to extensive changes in the new malware’s code that made this latest distinctly separate from the older Srizbi variants, we named this new threat Pitou. In this whitepaper, we outline Pitou’s distribution methods, the kernel payload delivered by its droppers, how its bootkit functions and how it communicates with its C&C server.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2014BFR1412,
   editor = {F-Secure},
   author = {},
   title = {Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot},
   date = {30},
   month = May,
   year = {2014},
   howpublished = {\url{http://www.f-secure.com/static/doc/labs_global/Whitepapers/pitou_whitepaper.pdf}},