Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot
| Field | Value |
|---|---|
| Botnet | Pitou, Srizbi, Turla |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 14 Oct 2014 |
| Editor/Conference | F-Secure |
| Link | http://www.f-secure.com/static/doc/labs_global/Whitepapers/pitou_whitepaper.pdf (Archive copy) |
| Author | |
| Type | White paper |
Abstract
“We began monitoring the development of a mysterious malware that first emerged in early April 2014 when we noticed some intriguing features in the threat’s technical aspects. Further analysis revealed a close link to an old threat known as Srizbi, which infected machines and used them to send out spam email messages (in other words, a spambot). The new threat has the same general purpose - to infect a machine, download the necessary data from a command and control (C&C) server to create spam email messages, and then send the spam out using the machine - but the methods it uses differ notably.
Due to extensive changes in the new malware’s code that made this latest variant distinctly separate from the older Srizbi variants, we named this new threat Pitou. In this whitepaper, we outline Pitou’s distribution methods, the kernel payload delivered by its droppers, how its bootkit functions and how it communicates with its C&C server.”
Bibtex
```bibtex
@misc{2014BFR1412,
  editor       = {F-Secure},
  author       = {},
  title        = {Pitou, The “silent” resurrection of the PITOU notorious Srizbi kernel spambot},
  date         = {14},
  month        = Oct,
  year         = {2014},
  howpublished = {\url{http://www.f-secure.com/static/doc/labs_global/Whitepapers/pitou_whitepaper.pdf}},
}
```