What is Pitou? A recently spotted spambot malware that shares many similarities with the notorious kernel-mode spambot Srizbi. After further analysis, we confirmed it is a revival of Srizbi and named this latest malware Pitou. In-depth analysis turned up several other interesting technical features, which we describe in a whitepaper.
Why is it called Pitou? The name Pitou comes from a colleague's existing detection name for it; we adopted that family name to avoid confusion. Another reason we think this spambot deserves a new name (rather than continuing with the Srizbi moniker) is that the malware code has been completely rewritten with more robust features, including a bootkit.
Where was it first discovered? We first encountered the threat on a client machine that reported a suspicious system driver file to our automated analysis systems. After some manual analysis, we found it to be malicious, with a payload that is heavily obfuscated and protected by virtual machine (VM) code: the protected logic is not stored as native x86 instructions but as bytecode that an embedded interpreter executes, so a disassembler shows only the interpreter and the real behaviour has to be recovered from the bytecode. This implied that there was something the malware was trying to hide from researchers, so naturally we decided to do an in-depth analysis.
When was it first seen? The threat was first found in April 2014 based on the dates from our sample collection systems, though it may have existed in the wild at an earlier date. The whitepaper includes more timeline information.
Who should be concerned by this threat? This threat could cause havoc or bring inconvenience to both corporate and home users. The spambot uses an infected machine to send spam, which can get the sending IP address listed on a Realtime Blackhole List (RBL, also called a DNS blocklist). Most corporate mail servers and ISPs check one or more RBLs during the Simple Mail Transfer Protocol (SMTP) exchange and reject connections from listed addresses, so a listed IP address is blocked from sending even legitimate email directly via SMTP. A regular home user, meanwhile, would be affected if they use a non-Web-based email client, for example Microsoft Outlook, and their IP address ends up listed by an RBL.
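To make the blacklisting mechanism above concrete, here is an added example (not code from the original post or from F-Secure) showing how an RBL/DNSBL lookup actually works: the IP's octets are reversed and appended to the list's DNS zone, and an A record in 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The zone name, the sample IP addresses and the fake resolver used for the offline demo are assumptions chosen for illustration; the per-code meanings are the ones Spamhaus documents for its zen zone and should be checked against the operator's documentation for any other list.

```python
import ipaddress
import socket

# Assumed zone for illustration; any DNSBL using the reversed-octet convention works the same way.
DEFAULT_DNSBL_ZONE = "zen.spamhaus.org"

# Meaning of the last octet of the answer for the assumed zone (per Spamhaus documentation).
# Other list operators use different codes: consult their documentation.
ZEN_RETURN_CODES = {
    2: "SBL (spam source)",
    3: "SBL CSS (snowshoe/compromised sender)",
    4: "XBL (exploited/infected host, e.g. a spambot)",
    5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL (end-user/dynamic range, should not send mail directly)",
    11: "PBL",
}


def dnsbl_query_name(ip: str, zone: str = DEFAULT_DNSBL_ZONE) -> str:
    """Build the name a DNSBL expects: IPv4 octets reversed, then the zone.
    e.g. 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 DNSBL lookups are handled in this example")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_response(answer: str) -> bool:
    """DNSBLs signal 'listed' with an A record inside 127.0.0.0/8."""
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def describe_zen_code(answer: str) -> str:
    """Map a zen.spamhaus.org answer to its documented meaning (generic text otherwise)."""
    last_octet = int(answer.split(".")[-1])
    return ZEN_RETURN_CODES.get(last_octet, "listed (unrecognised return code)")


def check_dnsbl(ip: str, zone: str = DEFAULT_DNSBL_ZONE, resolver=socket.gethostbyname):
    """Return (listed, answer). NXDOMAIN (socket.gaierror) means the IP is not listed.
    'resolver' is injectable so the logic can be exercised offline."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolver(name)
    except socket.gaierror:
        return False, None
    return is_listed_response(answer), answer


def fake_resolver(name: str) -> str:
    """Constructed stand-in for DNS so the demo runs offline.
    Pretends 192.0.2.10 is XBL-listed (as a spambot would be) and everything else is clean."""
    if name.startswith("10.2.0.192."):
        return "127.0.0.4"
    raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    # Swap fake_resolver for socket.gethostbyname to query the real list.
    for ip in ("192.0.2.10", "198.51.100.7"):
        listed, answer = check_dnsbl(ip, resolver=fake_resolver)
        status = describe_zen_code(answer) if listed else "not listed"
        print(f"{ip} -> {dnsbl_query_name(ip)}: {status}")
```

A mail server that consults the list during the SMTP dialogue typically rejects the connection with a `5xx` response naming the zone, which is the first symptom an administrator sees when an internal host has started spamming. Note that many DNSBL operators restrict free querying (for example by resolver or volume), so live lookups from shared or high-volume resolvers may be refused.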
What are some of Pitou's indicators of compromise (IOCs)? The threat is not particularly stealthy compared to other modern rootkits. The whitepaper lists a couple of IOCs for anyone (reasonably technically astute) who wants to quickly determine whether their machine is infected with Pitou.