Microsoft has beefed up the Malicious Software Removal Tool (MSRT) that ships with its Windows operating system so that it will detect and root out the notorious Srizbi botnet code.
“This month’s MSRT takes on one of the largest botnets currently active worldwide,” wrote Microsoft spokesman Vincent Tiu in a blog posting Tuesday, the day the update to the software removal tool was released. “Win32/Srizbi has been accused of being responsible for a huge chunk of spam e-mail messages sent in the years after its discovery,” he added. “We hope to make a positive impact with the addition of Win32/Srizbi into MSRT.”
Because Microsoft’s detection software runs on hundreds of millions of computers worldwide, including many that are not running up-to-date antivirus software, a move like this can bring a botnet to its knees. That’s what happened in September 2007, when Microsoft added detection for the Storm Worm botnet. Within 24 hours it had removed about 91,000 Storm infections, and soon the botnet was a shadow of its former self, experts say.
However, the results may not be so dramatic this time around. Srizbi was effectively knocked out of action last November when operators of the McColo Internet service provider in San Jose, California, were kicked off the Internet.
That takedown knocked the Srizbi command-and-control servers out of operation, and only about 1 percent of the botnet is still active. There are, however, several hundred thousand Srizbi-infected PCs out there, all of which are quietly waiting for new instructions, should criminals ever discover a way to reach them now that McColo is out of commission.
Microsoft could have taken a bigger bite out of spam had it targeted another botnet called Xarvester, said Joe Stewart, a botnet researcher with security vendor SecureWorks.
Still he applauded Microsoft’s move to clean up the Srizbi-infected computers. “It’s good to get them cleaned up, but it’s not going to have the impact that it had on Storm.”