Archive for September 2010

Pushdo/Cutwail Botnet is warming up to bounce back – V (Sasfis)

Basically, we don’t work at weekends, but the Pushdo/Cutwail/Webwail gang does.

After adding 4 new Cutwail servers, today they spread their old friend Sasfis again. The last time was 1st Sep 2010.

Pushdo/Cutwail Botnet is warming up to bounce back – III (Sasfis, Asprox, Cutwail, FakeAV, Hiloti)

The following is a screenshot of the Cutwail spam template raw data.

This time, you can see that they still tried to use the old UPS template. And, of course, there is an attachment.

The inner file, Invoice_Document.exe, is Sasfis, and it still uses the same old domain name as last time.

The interesting thing is that (as of writing) the server doesn’t respond with anything. But I believe it could spread the same malicious binary as last time. You can check my Sasfis tracker.

-Kyle

Webwail Botnet and MSN

Today, I made a BIG video of the process by which Webwail registers new MSN accounts for its spam purposes.

The above is only one function of the Webwail botnet; its main purpose is sending spam from those pre-registered MSN accounts. I’ll make another video on that.

Webwail MSN Registration Routine:

1. Retrieve pre-defined MSN user info from the C&C server

2. Fill in the registration form

3. Switch to the audio CAPTCHA

4. Send the CAPTCHA to the resolving server

5. Fill in the CAPTCHA

6. Log in to the newly registered MSN account to verify it

7. Wait for the next user info.

From my Pushdo/Cutwail/Webwail Botnet Tracker DB (I can’t give precise numbers, simply because they increase every day):

1.  8K+ MSN accounts are used to send spam.

2.  20K+ pre-defined MSN user information records which will be used to register MSN accounts.

3.  200+ spam templates

I’ll give a presentation about the Webwail botnet at the VB2010 conference:

The Webwail botnet: a reputation-based filter killer – http://www.virusbtn.com/conference/vb2010/abstracts/Yang.xml

-Kyle Yang

Pushdo/Cutwail Botnet is warming up to bounce back – IV

The Pushdo/Cutwail gang has added another 4 new Cutwail C&C servers today (so far).

Now they have 20 Cutwail C&C servers alive.

-Kyle Yang

Pushdo/Cutwail Botnet is warming up to bounce back – III (Sasfis, Asprox, Cutwail, FakeAV, Hiloti)

In my previous 2 blog posts (I and II), the Pushdo/Cutwail gang had already added 10 Cutwail servers. You might be interested in what spam they are sending now.

The following (from my Pushdo/Cutwail Botnet Tracker) is the spam template which the Cutwail bot retrieved from the new Cutwail C&C servers.

You may be all too familiar with “DHL” spam. Of course, the template contains a zipped malicious file.

The inner file (Postal_Label_NR4147c.exe) is Sasfis. Yet again, Cutwail is spreading Sasfis.
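Both the UPS template above (Invoice_Document.exe) and this DHL template carry the same structure: a parcel-themed lure with a zip attachment wrapping an executable. The following mail-gateway check is an added example and not code from this blog or its tracker; it parses a constructed message modelled on the DHL template, looks inside the zip for executable members and pairs that with the lure keywords in the subject to produce a verdict. The keyword list and filenames are assumptions for illustration.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Parcel/invoice lure words seen in the UPS and DHL Cutwail templates (assumed list).
LURE_WORDS = re.compile(r"\b(ups|dhl|parcel|postal|invoice|tracking|label)\b", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def zip_executables(data: bytes) -> list:
    """Return the names of executable members inside a zip blob ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def classify(raw: bytes) -> dict:
    """Flag a raw RFC 822 message that pairs a parcel lure with a zipped executable."""
    msg = email.message_from_bytes(raw)
    subject = msg.get("Subject", "")
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith(".zip"):
            hits.extend(f"{fname}:{m}" for m in zip_executables(payload))
        elif fname.endswith(EXEC_EXT):
            hits.append(fname)  # bare executable attachment, no zip wrapper
    lure = bool(LURE_WORDS.search(subject))
    verdict = "quarantine" if hits and lure else ("review" if hits else "ok")
    return {"subject": subject, "executables": hits, "lure": lure, "verdict": verdict}

def build_sample() -> bytes:
    """Constructed sample modelled on the DHL template; the .exe body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postal_Label_NR4147c.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "DHL Delivery notification"
    msg["From"] = "noreply@example.invalid"
    msg.set_content("Your parcel could not be delivered. Print the attached label.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Postal_Label_NR4147c.zip")
    return msg.as_bytes()
```

Run `classify(build_sample())` to see the constructed DHL message quarantined; a plain text message with no attachment comes back as "ok".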

There are 4 interesting findings:

1. The Asprox spam botnet is also spreading Sasfis now, but there are 2 different versions of Sasfis. More specifically, the Sasfis C&C server domain name is different.

2. Sasfis’s main payload binary moved from an exe to a dll.

3. This version of Sasfis’s custom packer seems buggy. After it rewrites the image code, it should trigger an SEH to enter the DLL-loading routine (the main function of Sasfis), but it doesn’t.

4. Despite the above 3 points, both versions of Sasfis will download 3 different other malware binaries.

There are 2 main spreading records in my tracker (above).

23rd Aug – Asprox spam Botnet spreading Sasfis.

1st Sep – Cutwail spam Botnet spreading Sasfis.

There are 2 interesting findings:

1. up.exe is the Asprox binary. Sasfis spreads the same Asprox binary.

2. Sasfis is trying to double (via the Cutwail & Asprox spam botnets) its power to spread 2 other malicious binaries (kapusta.exe and mario.exe).

Info on the other 2 binaries:

Mario.exe - FakeAV downloader

C&C server – s.statst.in

FakeAV host – dlhosts.in(setupbinarymodule710.exe)

kapusta.exe – Hiloti

It will download more than 1 malicious file.

-Kyle Yang