Farewell To Pushdo/Cutwail/Webwail Botnet – II (Denis and Joker)

In my last blog,

Farewell To Pushdo/Cutwail/Webwail Botnet – I (Relationship with other malware gangs)

I revealed the relationship between the Pushdo gang and other malware gangs. Sound interesting?

Since I didn’t finish my demo in the VB100 2010 presentation, in this blog I’ll try to point out some key features of the Pushdo/Cutwail/Webwail Fuzzing Tracker.

Tracker Development:

I started to write this botnet tracker after my presentation at BlackHat 2010. There are 3 main purposes of this tracker.

1. Monitor its update history.

2. Share the information to all the researchers.

3. One day, I’ll co-operate with other malware researchers or companies to take down this botnet completely.

For point 3, I was already on the way after my VB100 presentation. I’m quite sure you guys already felt it. :)

Key Features:

1. Latest Pushdo Modules

Pushdo is an advanced downloader which can download many different modules.

For now, there are 11 different modules.

If there is an update of an existing Pushdo module or a totally new module, it will be shown in this section.

2. Latest Module Parameters

Cutwail and Webwail are command line tools. They have switches, and they cannot run properly without the proper parameters.

So, every time Pushdo downloads either Cutwail or Webwail, it also downloads the corresponding parameters for them.

Simply put, those parameters are the C&C server IP & Port for Cutwail and Webwail.

If there are new parameters, they will be shown in this section.

3. Latest Webwail Scripts

Webwail, which is script-engine driven, has the ability to register mail accounts and send spam from the web.

Webwail will download many different scripts when registering mail accounts or sending spam.

If there are new scripts, they will be shown in this section.

4. Pushdo C&C Server Info

It will show you the Pushdo C&C server IP & Port. You can check which modules/parameters have been downloaded from this C&C server.

In the modules sub-page, you will find the module name given by the Pushdo author(s), just like a nickname.

In the parameters sub-page, you will find the detailed parameter info, including IP & Port and the nickname for the server.

5. Cutwail C&C Server Info

It will show you the Cutwail (spam engine) C&C server IP & Port.

In the detailed info page, you will find the different responses from the server, such as the spam template, configuration and email list.

6. Webwail C&C Server Info

It will show you the Webwail (web spam) C&C server IP & Port.

In the detailed info page, you will find the different kinds of scripts for Webwail. If you check those scripts carefully, you’ll find “Denis”, “Joker” and some Russian comments. :)

7. Pushdo Module Update Info

Basically, it will show you how many times each module has been updated.

8. Vendor Module Update History

Vendor ID is a key value which is hard-coded in the Pushdo binary. The bot will receive different modules and send different spam emails based on its vendor value.

There are 23 different vendor IDs, from 0x01 to 0x17.

You can find some distinct modules that exist only under one vendor.
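To make features 1, 7 and 8 concrete, here is an added example (not the tracker’s own code) of the bookkeeping such a tracker needs: it records each module download per vendor ID, reports a new module, an update of a known module or a changed C&C parameter, and lists modules that only ever appear under one vendor. The vendor range 0x01..0x17 comes from the post; the hashes, nicknames and endpoints in the replayed log are constructed.

```python
from collections import defaultdict

VENDOR_MIN, VENDOR_MAX = 0x01, 0x17  # the 23 vendor IDs described in the post


class ModuleTracker:
    """Keeps per-vendor module history and the latest parameters per module."""

    def __init__(self):
        # vendor -> module nickname -> distinct hashes seen, in order of appearance
        self.history = defaultdict(lambda: defaultdict(list))
        self.params = {}  # module nickname -> latest C&C "ip:port" parameter

    def observe(self, vendor, module, sha256, params=None):
        """Record one download; returns the events it triggered."""
        if not VENDOR_MIN <= vendor <= VENDOR_MAX:
            raise ValueError(f"vendor ID {vendor:#04x} outside 0x01..0x17")
        events = []
        hashes = self.history[vendor][module]
        if not hashes:
            events.append("new_module")        # feature 1: totally new module
        elif hashes[-1] != sha256:
            events.append("update")            # feature 1/7: known module changed
        if not hashes or hashes[-1] != sha256:
            hashes.append(sha256)
        if params is not None and self.params.get(module) != params:
            events.append("new_params")        # feature 2: new C&C IP & port
            self.params[module] = params
        return events

    def update_count(self, vendor, module):
        """Feature 7: how many times a module changed after it first appeared."""
        return max(len(self.history.get(vendor, {}).get(module, [])) - 1, 0)

    def vendor_exclusive_modules(self):
        """Feature 8: modules that were only ever seen under a single vendor ID."""
        vendors_of = defaultdict(set)
        for vendor, modules in self.history.items():
            for name in modules:
                vendors_of[name].add(vendor)
        return sorted(name for name, v in vendors_of.items() if len(v) == 1)


def demo():
    """Replays a constructed observation log (all values made up for illustration)."""
    tracker = ModuleTracker()
    log = [
        (0x01, "cutwail", "hash-a1", "10.0.0.1:80"),
        (0x01, "cutwail", "hash-a1", "10.0.0.1:80"),    # same binary again: no event
        (0x01, "cutwail", "hash-a2", "10.0.0.2:8080"),  # updated module and new C&C
        (0x02, "cutwail", "hash-a2", "10.0.0.2:8080"),  # same module under another vendor
        (0x05, "webwail", "hash-b1", "10.0.0.3:443"),   # module seen under one vendor only
    ]
    return [tracker.observe(*entry) for entry in log], tracker
```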

Yeah, that’s all I think. This tracker contains almost 1 year of my research results. Please use it wisely. I hope you can benefit from it. http://re-malware.com/kyle/

Just like my blog tag-line says, “Without mysteries, it can not survive”.

-Kyle Yang