Posts tagged ‘magadan’
Farewell To Pushdo/Cutwail/Webwail Botnet – I (Relationship with other malware gangs)
In this post, I will give a brief history of the Pushdo/Cutwail/Webwail evolution and reveal its relationship with other malware gangs.
Jan 2007 – 1st generation Pushdo. It uses HTTP GET commands, with static parameters in the GET request.
Dec 2007 – 2nd generation Pushdo [Codename: Siberia2]. The author removed the static parameters from the GET command. It was downloaded by the 1st generation Bredolab, which also used HTTP GET.
Oct 2009 – 3rd generation Pushdo [Codename: Revolution6]. The communication protocol and encryption algorithm are totally different from before. At that time, Pushdo would download the Cutwail module, which tried to spread FakeAV and Pushdo itself.
Nov 2009 – They started testing the Webwail module in some of its sub-botnets. It spread with the help of 2nd generation Bredolab. This new Bredolab abandoned HTTP GET too and turned to a custom communication protocol; its communication encryption algorithm is XOR and MD5.
Jan 2010 – Another malware called GoolBot was seeded with the help of Cutwail. It downloads many other malware families, like Zbot, FakeAV and the 2nd gen Pushdo, but not the original one: this variant encrypts the HTTP GET command again using the RC4 algorithm. It communicates with its C&C server through port 443 and generates lots of junk SSL traffic to 250 legitimate websites. The purpose is obvious: hide the real commands among the decoys.
Jan 2010 – The Pushdo gang tried to re-use the ImraBot module, which was first seen in Jan 2009. I consider it the prototype of Webwail: it has almost the same functions as Webwail, but the communication protocol is quite different. It uses HTTP GET, the same as the 2nd gen Pushdo, so this module should belong to the 2nd generation Pushdo. The parameters are bot_id and mode, and the server's response scripts are base64 encoded. While 2nd generation Bredolab was spreading 3rd generation Pushdo, Webwail's only function was registering MSN and Yahoo accounts.
Feb 2010 – Sasfis spreads 3rd generation Pushdo. It took Bredolab's place in helping the Pushdo gang seed. Webwail's functions are registering MSN accounts and sending spam (audio CAPTCHA resolving). Sasfis usually downloads TDSS, Zbot, Hiloti and CMultiLoader. CMultiLoader is a downloader using HTTP GET; the data is base64 encoded. I call it CMultiLoader because this version has a debug print function and sends the debug info back to the server; in the log, every important operation starts with CMultiLoader or CSpreadingManager.
Feb 2010 – 3rd gen Pushdo released a new module called google_bot. After reversing its binary, it turned out to be GoolKit, version 1.2. It is script-engine driven and has 3 main functions:
1. It can add a malicious iframe to web pages whose FTP credentials were stolen earlier. The modified web page contains the Goolkit tag.
2. It can launch DDoS attacks against websites.
3. It can send spam emails containing the compromised website's link.
Apr 2010 – Cutwail spread the modified 2nd generation Pushdo. There was no major change this time; only the list of 250 legitimate websites shrank to 79. Most of the websites are from Brazil, Ukraine and Japan.
May 2010 – The Pushdo gang released a new Pushdo binary with the project name magadan. So, from Siberia, a region name, to Magadan, a city name: are they telling us where they are?
Jun 2010 – The Pushdo gang released 3 new modules, called botloader, google_ddos and restyle_bot, and re-used the old module mailsniffer.
botloader = SpyEye downloader
google_ddos = single-target DDoS module. It launches a DDoS attack against an investment website.
restyle_bot = FTP password stealer
Jun 2010 – The Pushdo gang released another module called new_loader, but its function is the same as botloader: downloading SpyEye.
Jul 2010 – The Pushdo gang released another 2 new modules, called soldier and antispyware.
soldier = SpyEye. It also downloads the sock plugin.
antispyware = CMultiLoader with the debug print function removed.
Aug 2010 – Zbot tried to download 3rd generation Pushdo through an SSL connection; Pushdo then downloads Cutwail to help Zbot seed. The sub-botnet id for that is 0x17.
Sep 2010 – While Cutwail was injured, Sasfis made another friend, Asprox, which is a spam botnet. But its communication encryption algorithm and resource decryption algorithm are still a single-byte XOR with 0x1b, which is too weak.
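To illustrate why a single-byte XOR like the one noted above is too weak, here is an added example (not code from the original post or from any of the malware discussed): it recovers the key from an obfuscated blob using nothing but the fixed PE 'MZ' magic and DOS stub text. The blob is constructed in the script; the 512-byte search window is an assumption.

```python
# Added example, not from the original post: why a single-byte XOR such as
# Asprox's 0x1b is "too weak". A PE file always starts with 'MZ' and carries the
# DOS stub text, so an analyst can recover the key from those known bytes alone.
# The blob below is constructed here, not taken from a real sample.
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key (encrypt and decrypt are the same op)."""
    return bytes(b ^ key for b in data)

def make_fake_pe() -> bytes:
    """Constructed stand-in for a PE resource: 'MZ' magic, padding, DOS stub text."""
    return b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 32

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key that decodes blob to an MZ header plus the
    standard DOS stub, or None when no key fits (not single-byte XOR, or not a PE)."""
    if len(blob) < 2:
        return None
    for key in range(256):
        # Cheap filter first: the first two bytes must decode to 'M','Z'.
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:
            continue
        # Confirm with the DOS stub text in the first 512 bytes (assumed window).
        if DOS_STUB in xor_bytes(blob[:512], key):
            return key
    return None

if __name__ == "__main__":
    obfuscated = xor_bytes(make_fake_pe(), 0x1B)
    print(hex(recover_xor_key(obfuscated)))  # 0x1b
```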
The above events are covered in my earlier posts; check them for details.
I have been researching the Pushdo/Cutwail/Webwail botnet for almost a year. It's time to say goodbye.
-Kyle Yang
New Module “restyle_bot” From Pushdo Botnet
Pushdo just released a new module, named "restyle_bot".
Analysis will follow. :P
hyipinvestment.com is under ddos attack – I
Thanks to the Pushdo Botnet Tracker, I could intercept the latest Pushdo modules.
The module name is "google_ddos". The working module was being downloaded by Pushdo from 2010-06-23 14:55:13, and it had 2 updates in only 1.5 hours. It can launch a DDoS attack against a website; in this case, it is hyipinvestment.com.
Now (2010-06-23 17:24:32), the website is down. I tried to contact the site admin to report this attack, but I couldn't find any email address. Too bad. :(
Notice:
I will not reveal any technical details of this attack until the website admin contacts me and the attack is stopped. If the web admin can reach me via grep1025@gmail.com, I can help them stop this attack.
Update:
More Pushdo C&C servers got updates.
Pushdo New Module Released!!
From the latest result of the Pushdo (magadan) tracker, a new module named "botloader" was released last night.
From the tracker result, we can notice that the module is updated from different Pushdo C&C servers, but only one vendor got updated. That means only a small part of the Pushdo/Cutwail/Webwail botnet will try to download this module. And from the "entry date" we can see that the Pushdo C&C servers are not actually updated at the same time: the longest interval is around 10 hours, which means the author(s) updated them group by group.
This "botloader" downloads 4 possible other malicious bot samples. The 4 URLs are the following:
hxxp://89.149.223.229/dm/files/aukhrfbv.exe
hxxp://89.149.223.229/dm/files/hftywmn.exe
hxxp://89.149.223.229/dm/files/knwtxtk.exe
hxxp://89.149.223.229/dm/files/sdknfhl.exe
Sasfis tracker is working!
The Sasfis tracker is working fine. I also added an "offline time" column to show when a URL went offline, and added "BackURL" checking. The new tracker results follow.
| Entry Date | URL | IP | Download File MD5 | Last Check | File Status | Offline Time |
|---|---|---|---|---|---|---|
| 2010-05-18 15:30:00 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | 0f986dbbac176366018cdaac4c8b6d04 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-18 15:30:04 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | e8228908cd5ed58cd73b2111864ff82a | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-18 15:31:07 | http://www.selcukduracik.com/resimler/sistem.exe | 89.149.202.142 | dcb7500a520f28ff2a74cef9a9c2a2b5 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 03:46:16 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | 958255dafa1e481e78a2d98f851004b7 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 04:50:22 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-19 04:51:55 | http://www.selcukduracik.com/resimler/sistem.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 04:52:26 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 07:30:21 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | a2c8559fcf1885a8277a8cb48dcbbd93 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 07:31:13 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | a2c8559fcf1885a8277a8cb48dcbbd93 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-19 07:32:05 | http://www.selcukduracik.com/resimler/sistem.exe | 89.149.202.142 | a2c8559fcf1885a8277a8cb48dcbbd93 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-20 12:47:09 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:34 | Online | N/A |
| 2010-05-20 12:47:13 | http://akocakkoyu.com/images/loader.exe | 212.98.234.210 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:35 | Online | N/A |
| 2010-05-20 12:47:37 | http://alananlaw.com/images/bot.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:36 | Online | N/A |
| 2010-05-20 12:47:43 | http://akocakkoyu.com/images/bot.exe | 212.98.234.210 | 9579cc953b402bb908f7fe51075c3243 | 2010-05-20 22:01:41 | Online | N/A |
| 2010-05-20 12:48:54 | http://akocakkoyu.com/images/dogma.exe | 212.98.234.210 | ba3c30fa4a4f0798d9b63d45184ad758 | 2010-05-20 22:01:45 | Online | N/A |
| 2010-05-20 12:48:55 | http://alananlaw.com/images/dogma.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:45 | Online | N/A |
| 2010-05-20 15:01:27 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:34 | Online | N/A |
| 2010-05-20 15:03:43 | http://alananlaw.com/images/bot.exe | 174.120.229.67 | 9579cc953b402bb908f7fe51075c3243 | 2010-05-20 22:01:36 | Online | N/A |
| 2010-05-20 15:05:01 | http://alananlaw.com/images/dogma.exe | 174.120.229.67 | c1b190a38099488727b917dccf0000f0 | 2010-05-20 22:01:45 | Online | N/A |
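A small pass over tracker rows in the layout of the table above, as an added example that is not part of the tracker itself: it groups the rows to show which distinct URLs served the very same file (one MD5 under several names and hosts), which URLs rotated their payload between checks, and which URLs were still live. The rows embedded in the script are copied from the table; the parser is my own.

```python
# Added example, not part of the original tracker: a pass over tracker rows in
# the same pipe-separated layout as the table above, answering what an analyst
# wants to know before pulling samples: which distinct URLs served the very same
# file (one MD5 under several names/hosts), which URLs rotated their payload, and
# which are still live. The rows are copied from the table; nothing is invented.
from collections import defaultdict

TRACKER_ROWS = """\
| 2010-05-19 04:50:22 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-19 04:51:55 | http://www.selcukduracik.com/resimler/sistem.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-20 12:47:09 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:34 | Online | N/A |
| 2010-05-20 12:47:13 | http://akocakkoyu.com/images/loader.exe | 212.98.234.210 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:35 | Online | N/A |
| 2010-05-20 12:47:37 | http://alananlaw.com/images/bot.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:36 | Online | N/A |
| 2010-05-20 15:01:27 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:34 | Online | N/A |
"""

COLUMNS = ("entry", "url", "ip", "md5", "last_check", "status", "offline")

def parse_rows(text):
    """Parse '| a | b | ... |' lines; header and '---' separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "Entry Date" or set(cells[0]) <= {"-"}:
            continue
        row = dict(zip(COLUMNS, cells))
        row["md5"] = row["md5"].lower()
        rows.append(row)
    return sorted(rows, key=lambda r: r["entry"])  # ISO-like dates sort as text

def payload_aliases(rows):
    """md5 -> sorted URLs, only for files that were served under more than one URL."""
    by_hash = defaultdict(set)
    for r in rows:
        by_hash[r["md5"]].add(r["url"])
    return {h: sorted(u) for h, u in by_hash.items() if len(u) > 1}

def payload_rotation(rows):
    """url -> md5s in entry order, only for URLs whose payload changed over time."""
    by_url = defaultdict(list)
    for r in rows:
        if r["md5"] not in by_url[r["url"]]:
            by_url[r["url"]].append(r["md5"])
    return {u: h for u, h in by_url.items() if len(h) > 1}

def live_urls(rows):
    """URLs with at least one 'Online' observation, deduplicated and sorted."""
    return sorted({r["url"] for r in rows if r["status"] == "Online"})
```

On these rows the same MD5 shows up under kunfu.exe and sistem.exe, and alananlaw.com's loader.exe changed its payload between the 12:47 and 15:01 checks, so deduplicating by hash before analysis saves real effort.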
Pushdo/Cutwail/Webwail Botnet Changing II
The new version of Pushdo (magadan) introduced the new version of Gootkit, Gootkit 1.2, named "GoogleBot".
I personally think the "Gumblar attack" should be related to the Pushdo gang. Any ideas?
Functions:
Pushdo/Cutwail/Webwail Botnet Changing I
After I gave a presentation about the Pushdo/Cutwail/Webwail botnet at BlackHat EU 2010, they started changing from 2010-05-10.
Changes:
1. Project name
"revolution6" to "magadan".
"Protect" to "OuterDrv"; the error handling routine changed a little.
f:\programs\magadan\rkinstall\objfre_wxp_x86\i386\RkInstall.pdb
f:\programs\magadan\outerdrv\objfre_wxp_x86\i386\OuterDrv.pdb
f:\programs\magadan\innerdrv\objfre_wxp_x86\i386\InnerDrv.pdb
f:\programs\magadan\loader\objfre_wxp_x86\i386\PreLoader.pdb (thanks to Steve)
f:\programs\magadan\loader\objfre_wxp_x86\i386\Loader.pdb
2. "Drop file" decryption algorithm changed.
Before: XOR and swap, by dword.
Now: XOR, add and sub, by byte.
3. Loader
(1) ldrver changed from 0x37 to 0x64.
(2) The Product ID is read from 2 registry keys; before it was only one.
(3) The hard-coded server IP count changed from 9 to 6.
Actually, those modifications do not change the 3rd generation Pushdo completely, especially on the communication protocol and encryption side. Hence, I prefer to call it the 3.5th generation Pushdo.