Posts tagged ‘webwail’
Farewell To Pushdo/Cutwail/Webwail Botnet – II (Denis and Joker)
In my last blog post,
Farewell To Pushdo/Cutwail/Webwail Botnet – I (Relationship with other malware gangs)
I revealed the relationship between the Pushdo gang and other malware gangs. Interested?
Since I didn’t finish my demo in the VB100 2010 presentation, in this blog post I’ll point out some key features of the Pushdo/Cutwail/Webwail Fuzzing Tracker.
Tracker Development:
I started to write this botnet tracker after my presentation at BlackHat 2010. There are 3 main purposes for this tracker.
1. Monitor its update history.
2. Share the information to all the researchers.
3. One day, I’ll co-operate with other malware researchers or companies to take down this botnet totally.
For point 3, I was already on the way after my vb100 presentation. I’m quite sure you guys have already felt it. :)
Key Features:
1. Latest Pushdo Modules
Pushdo is an advanced downloader that can download many different modules.
For now, there are 11 different modules.
If a Pushdo module is updated, or a totally new module appears, it will be shown in this section.
2. Latest Module Parameters
Cutwail and Webwail are command line tools. They both have switches, and they cannot run properly without the proper parameters.
So, every time Pushdo downloads either Cutwail or Webwail, it also downloads the corresponding parameters for Cutwail and Webwail.
Simply put, those parameters are the C&C server IP & Port for Cutwail and Webwail.
If there are new parameters, they will be shown in this section.
3. Latest Webwail Scripts
Webwail, which is script-engine driven, has the ability to register mail accounts and send spam via the web.
Webwail downloads many different scripts when registering mail accounts or sending spam.
If there are new scripts, they will be shown in this section.
4. Pushdo C&C Server Info
It will show you the Pushdo C&C server IP & Port. You can check which modules/parameters have been downloaded from each C&C server.
In the modules sub-page, you will find the module name given by the Pushdo author(s), which works just like a nickname.
In the parameters sub-page, you will find the detailed parameter info, including the IP & Port and the nickname of the server.
5. Cutwail C&C Server Info
It will show you the Cutwail (spam engine) C&C server IP & Port.
In the detail info page, you will find the different responses from the server, such as the spam template, configuration and email list.
6. Webwail C&C Server Info
It will show you the Webwail (web spam) C&C server IP & Port.
In the detail info page, you will find the different kinds of scripts for Webwail. If you check those scripts carefully, you’ll find “Denis”, “Joker” and some Russian comments. :)
7. Pushdo Module Update Info
Basically, it will show you how many times each module has been updated.
8. Vendor Module Update History
The vendor ID is a key value hard-coded in the Pushdo binary. The bot receives different modules and sends different spam emails based on its vendor value.
There are 23 different vendor IDs, from 0x01 to 0x17.
You can find some distinct modules that only exist in one vendor.
Yeah, that’s all, I think. This tracker contains almost 1 year of my research results. Please use it wisely. I hope you can benefit from it. http://re-malware.com/kyle/
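The update-history bookkeeping behind features 7 and 8 (count how often a module's binary changes, and which modules only ever reach one vendor ID) is simple enough to show in a few functions. The following is an added example written for this post, not the tracker's own code; the observation tuples, the hash strings and which vendor received which module are constructed sample data, only the module nicknames and the 0x01 to 0x17 vendor range come from the post.

```python
from collections import defaultdict

# Constructed observations as a tracker might log them: (vendor ID, module nickname,
# MD5 of the downloaded module). The nicknames reuse module names from the post; the
# hashes and the vendor-to-module assignments are made-up sample data.
OBSERVATIONS = [
    (0x01, "cutwail",   "md5-cutwail-v1"),
    (0x01, "cutwail",   "md5-cutwail-v1"),   # re-download of the same binary: not an update
    (0x01, "cutwail",   "md5-cutwail-v2"),   # new hash: update #1 for cutwail
    (0x02, "cutwail",   "md5-cutwail-v2"),
    (0x02, "webwail",   "md5-webwail-v1"),
    (0x02, "webwail",   "md5-webwail-v2"),
    (0x02, "webwail",   "md5-webwail-v3"),
    (0x17, "cutwail",   "md5-cutwail-v2"),
    (0x17, "botloader", "md5-botloader-v1"),
]


def module_update_counts(observations):
    """Feature 7: how many times each module's binary changed, botnet-wide.
    The first hash seen for a module is the baseline; every later new hash is one update."""
    hashes = defaultdict(list)          # module -> distinct hashes in order of first sighting
    for _vendor, module, md5 in observations:
        if md5 not in hashes[module]:
            hashes[module].append(md5)
    return {module: len(h) - 1 for module, h in hashes.items()}


def vendor_module_history(observations):
    """Feature 8: per vendor ID, the modules it was served and how many distinct versions of each."""
    history = defaultdict(lambda: defaultdict(set))
    for vendor, module, md5 in observations:
        history[vendor][module].add(md5)
    return {v: {m: len(s) for m, s in mods.items()} for v, mods in history.items()}


def vendor_exclusive_modules(observations):
    """Modules only ever served to a single vendor ID (the 'distinct modules' the post points out)."""
    vendors = defaultdict(set)          # module -> set of vendor IDs that received it
    for vendor, module, _md5 in observations:
        vendors[module].add(vendor)
    return {m: next(iter(v)) for m, v in vendors.items() if len(v) == 1}


if __name__ == "__main__":
    print("updates per module:", module_update_counts(OBSERVATIONS))
    for vendor, mods in sorted(vendor_module_history(OBSERVATIONS).items()):
        print(f"vendor 0x{vendor:02x}: {mods}")
    exclusive = vendor_exclusive_modules(OBSERVATIONS)
    print("vendor-exclusive modules:", {m: f"0x{v:02x}" for m, v in exclusive.items()})
```

Keying on the hash rather than the nickname is what makes the update count meaningful: the C&C re-serving the same binary is a re-download, not a new version.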
Just like my blog tag-line says, “Without mysteries, it can not survive”.
-Kyle Yang
Farewell To Pushdo/Cutwail/Webwail Botnet – I (Relationship with other malware gangs)
In this blog, I’ll give a brief history of Pushdo/Cutwail/Webwail evolution and reveal its relationship with other malware gangs.
Jan 2007 – 1st generation Pushdo. It uses an HTTP GET command with static parameters in the GET command.
Dec 2007 – 2nd generation Pushdo [Codename: Siberia2]. The author removed the static parameters from the GET command. It was downloaded by the 1st generation Bredolab, which also used an HTTP GET command.
Oct 2009 – 3rd generation Pushdo [Codename: Revolution6]. The communication protocol and encryption algorithm are totally different from before. At that time, Pushdo downloaded the Cutwail module, trying to spread Fakeav and Pushdo itself.
Nov 2009 – They started to test the Webwail module in some of its sub-botnets. It spread with the help of the 2nd generation Bredolab. This new Bredolab abandoned HTTP GET too and turned to a custom communication protocol; its communication encryption algorithm is XOR and MD5.
Jan 2010 – Another malware called GoolBot was seeded with the help of Cutwail. It downloads many other malware families, like Zbot, Fakeav and the 2nd gen Pushdo, but not the original one: this one encrypts the HTTP GET command again using the RC4 algorithm. It communicates with the C&C server through port 443 and generates lots of junk SSL traffic to 250 legitimate websites. The purpose of doing this is obvious: to hide the real commands among the decoys.
Jan 2010 – The Pushdo gang tried to re-use the ImraBot module, which was first seen in Jan 2009. I consider it the prototype of Webwail. It has almost the same function as Webwail, but the communication protocol is quite different: it uses HTTP GET, the same as the 2nd gen Pushdo, so this module should belong to the 2nd generation Pushdo. The parameters are bot_id and mode. The server response scripts are base64 encoded. While the 2nd generation Bredolab was spreading the 3rd generation Pushdo, Webwail’s only function was registering MSN and Yahoo accounts.
Feb 2010 – Sasfis spreads the 3rd generation Pushdo. It took Bredolab’s place, helping the Pushdo gang with seeding. Webwail’s functions are registering MSN accounts and sending spam (audio CAPTCHA resolving). Sasfis usually downloads TDSS, Zbot, Hiloti and CMultiLoader. CMultiLoader is a downloader using an HTTP GET command; the data is base64 encoded. I call it CMultiLoader because this version has a debug print function and sends the debug info back to the server. In the log, every important operation starts with CMultiLoader or CSpreadingManager.
Feb 2010 – 3rd gen Pushdo released a new module called google_bot. After reversing its binary, it turned out to be GoolKit, version 1.2. It is script-engine driven and has 3 main functions.
1. It has the ability to add a malicious iframe to web pages whose FTP credentials have been stolen before. The modified web page contains the Goolkit tag.
2. It has the ability to launch DDoS attacks against websites.
3. It can send spam emails containing the compromised website link.
Apr 2010 – Cutwail spreads the modified 2nd generation Pushdo. There is no major change this time; it just changed the 250 legitimate websites to 79. Most of the websites are from Brazil, Ukraine and Japan.
May 2010 – The Pushdo gang released a new Pushdo binary with the project name magadan. So, from Siberia, a region name, to Magadan, a city name: are they telling us where they are?
Jun 2010 – The Pushdo gang released 3 new modules, called botloader, google_ddos and restyle_bot, and re-used the old module mailsniffer.
botloader = SpyEye downloader
google_ddos = single-target DDoS module. It launches a DDoS attack against an investment website.
restyle_bot = FTP password stealer
Jun 2010 – The Pushdo gang released another module called new_loader, but its function is the same as botloader: downloading SpyEye.
Jul 2010 – The Pushdo gang released another 2 new modules, called soldier and antispyware.
soldier = SpyEye. It will download the sock plugin.
antispyware = CMultiLoader, with the debug print function already removed.
Aug 2010 – Zbot tried to download the 3rd generation Pushdo through an SSL connection; then Pushdo downloads Cutwail to help Zbot seeding. The sub-botnet ID for that is 0x17.
Sep 2010 – While Cutwail was injured, Sasfis made another friend – Asprox, which is a spam botnet. But its communication encryption algorithm and resource decryption algorithm is still XOR 1b, which is too weak.
The above events should all be in my blog posts; check them for details.
I have been doing Pushdo/Cutwail/Webwail botnet research for almost 1 year. It’s time to say goodbye.
-Kyle Yang
Webwail Botnet and MSN
Today, I made a BIG video of the process by which Webwail registers a new MSN account for its spam purposes.
The above is only one function of the Webwail botnet; its main purpose is sending spam from those pre-registered MSN accounts. I’ll make another video on that.
Webwail MSN Registration Routine:
1. Retrieve pre-defined MSN user info from the C&C server
2. Fill in the registration form
3. Switch to the audio CAPTCHA
4. Send the CAPTCHA to the resolving server
5. Fill in the CAPTCHA
6. Log in to the newly registered MSN account to verify it
7. Wait for the next user info.
From my Pushdo/Cutwail/Webwail Botnet Tracker DB (I can’t give a precise number, simply because the number is increasing every day):
1. 8K+ MSN accounts are used to send spam.
2. 20K+ pre-defined MSN user information records which will be used to register MSN accounts.
3. 200+ spam templates
I’ll give a presentation about the Webwail botnet at the VB100 conference:
The Webwail botnet: a reputation-based filter killer – http://www.virusbtn.com/conference/vb2010/abstracts/Yang.xml
-Kyle Yang
Pushdo/Cutwail Botnet is warming up to bounce back – I
A few days ago, LastLine’s Thorsten Holz and his team successfully struck the Pushdo/Cutwail botnet infrastructure – Insights into the Pushdo/Cutwail Infrastructure (nice references). This action had a significant impact on Cutwail, which is the reason for the following figure (from the M86 Security Lab blog – Pushdo Botnet Crippled).

It did give us a quiet inbox. But the question is: for how long?
Following is some data from my Pushdo/Cutwail/Webwail Botnet Tracker.
Before, 13/23 Pushdo C&C servers, 34/69 Cutwail C&C servers and 5/5 Webwail C&C servers were alive.
After, 5/23 Pushdo C&C servers, 2/69 Cutwail C&C servers and 4/5 Webwail C&C servers are alive.
How did this botnet gang respond to this? (Screenshots from my botnet tracker)

They added 2 new Pushdo C&C servers (all located in the US)

They added 4 new Cutwail C&C servers (all located in the US)
I’m sure they will add more Cutwail C&C servers this week.
-Kyle Yang
Sasfis tracker is working!
The Sasfis tracker is working fine. I also added the “offline time” column to show when a URL goes offline, and added the “BackURL” check. Following are the new tracker results.
| Entry Date | URL | IP | Download File MD5 | Last Check | File Status | Offline Time |
| --- | --- | --- | --- | --- | --- | --- |
| 2010-05-18 15:30:00 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | 0f986dbbac176366018cdaac4c8b6d04 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-18 15:30:04 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | e8228908cd5ed58cd73b2111864ff82a | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-18 15:31:07 | http://www.selcukduracik.com/resimler/sistem.exe | 89.149.202.142 | dcb7500a520f28ff2a74cef9a9c2a2b5 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 03:46:16 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | 958255dafa1e481e78a2d98f851004b7 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 04:50:22 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-19 04:51:55 | http://www.selcukduracik.com/resimler/sistem.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 04:52:26 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 07:30:21 | http://www.selcukduracik.com/resimler/mario.exe | 89.149.202.142 | a2c8559fcf1885a8277a8cb48dcbbd93 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-19 07:31:13 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | a2c8559fcf1885a8277a8cb48dcbbd93 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-19 07:32:05 | http://www.selcukduracik.com/resimler/sistem.exe | 89.149.202.142 | a2c8559fcf1885a8277a8cb48dcbbd93 | 2010-05-20 15:52:42 | Offline | 2010-05-20 15:52:42 |
| 2010-05-20 12:47:09 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:34 | Online | N/A |
| 2010-05-20 12:47:13 | http://akocakkoyu.com/images/loader.exe | 212.98.234.210 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:35 | Online | N/A |
| 2010-05-20 12:47:37 | http://alananlaw.com/images/bot.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:36 | Online | N/A |
| 2010-05-20 12:47:43 | http://akocakkoyu.com/images/bot.exe | 212.98.234.210 | 9579cc953b402bb908f7fe51075c3243 | 2010-05-20 22:01:41 | Online | N/A |
| 2010-05-20 12:48:54 | http://akocakkoyu.com/images/dogma.exe | 212.98.234.210 | ba3c30fa4a4f0798d9b63d45184ad758 | 2010-05-20 22:01:45 | Online | N/A |
| 2010-05-20 12:48:55 | http://alananlaw.com/images/dogma.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:45 | Online | N/A |
| 2010-05-20 15:01:27 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:34 | Online | N/A |
| 2010-05-20 15:03:43 | http://alananlaw.com/images/bot.exe | 174.120.229.67 | 9579cc953b402bb908f7fe51075c3243 | 2010-05-20 22:01:36 | Online | N/A |
| 2010-05-20 15:05:01 | http://alananlaw.com/images/dogma.exe | 174.120.229.67 | c1b190a38099488727b917dccf0000f0 | 2010-05-20 22:01:45 | Online | N/A |
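The table above already shows the two things a download-URL tracker is good for: the same URL serving a different binary over time (kunfu.exe goes through three MD5s in a day), and the same MD5 staged on several compromised hosts. The following is an added example written for this post, not the Sasfis tracker's own code. It parses rows in the table's format, derives those two facts, and reproduces the "Offline Time" rule (stamp the first check that finds the file gone, then leave the stamp alone); the sample input is a subset of the rows above pasted as constructed text, so it runs offline and fetches nothing.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

# Constructed sample input: a subset of the tracker rows from the post, in the table's own format.
TRACKER_ROWS = """\
| Entry Date | URL | IP | Download File MD5 | Last Check | File Status | Offline Time |
| --- | --- | --- | --- | --- | --- | --- |
| 2010-05-18 15:30:00 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | 0f986dbbac176366018cdaac4c8b6d04 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-19 04:50:22 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | 356c0437a5e7ff53c3f1eabf83e10286 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-19 07:31:13 | http://www.selcukduracik.com/resimler/kunfu.exe | 89.149.202.142 | a2c8559fcf1885a8277a8cb48dcbbd93 | 2010-05-20 15:52:41 | Offline | 2010-05-20 15:52:41 |
| 2010-05-20 12:47:09 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 5343c1a8b203c162a3bf3870d9f50fd4 | 2010-05-20 22:01:34 | Online | N/A |
| 2010-05-20 15:01:27 | http://alananlaw.com/images/loader.exe | 174.120.229.67 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:34 | Online | N/A |
| 2010-05-20 12:47:13 | http://akocakkoyu.com/images/loader.exe | 212.98.234.210 | 48a793a2180b3841c18db03fd899b476 | 2010-05-20 22:01:35 | Online | N/A |
"""

TS = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class Entry:
    entry_date: datetime
    url: str
    ip: str
    md5: str
    last_check: datetime
    status: str                      # "Online" or "Offline"
    offline_time: Optional[datetime]  # None while the file is still reachable


def parse_rows(text: str) -> list:
    """Parse pipe-delimited tracker rows; the header and the '---' separator are skipped."""
    entries = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "Entry Date" or set(cells[0]) <= {"-"}:
            continue
        entry_date, url, ip, md5, last_check, status, offline = cells
        entries.append(Entry(
            datetime.strptime(entry_date, TS), url, ip, md5.lower(),
            datetime.strptime(last_check, TS), status,
            None if offline == "N/A" else datetime.strptime(offline, TS)))
    return entries


def payload_changes(entries) -> dict:
    """Per URL: how many times the file behind it was replaced by a different binary.
    The first MD5 seen (by entry date) is the baseline; each later new MD5 is one change."""
    by_url = defaultdict(list)
    for e in sorted(entries, key=lambda e: e.entry_date):
        if e.md5 not in by_url[e.url]:
            by_url[e.url].append(e.md5)
    return {url: len(hashes) - 1 for url, hashes in by_url.items()}


def shared_payloads(entries) -> dict:
    """MD5s served from more than one host: the same dropper staged on several compromised sites."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e.md5].add(urlparse(e.url).hostname)
    return {md5: sorted(h) for md5, h in hosts.items() if len(h) > 1}


def record_check(entry: Entry, status: str, check_time: str) -> Entry:
    """Apply a new liveness check (check_time in the table's timestamp format).
    Offline time is stamped on the first check that finds the file gone and is not
    overwritten by later Offline checks; a file seen Online again clears it (assumed
    behaviour, so the next outage gets a fresh stamp)."""
    now = datetime.strptime(check_time, TS)
    if status == "Offline":
        offline_time = entry.offline_time if entry.offline_time is not None else now
    else:
        offline_time = None
    return replace(entry, status=status, last_check=now, offline_time=offline_time)


if __name__ == "__main__":
    rows = parse_rows(TRACKER_ROWS)
    for url, n in payload_changes(rows).items():
        print(f"{n} payload change(s): {url}")
    for md5, hosts in shared_payloads(rows).items():
        print(f"{md5} served from {', '.join(hosts)}")
```

Grouping by MD5 across hosts is the cheap win here: it ties separate compromised sites to one campaign without touching the binaries, and a change of MD5 on a URL that stays Online is the signal to pull a fresh sample.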
Pushdo/Cutwail/Webwail Botnet Changing II
The new version of Pushdo (magadan) introduced the new version of Gootkit, Gootkit 1.2, named “GoogleBot”.
I personally think the “Gumblar attack” should be related to the Pushdo gang. Any ideas?
Functions: