Xu (Kyle) Yang Fortinet
After several months worth of efforts, the Pushdo/Cutwail botnet gang finally released a new Pushdo advanced installer codenamed 'revolution'. This new milling not only changed the protocol and encryption totally, but also introduced the 'Services' mechanism (tied to the hard-coded 'vendor' variable). But above all, it introduced Webwail, a new module with an embedded scripting engine that has the ability to register web-based email accounts and send spam from the web; by this process, it effectively leverages the flawless reputation of web-based email services (Hotmail, Yahoo! Mail, etc.) to bypass reputation-based spam filters operating at IP/domain level and/or implementing SPF tactics and the like. Of course, registering web-based email accounts involves solving CAPTCHA challenges. This is not handled by the instances of Webwail themselves, but outsourced to a 'captcha-solving server', different from the Command & Control server.
In mid-January 2010, after a testing phase of roughly one month, Webwail started to spread widely with the help of its old friend Bredolab, obviously testing the grounds for a large-scale spam operation. Then, Webwail resorted to the services offered by the Sasfis gang (Sasfis is a malware piece similar to Bredolab) to spread further, from the beginning of February. But this time, not only did it register the web-based mail accounts - it also started to effectively send spam from them.
What are the internal mechanisms of this innovative piece of modern malware? What is its communication protocol and its encryption scheme? How did it evolve? Are there bridges to (and if not, similarities with) Cutwail? What will the gang do after Webwail? How can the communication of Webwail be blocked? This paper will answer these questions, and attempt to shed a light on Webwail's development path.
