The Webwail botnet: a reputation-based filter killer presented at Virus Bulletin 2010

by Xu (Kyle) Yang (Fortinet)

Tags: Security


Summary:
After several months' worth of effort, the Pushdo/Cutwail botnet gang finally released a new Pushdo advanced installer codenamed
'revolution'. This new installer not only changed the protocol and encryption completely, but also introduced the 'Services'
mechanism (tied to the hard-coded 'vendor' variable). Above all, it introduced Webwail, a new module with an embedded
scripting engine that is able to register web-based email accounts and send spam from the web; by doing so, it
effectively leverages the flawless reputation of web-based email services (Hotmail, Yahoo! Mail, etc.) to bypass
reputation-based spam filters that operate at IP/domain level and/or rely on SPF checks and the like. Of course,
registering web-based email accounts involves solving CAPTCHA challenges. This is not handled by the Webwail instances
themselves, but outsourced to a 'CAPTCHA-solving server' distinct from the Command & Control server.
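The reason IP/domain reputation and SPF do not stop mail sent from a registered webmail account is that those checks validate the sending infrastructure, not the person holding the account. The following added example (written for this summary, not code from the paper or from Fortinet) is a minimal SPF evaluator run against constructed, offline records for a hypothetical provider `webmail.example`; the domain names, IP ranges and the `FAKE_DNS_TXT` table are all assumptions standing in for real DNS lookups. It shows that a message relayed straight from an infected host claiming the provider's domain fails SPF, while the same message handed to the provider's own outbound servers (which is what a bot driving the webmail interface achieves) passes.

```python
import ipaddress
from typing import Dict

# Constructed SPF records for a hypothetical webmail provider. This dict replaces
# real DNS TXT lookups so the example runs offline; none of these values are real.
FAKE_DNS_TXT: Dict[str, str] = {
    "webmail.example": "v=spf1 ip4:203.0.113.0/24 include:_spf-pool.webmail.example -all",
    "_spf-pool.webmail.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain: str):
    """Stand-in for a DNS TXT query (assumption: the table above is the whole zone)."""
    return FAKE_DNS_TXT.get(domain)


def spf_check(sender_ip: str, mail_from_domain: str, depth: int = 0) -> str:
    """Evaluate a simplified SPF policy for the connecting IP.

    Supports the ip4, include and all mechanisms with +, -, ~ and ? qualifiers,
    which is enough to show what SPF does and does not authenticate.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 caps recursive lookups at 10
        return "permerror"
    record = lookup_txt(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(sender_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                     # mechanism not modelled here; skip it
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # no mechanism matched and no 'all' term


def compare_delivery_paths() -> Dict[str, str]:
    """Same forged sender domain, two delivery paths (both IPs are constructed)."""
    return {
        # Infected host relaying directly to the victim's MX with a forged MAIL FROM.
        "direct_from_bot": spf_check("192.0.2.10", "webmail.example"),
        # Mail submitted through the provider's web interface leaves from the
        # provider's own outbound pool, so the IP is authorised by the policy.
        "via_webmail_provider": spf_check("198.51.100.7", "webmail.example"),
    }


if __name__ == "__main__":
    for path, verdict in compare_delivery_paths().items():
        print(f"{path}: SPF {verdict}")
```

The `via_webmail_provider` case passes for exactly the reason the summary gives: the provider's outbound IPs are authorised for the provider's domain, so an account created by a bot and driven through the web interface is indistinguishable from a legitimate user at the SPF and IP-reputation layer. Defences for this class of abuse therefore sit at account-registration and sending-behaviour level on the provider side, not in the recipient's SPF or reputation checks.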
In mid-January 2010, after a testing phase of roughly one month, Webwail started to spread widely with the help of its old
friend Bredolab, evidently testing the ground for a large-scale spam operation. From the beginning of February, Webwail
resorted to the services offered by the Sasfis gang (Sasfis is a piece of malware similar to Bredolab) to spread further.
But this time it did not only register web-based mail accounts: it also started to actually send spam from them.
What are the internal mechanisms of this innovative piece of modern malware? What are its communication protocol and its
encryption scheme? How did it evolve? Are there bridges to (and if not, similarities with) Cutwail? What will the gang do
after Webwail? How can Webwail's communication be blocked? This paper answers these questions and attempts to
shed light on Webwail's development path.