Bredolab Gearing Up for Web Spam
January 15, 2010 at 12:23 pm
Bredolab should be a name becoming familiar to most of our readers – it has been our most dominant threat overall for the last half of 2009, continuing over to 2010. It’s been discussed several times in our monthly Threat Landscape reports, and also connected to Gumblar attacks. For those unfamiliar, Bredolab is a simplified botnet – a loader which simply connects to a remote server to report and receive files to download/execute. Apart from rogue antivirus software (“scareware”), Bredolab’s other favorite download is Pushdo.
Pushdo, another prominent botnet/loader, is tightly linked to the Cutwail spam trojan – meaning that Pushdo will frequently download and install Cutwail to turn the machine into a spam-spewing bot. This has been going on since 2007, accelerated by Bredolab’s appearance in 2009. Now in 2010, Pushdo has upped the ante with a new spam engine hitting mail servers near you. We have dubbed this engine “Webwail”, and have been monitoring it since December 2009.
In this newest run, Bredolab comes in a typical email attachment – disguised as a UPS invoice under the name “UPS_invoice_NR81913.exe”. We observed the first instances of this on January 11, 2010. When run, Bredolab will in turn download Pushdo, which will then download the Cutwail spamming trojan along with another malicious file. This file is the new webmailing spam engine – Webwail.
During our observations, the newly infected Bredolab machine (Figure 1) would start sending spam through its downloaded Cutwail component. As of writing, this spam is the well known DHL invoice spam campaign (Figure 2), an email with a ZIP file attachment containing a variation of Bredolab itself - upgraded with a new custom packer.
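As an added illustration (not code from the original post or from FortiGuard Labs), a mail-gateway check for the lure pattern described above: an executable named like a carrier invoice, or a ZIP archive carrying one. The lure regex, the verdicts and the sample payloads are constructed for the example.

```python
import io
import re
import zipfile

# Carrier "invoice"/"notification" names are the lure in this campaign;
# the payload arrives as a bare .exe or as a ZIP that holds one.
LURE_RE = re.compile(r"(ups|dhl|fedex)[_ -]*(invoice|notification|tracking)", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def executable_members(zip_bytes):
    """Return member names inside a ZIP payload that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []  # not a valid archive; nothing to inspect here


def assess_attachment(name, data=b""):
    """Classify one attachment as (verdict, reason); verdicts are block/review/allow."""
    lower = name.lower()
    lure = bool(LURE_RE.search(lower))
    if lower.endswith(EXEC_EXT):
        reason = "executable attachment" + (" with carrier-invoice lure" if lure else "")
        return ("block", reason)
    if lower.endswith(".zip"):
        members = executable_members(data)
        if members:
            return ("block", "ZIP containing executable: " + ", ".join(members))
    if lure:
        return ("review", "carrier-invoice lure name on non-executable attachment")
    return ("allow", "no indicator")


def build_sample_zip(member_name):
    """Constructed sample: an in-memory ZIP holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder - constructed, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("UPS_invoice_NR81913.exe", b""),                       # bare executable lure
        ("DHL_invoice.zip", build_sample_zip("DHL_invoice_1.exe")),  # ZIP wrapping an .exe
        ("report.pdf", b""),                                    # benign
    ]
    for attachment, payload in samples:
        print(attachment, assess_attachment(attachment, payload))
```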
So, what is Webwail? It seems to have been in development for quite some time. It is a bot well adapted for the web: dynamic and flexible, it incorporates library updates and a scripting engine to receive and execute tasks, and it is capable of solving a CAPTCHA in less than 30 seconds. Quite some thought has been put into it: the bot reports error conditions back and sends any HTML code it could not handle properly to the server, so the attackers can support changes on the fly. As with Cutwail and Pushdo, C&C traffic is encrypted.

In our observations, we noticed Webwail attempting to use solved CAPTCHAs – through different scripts received from its C&C servers – to both create accounts and send spam. As of writing, the Webwail engine is receiving commands to create Hotmail accounts – presumably to be used in future campaigns, possibly to spread Bredolab as well. Given the flexibility of the scripting engine, we found it feasible for the attackers to also develop scripts for tasks such as blog account and social network creation / spamming, even domain registration.

There was an older web engine (Imrabot) used by Pushdo back in 2008 – but it is not as capable as Webwail, and seems to have been a predecessor that was not heavily used. This engine used a CAPTCHA solving service which is still active today: anti-captcha.com. The site, in Russian, offers a service to solve CAPTCHAs at a fixed price of $1 USD for 1000 solved images. Many such services are available today (see our blog post on Adaptive Crime Services). Webwail uses a similar approach – sending CAPTCHA requests to a service and obtaining a text response that has presumably been entered by a human on the other end.
For over two years, the Cutwail spamming trojan has been in wide use to send traditional mail through SMTP and does not appear to be stopping yet. Bredolab is very prevalent and can spread aggressively – meaning it can quickly spread this new web engine along with it. Our observations indicate Bredolab is spreading itself through the use of Pushdo and its Cutwail botnet, in parallel prepping the Webwail botnet for future spam campaigns. Although slower, sending spam through web mail can be more effective since traditional reputation-based filtering cannot be employed (i.e. blacklisting spam coming from GMail). For more thoughts on this, please read this article on Zero-Day from Fortinet’s Guillaume Lovet. So when will a Bredolab spam campaign hit the web? Likely soon – we will continue to monitor developments on this new activity and keep you updated.
Bredolab & Pushdo Evolution:
Jan 2007: 1st Generation Pushdo
Dec 2007: 2nd Generation Pushdo [Codename: Siberia2]
May 2009: 1st Generation Bredolab (Gumblar Attacks)
Oct 2009: 2nd Generation Bredolab
Nov 2009: 3rd Generation Pushdo [Codename: Revolution6]
Dec 2009: FortiGuard Labs Discovers Beta Webwail Engine - Not Active
Jan 2010: 2nd Generation Bredolab Spreads Webwail
Thanks to Kyle Yang from FortiGuard Labs for his analysis of Pushdo, Bredolab and the Webwail engine.