Cutwail Drives Spike in Malicious HTML Attachment Spam

Discussion in 'Anti-Virus' started by hnpl2011, Feb 21, 2012.

  1. hnpl2011 Guest

    Anyone got these samples? Please post them here.
    hnpl2011, Feb 21, 2012

  2. Virus Guy Guest

    Is Cutwail known by other names?

    Because the last time Cutwail was seen on the MDL was May 2009:
    Virus Guy, Feb 21, 2012

  3. hnpl2011 Guest

    Microsoft: TrojanDownloader:Win32/Cutwail.BE
    hnpl2011, Feb 25, 2012
  4. Virus Guy Guest

    Ok, someone explain this to me.

    Cutwail is apparently known both as the name of a botnet and also as the
    name of a detectable piece of malware being delivered to or running on
    an infected PC.

    Cutwail (the botnet) is one of the top 3 known botnets for the past few

    So one would think that there would be a continuous campaign to recruit
    new PCs into this botnet to replace any that are lost (due to AV
    detection, etc.) as well as to grow the size of the botnet.

    So why are we not seeing evidence of Cutwail - the infector / trojan?

    Or - does the infector / trojan that delivers / installs Cutwail to a PC
    go by another name?
    Virus Guy, Feb 25, 2012
  5. Virus Guy Guest

    I know that Cutwail is / was also called Pushdo - but again there's no
    evidence that Pushdo has been seen in the wild for a few years...
    Virus Guy, Feb 25, 2012
  6. I haven't come across any new samples of either called Pushdo or Cutwail.
    David H. Lipman, Feb 25, 2012
  7. Virus Guy Guest

    So how is one of the largest botnets on the planet managing to maintain
    or expand the number of computers it controls without putting exploits
    out in the wild to infect new systems?
    Virus Guy, Feb 25, 2012
  8. Just sit back and wait for the next wormable exploit and see if this
    malware makes use of that mechanism to enter another spreading phase.
    FromTheRafters, Feb 25, 2012
  9. Virus Guy Guest

    I don't think so. The evidence is sketchy, but Cutwail does seem to be
    rebuilding itself. It's certainly still active as a spam botnet. Maybe
    with different owners today vs. 2 years ago.

    A diagram showing the relationship between Pushdo, Goolbot, Zbot,
    Bredolab, Sasfis, FakeAV, Webwail and a few others. Time frame Jan 2007
    - Sept 2010:

    A very comprehensive 2-year-old technical document on the operation and
    structure of Pushdo/Cutwail/Webwail botnet:

    Apparently in late August 2010, the Pushdo/Cutwail botnet command
    centers were taken down, and in late October 2010 most of the Bredolab
    botnet was taken down.

    Analysis of the change in spam traffic and spam-source indicated that a
    large number of computers infected with Cutwail were located in the US.
    During this time frame (Q4 2010) Bredolab was still running, mostly from
    computers in India and Russia.

    I think that a lot of the spam e-mail links to Blackhole exploit and
    FakeAV I was seeing last year were probably attempts to build up one of
    these botnets - but which one? Cutwail/Pushdo? Or Zbot? Or Bredolab?

    This post was blogged last December:

    Cutwail Botnet Still Going Strong

    It sez that it was also known as Pandex (which has never been seen by
    the MDL).

    But in that post we read that Cutwail was spamming links to servers
    hosting SpyEye, and SpyEye was seen on the MDL as recently as December
    last year - but only 3 times, and very rarely before that.

    This seems to be the best and most recent report of Cutwail activity:
    Cutwail Drives Spike in Malicious HTML Attachment Spam
    February 16th, 2012

    I remember getting a few of those Xerox/scanned-document spams.

    "The exploit ended up downloading and installing malware in
    our test computer, which at the time of writing, was a
    data-stealing Trojan with the antivirus detection name Cridex."

    Apparently those were coded using the Phoenix exploit kit.

    MDL is showing some very recent Phoenix activity:

    None seem to be active. However, for cridex:

    Some of those seem to be active.

    For example - this one:

    It's about 73 kbytes, looks like an executable file, UPX packed. It's
    being detected by only 4 out of 31 at VT right now:
    Virus Guy, Feb 25, 2012