Cutwail : Malware With a Crash Reporting Feature.

Cutwail Spam component is a part of PushDo Botnet . Recently I was analysing Cutwail and came across an interesting patch reporting functionality in Cutwail .

It starts with Fixing IAT ( Import Address Table ) to correct corresponding addresses . This is done because this component of PushDo is loaded and executed through process Tunnelling / RunPE method

blog.odt.png

blog.1.png

It also sets up MAC address and a UDP socket for communication . MAC address is packed into a single 4byte Integer

3.png

When a crash occurs a custom exception handler collects the related information in the following structure

#pragma pack(1)
struct Crashpacket
{
    DWORD MacAddress;
    struct _EXCEPTION_RECORD ExpRecord;
    struct CONTEXT ContextRecord;
    DWORD NoOfStackFramesRead;
    DWORD CallChainRecord[20];
};

MacAddress is retrieved from variable set earlier . _EXCEPTION_RECORD is an inbuilt structure which contains information related to the particular raised exception . CONTEXT is a structure that contains all the machine registers at the time of crash .

typedef struct _CONTEXT
{
     ULONG ContextFlags;
     ULONG Dr0;
     ULONG Dr1;
     ULONG Dr2;
     ULONG Dr3;
     ULONG Dr6;
     ULONG Dr7;
     FLOATING_SAVE_AREA FloatSave;
     ULONG SegGs;
     ULONG SegFs;
     ULONG SegEs;
     ULONG SegDs;
     ULONG Edi;
     ULONG Esi;
     ULONG Ebx;
     ULONG Edx;
     ULONG Ecx;
     ULONG Eax;
     ULONG Ebp;
     ULONG Eip;
     ULONG SegCs;
     ULONG EFlags;
     ULONG Esp;
     ULONG SegSs;
     UCHAR ExtendedRegisters[512];
} CONTEXT, *PCONTEXT;*

(http://www.nirsoft.net/kernel_struct/vista/CONTEXT.html)

NoOfStackFramesRead denotes the number of valid stack frames read. It basically reads up to maximum of 20 stack frames or till stack is exhausted

4.png

It reads all the stack frames and store the return address in an array CallChainRecord
and then finally reports it to command and control server .

5.png

 
22
Kudos
 
22
Kudos

Now read this

Understanding Neverquest Banking Trojan Polymorphic Engine

Neverquest packer uses polymorphic engine and junk code in its important subroutines. By using polymorphic engine to some extent static signature rules will fail. For example you can see the difference in between two main decoding... Continue →