Cutwail : Malware With a Crash Reporting Feature.
Cutwail Spam component is a part of PushDo Botnet . Recently I was analysing Cutwail and came across an interesting patch reporting functionality in Cutwail .
It starts with Fixing IAT ( Import Address Table ) to correct corresponding addresses . This is done because this component of PushDo is loaded and executed through process Tunnelling / RunPE method
It also sets up MAC address and a UDP socket for communication . MAC address is packed into a single 4byte Integer
When a crash occurs a custom exception handler collects the related information in the following structure
#pragma pack(1)
struct Crashpacket
{
DWORD MacAddress;
struct _EXCEPTION_RECORD ExpRecord;
struct CONTEXT ContextRecord;
DWORD NoOfStackFramesRead;
DWORD CallChainRecord[20];
};
MacAddress is retrieved from variable set earlier . _EXCEPTION_RECORD is an inbuilt structure which contains information related to the particular raised exception . CONTEXT is a structure that contains all the machine registers at the time of crash .
typedef struct _CONTEXT
{
ULONG ContextFlags;
ULONG Dr0;
ULONG Dr1;
ULONG Dr2;
ULONG Dr3;
ULONG Dr6;
ULONG Dr7;
FLOATING_SAVE_AREA FloatSave;
ULONG SegGs;
ULONG SegFs;
ULONG SegEs;
ULONG SegDs;
ULONG Edi;
ULONG Esi;
ULONG Ebx;
ULONG Edx;
ULONG Ecx;
ULONG Eax;
ULONG Ebp;
ULONG Eip;
ULONG SegCs;
ULONG EFlags;
ULONG Esp;
ULONG SegSs;
UCHAR ExtendedRegisters[512];
} CONTEXT, *PCONTEXT;*
(http://www.nirsoft.net/kernel_struct/vista/CONTEXT.html)
NoOfStackFramesRead denotes the number of valid stack frames read. It basically reads up to maximum of 20 stack frames or till stack is exhausted
It reads all the stack frames and store the return address in an array CallChainRecord
and then finally reports it to command and control server .