Cutwail: Malware With a Crash Reporting Feature

The Cutwail spam component is part of the PushDo botnet. Recently I was analysing Cutwail and came across an interesting crash reporting feature in it.

It starts by fixing up its IAT (Import Address Table) so that every entry points to the correct API address. This is needed because this component of PushDo is loaded and executed through process hollowing (the RunPE technique): the image is written into the target process by the injector rather than mapped by the Windows loader, so its imports are never resolved for it and it has to do the job itself.



It also records the machine's MAC address and sets up a UDP socket for communication. The 6-byte MAC address is packed into a single 4-byte integer.


When a crash occurs, a custom exception handler collects the related information into the following structure:

#pragma pack(1)                        /* no padding: the struct is sent as-is */
struct Crashpacket {
    DWORD MacAddress;                  /* MAC address packed into 4 bytes, set earlier */
    EXCEPTION_RECORD ExpRecord;        /* exception code, flags, faulting address, parameters */
    CONTEXT ContextRecord;             /* full register state at the time of the crash */
    DWORD NoOfStackFramesRead;         /* number of valid entries in CallChainRecord */
    DWORD CallChainRecord[20];         /* return addresses, innermost frame first */
};
#pragma pack()

MacAddress is the value stored earlier. EXCEPTION_RECORD is the Windows structure describing the exception that was raised (code, flags, faulting address and any extra parameters). CONTEXT is the structure that holds all the machine registers at the time of the crash; the x86 layout from winnt.h is shown below.

typedef struct _CONTEXT {
     ULONG ContextFlags;              /* which of the groups below are valid */
     /* debug registers */
     ULONG Dr0;
     ULONG Dr1;
     ULONG Dr2;
     ULONG Dr3;
     ULONG Dr6;
     ULONG Dr7;
     FLOATING_SAVE_AREA FloatSave;    /* x87 FPU state (112 bytes); present in winnt.h */
     /* segment registers */
     ULONG SegGs;
     ULONG SegFs;
     ULONG SegEs;
     ULONG SegDs;
     /* integer registers */
     ULONG Edi;
     ULONG Esi;
     ULONG Ebx;
     ULONG Edx;
     ULONG Ecx;
     ULONG Eax;
     /* control registers */
     ULONG Ebp;
     ULONG Eip;
     ULONG SegCs;
     ULONG EFlags;
     ULONG Esp;
     ULONG SegSs;
     UCHAR ExtendedRegisters[512];    /* MAXIMUM_SUPPORTED_EXTENSION: FXSAVE area */
} CONTEXT, *PCONTEXT;                 /* 716 (0x2CC) bytes on x86 */


NoOfStackFramesRead holds the number of valid entries in CallChainRecord. The handler reads at most 20 stack frames, stopping earlier if the stack is exhausted.


It walks the stack frame by frame, stores each return address in the CallChainRecord array,
and finally sends the packet to the command-and-control server over the UDP socket set up earlier.
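The collection step above, written out as an added example; this is not Cutwail's code or a decompilation of it. It assumes the 32-bit Windows layouts from winnt.h (EXCEPTION_RECORD, the x86 CONTEXT including FloatSave) modelled with fixed-width types so it compiles on any host, and it assumes the stack walk is a frame-pointer (EBP chain) walk, which is the usual way to read "up to 20 frames or until the stack is exhausted"; the post does not say how Cutwail walks the stack or how it packs the MAC address, so the walk, the stack image, the MAC value and the addresses are all constructed for illustration, and nothing is sent on the network.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit Windows layouts modelled with fixed-width types so this compiles on any
   host; pointers become uint32_t. The sizes follow winnt.h for x86. */
#pragma pack(push, 1)
typedef struct {
    uint32_t ExceptionCode;
    uint32_t ExceptionFlags;
    uint32_t ExceptionRecord;          /* PEXCEPTION_RECORD, 32-bit pointer */
    uint32_t ExceptionAddress;         /* PVOID, 32-bit pointer */
    uint32_t NumberParameters;
    uint32_t ExceptionInformation[15]; /* EXCEPTION_MAXIMUM_PARAMETERS */
} EXCEPTION_RECORD32;                  /* 80 bytes */

typedef struct {
    uint32_t ControlWord, StatusWord, TagWord, ErrorOffset;
    uint32_t ErrorSelector, DataOffset, DataSelector;
    uint8_t  RegisterArea[80];
    uint32_t Cr0NpxState;
} FLOATING_SAVE_AREA32;                /* 112 bytes */

typedef struct {
    uint32_t ContextFlags;
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
    FLOATING_SAVE_AREA32 FloatSave;
    uint32_t SegGs, SegFs, SegEs, SegDs;
    uint32_t Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip;
    uint32_t SegCs, EFlags, Esp, SegSs;
    uint8_t  ExtendedRegisters[512];
} CONTEXT32;                           /* 716 bytes (0x2CC) */

#define MAX_FRAMES 20
typedef struct {
    uint32_t MacAddress;               /* packing of the 6-byte MAC is not shown in the post */
    EXCEPTION_RECORD32 ExpRecord;
    CONTEXT32 ContextRecord;
    uint32_t NoOfStackFramesRead;
    uint32_t CallChainRecord[MAX_FRAMES];
} CrashPacket;                         /* 884 bytes: the size of the UDP payload */
#pragma pack(pop)

/* Assumed mechanism: walk the EBP chain over a 32-bit stack image held in
   stack[] (nwords words, first word at virtual address stack_base). For each
   frame [ebp] is the caller's saved EBP and [ebp+4] the return address. Stops
   at MAX_FRAMES or when the chain leaves the image, misaligns, goes backwards,
   or reaches a zero return address. Returns the number of frames recorded. */
static uint32_t walk_frames(const uint32_t *stack, size_t nwords, uint32_t stack_base,
                            uint32_t ebp, uint32_t out[MAX_FRAMES])
{
    uint32_t n = 0;
    uint32_t stack_bytes = (uint32_t)(nwords * 4);
    while (n < MAX_FRAMES) {
        if (ebp < stack_base || (ebp & 3) || ebp - stack_base + 8 > stack_bytes)
            break;                     /* frame would fall outside the stack */
        size_t idx = (ebp - stack_base) / 4;
        uint32_t saved_ebp = stack[idx];
        uint32_t ret = stack[idx + 1];
        if (ret == 0)
            break;                     /* outermost frame: nobody called us */
        out[n++] = ret;
        if (saved_ebp <= ebp)
            break;                     /* chain must move up the stack; 0 ends it */
        ebp = saved_ebp;
    }
    return n;
}

/* Constructed stack image: `frames` chained frames 16 bytes apart, return
   addresses 0x00401000 + 0x10*i, saved EBP of the last frame = 0. Returns the
   EBP of the innermost frame (the value a crashing CONTEXT.Ebp would hold). */
static uint32_t make_stack(uint32_t *stack, size_t nwords, uint32_t stack_base, unsigned frames)
{
    memset(stack, 0, nwords * 4);
    uint32_t ebp = stack_base;
    for (unsigned i = 0; i < frames; i++) {
        size_t idx = (ebp - stack_base) / 4;
        uint32_t next = (i + 1 < frames) ? ebp + 16 : 0;
        stack[idx] = next;
        stack[idx + 1] = 0x00401000u + 0x10u * i;
        ebp = next;
    }
    return stack_base;
}

/* What the exception handler assembles before the UDP send. */
static void fill_packet(CrashPacket *p, uint32_t mac, const EXCEPTION_RECORD32 *er,
                        const CONTEXT32 *ctx, const uint32_t *stack, size_t nwords,
                        uint32_t stack_base)
{
    memset(p, 0, sizeof *p);
    p->MacAddress = mac;
    p->ExpRecord = *er;
    p->ContextRecord = *ctx;
    p->NoOfStackFramesRead = walk_frames(stack, nwords, stack_base, ctx->Ebp, p->CallChainRecord);
}

int main(void)
{
    uint32_t stack[128], base = 0x0012F000u;            /* constructed values */
    EXCEPTION_RECORD32 er = { .ExceptionCode = 0xC0000005u, .ExceptionAddress = 0x00401234u };
    CONTEXT32 ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.Eip = 0x00401234u;
    ctx.Ebp = make_stack(stack, 128, base, 25);        /* deeper than the 20-frame cap */
    CrashPacket pkt;
    fill_packet(&pkt, 0x11223344u, &er, &ctx, stack, 128, base);
    printf("packet %u bytes, %u frames recorded, first return address %#x\n",
           (unsigned)sizeof pkt, (unsigned)pkt.NoOfStackFramesRead,
           (unsigned)pkt.CallChainRecord[0]);
    return 0;
}
```

Two things fall out of writing it down. First, under these layout assumptions the report is a fixed 884-byte UDP datagram with the stack frame count at offset 800, which is the kind of length and structure artifact a detection engineer can match on. Second, an EBP-chain walk only sees frames of code compiled with frame pointers; frames from frame-pointer-omitting code break the chain early, so the count in NoOfStackFramesRead is a lower bound on the real call depth.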


