Cutwail (also known as Pandex) malware is not a new family name on the bot scene. However, the Cutwail/Pandex botnet is described as one of the largest and most active botnets currently known. This resilient botnet managed to bounce back after both the McColo ISP and the more recent Pricewert/3FN ISP shutdowns in California, both of which brought down global levels of spam for a short time and cut off the control servers where many bots retrieved their command and control instructions.
To further the botnet’s resilience and spread, the distributors of the malicious executables attempt to re-pack and re-obfuscate the components to evade security file scanners on victim systems. The executable runtime behavior may change across variants just a bit, but the fingerprint and physical makeup changes dramatically. This type of evasion, of course, is ineffective against a behavioral-based solution like ThreatFire. Cutwail is succesfully prevented from running on ThreatFire community user systems on a daily basis.
Some of the latest Cutwail/Pandex variants are themselves delivered in a variety of ways to a user’s system, renamed to reader_s.exe and run (note, other prevalent and current variants are renamed to update.exe). Reader_s.exe drops 0.exe, which drops an ADS or “alternate data stream” to the drive. This sort of location on the drive is tricky for a user to spot, because the svchost.exe:ext.exe stream cannot be seen as a file within an explorer window. This ADS executable code is installed as a system service by the Cutwail dropped executable 0.exe. Then, 0.exe launches and hijacks a svchost.exe process, communicating from it over an encrypted channel to a set of ip addresses. These communications eventually result in the compromised system gathering information to spew enough spam to help generate over 74 billion messages a day from the botnet.
The packing and evasion techniques implemented within these executables changes over time. One of the recent techniques is one that we have seen before in a variety of Fakealert executables in the past — intermixing random mmx instructions into the compiled code itself. These instructions have no functional purpose whatsoever. They simply modify values within the mmx registers arbitrarily. Intermixing the mmx instruction set unexpectedly within functions using the general-purpose intel instructions can cause problems for recognizing Cutwail malcode for emulators, backend automation, and AV scanners themselves — the evasion technique can be effective.
You can see one such function that was modified with mmx “nop” filler:
Protecting your system from becoming a part of the largest, most active botnet on the web requires an effective behavioral based layer like ThreatFire.