IT Security & Network Security News & Reviews: Bredolab, Spam and the CAPTCHA-Cracking Biz

Bredolab, Spam and the CAPTCHA-Cracking Biz

by Brian Prince

Bredolab on the Rise

After being relatively dormant at the beginning of the year, Bredolab began pushing Webwail Jan. 11, leading to a surge in activity.

Special Delivery

This is an example of a spam message containing the Bredolab Trojan. Here, the malware is disguised as an invoice from UPS. When run, Bredolab will download Pushdo, which in turn will download the Cutwail spamming Trojan and Webwail.

Webwail Gets Busy

Webwail is well-adapted for the Web: Dynamic and flexible, it incorporates library updates and a scripting engine to receive/execute tasks and is capable of solving a CAPTCHA in less than 30 seconds. The bot will report back error conditions and send HTML code not handled properly to the server so the attackers can support changes on the fly. Command and control traffic is also encrypted.

Hotmail Account to Go

As of Jan. 15, the Webwail engine was receiving commands to create Hotmail accounts—presumably to be used in future campaigns and to spread Bredolab as well.

Flexibility Could Mean Future Problems

This depicts more partial scripts to spam Hotmail accounts. "The most innovative thing is the binary protocol they have developed to work in harmony with JavaScript—a lot of thought has been put into it and it has been developed to be dynamic and adapted to the Web, likely to be used not only with Web spam but other automated Web tasks," said Fortinet Threats Researcher Derek Manky.

CAPTCHA Cracking as a Service

Circumventing CAPTCHA protections is a business, but not one that always pays well for the people doing the grunt work. The wage advertised here is $0.60 to $0.80 for every 1,000 entered CAPTCHAs. By circumventing CAPTCHA tests, spammers can use free, Web-based e-mail services to send out their wares to lower the risk of them being blocked by a spam filter.