CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. -- http://en.wikipedia.org/wiki/CAPTCHA

Ever since Luis von Ahn and his colleagues at Carnegie Mellon introduced it, CAPTCHA has been widely adopted by the IT industry for human interaction verification.  Spammers have counter-moved in order to defeat it.  A lot of studies have been conducted on how spammers crack CAPTCHA checks to create webmail accounts, blog entries, etc.  For example, Websense observed malware automatically solving CAPTCHA strings to register Windows Live Mail, Gmail and other webmail accounts for spamming purposes.

Over the past six months, the Microsoft Malicious Software Removal Tool (MSRT) has added threats such as Win32/Cutwail, Win32/Newacc and Win32/Captiya to take part in fighting CAPTCHA-related malware.

CAPTCHA related detection, Jan 2008 – June 2008 (distinct machines cleaned by MSRT)

Month       Cutwail    Cutwail spammer variants    Newacc
Jan 2008    193,866    39,658                      N/A
Feb 2008    138,700    71,584                      N/A
Mar 2008    130,710    97,739                      23,942
Apr 2008    133,460    74,283                      19,722
May 2008    126,887    79,076                      950
Jun 2008    119,285    82,800                      468

Win32/Cutwail: in January 2008 we added Cutwail to MSRT.  More than 193,000 distinct machines were cleaned of Cutwail infections during that month.  Note that Cutwail is a multi-purpose threat family and only a subset of it consists of spamming trojans.  These spamming variants accounted for more than 39,000 cleaned machines in January and have stayed between 71,000 and 97,000 cleaned machines per month since then.

Win32/Newacc: in March we added Newacc to MSRT and cleaned more than 23,000 Newacc-infected machines in that month.  After a couple of months the disinfection count dropped significantly, to fewer than 1,000 cleaned machines, indicating that the malware authors may have moved on to something else.

Win32/Captiya: Captiya was included in the May MSRT release.  We collected only a handful of Captiya samples, and as expected the detection volume was low: 193 machines were cleaned of this infection during the month.  Captiya itself is not involved in creating webmail accounts; rather, it feeds the malicious CAPTCHA service with images, likely to help improve the preprocessing of the OCR engine on the backend server of the CAPTCHA-breaking botnet.    We identified these two call-home sites: sys191.3fn.net and lamodano.info.
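As an added example that is not part of the original post, the following Python scans DNS query-log lines for lookups of the two call-home hosts named above, matching on label boundaries so that a lookalike such as notlamodano.info is not flagged while img.lamodano.info is. The BIND-style query-log format and the sample lines are constructed for illustration; adapt the regex to your resolver's format.

```python
import re
from collections import defaultdict

# Call-home hosts named in the post for Win32/Captiya.
CAPTIYA_CALLHOME = {"sys191.3fn.net", "lamodano.info"}

# Constructed sample lines in a BIND-style query-log layout (assumption:
# a real resolver log will need its own regex). Not real traffic.
SAMPLE_DNS_LOG = """\
10-Jun-2008 09:14:02.113 client 10.0.3.17#53211: query: www.microsoft.com IN A +
10-Jun-2008 09:14:05.920 client 10.0.3.17#53212: query: sys191.3fn.net IN A +
10-Jun-2008 09:15:41.004 client 10.0.7.88#40122: query: mail.example.org IN MX +
10-Jun-2008 09:16:00.551 client 10.0.7.88#40123: query: LAMODANO.INFO. IN A +
10-Jun-2008 09:16:02.007 client 10.0.3.17#53213: query: img.lamodano.info IN A +
10-Jun-2008 09:17:10.330 client 10.0.9.5#61002: query: notlamodano.info IN A +
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def normalize(name):
    """Lower-case and strip the trailing dot so 'LAMODANO.INFO.' equals 'lamodano.info'."""
    return name.lower().rstrip(".")


def matches_callhome(name, hosts=CAPTIYA_CALLHOME):
    """True if name is one of the call-home hosts or a subdomain of one.

    The suffix test is anchored on a dot, so 'notlamodano.info' does not match
    'lamodano.info' but 'img.lamodano.info' does.
    """
    name = normalize(name)
    return any(name == h or name.endswith("." + h) for h in hosts)


def scan_dns_log(text, hosts=CAPTIYA_CALLHOME):
    """Return {client_ip: [queried names]} for every query that hit a call-home host."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_callhome(m.group("name"), hosts):
            hits[m.group("ip")].append(normalize(m.group("name")))
    return dict(hits)


if __name__ == "__main__":
    for ip, names in sorted(scan_dns_log(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {', '.join(names)}")
```

The host list is only what the post names; indicators this old may have changed hands since, so treat a hit as a lead to confirm against the other Captiya behaviour described above rather than as a verdict on its own.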

Correlating Win32/Newacc and Win32/Cutwail: we observed variants of Cutwail downloading and installing Win32/Newacc.  MSRT March data also shows that 21,393 of the 23,942 Newacc-infected machines were also infected by Cutwail.  It is possible that the Newacc authors use downloaders or droppers in Cutwail to deploy their spamming bots.
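The co-infection figure above (21,393 of 23,942 Newacc machines also carrying Cutwail) is a count of distinct machines, so a machine reported under several families, or reported more than once, has to be collapsed before counting. The following Python, added here as an illustration and not MMPC's own tooling, does that over constructed MSRT-style records (machine id, threat family, country; the rows are made up) and also computes the reverse share, which should be much lower if Cutwail is the dropper and Newacc the payload.

```python
from collections import defaultdict

# Constructed records in the shape (machine_id, threat family, country/region).
# A machine can appear under several families, or twice under one. Made-up data.
SAMPLE_RECORDS = [
    ("m001", "Win32/Cutwail", "US"),
    ("m001", "Win32/Newacc", "US"),
    ("m002", "Win32/Cutwail", "Spain"),
    ("m003", "Win32/Newacc", "China"),
    ("m003", "Win32/Cutwail", "China"),
    ("m004", "Win32/Newacc", "Russia"),
    ("m005", "Win32/Cutwail", "US"),
    ("m005", "Win32/Cutwail", "US"),  # duplicate report for the same machine
    ("m006", "Win32/Captiya", "France"),
]


def families_per_machine(records):
    """Map machine_id -> set of families cleaned from it; duplicates collapse."""
    fams = defaultdict(set)
    for machine, family, _country in records:
        fams[machine].add(family)
    return fams


def distinct_machines(records, family):
    """Distinct machines cleaned of one family, the figure the monthly table reports."""
    return {m for m, f, _ in records if f == family}


def co_infection(records, family_a, family_b):
    """Return (machines with A, machines with both A and B, share of A machines with B).

    With family_a = Newacc and family_b = Cutwail this is the 21,393 / 23,942 style
    figure quoted in the post.
    """
    fams = families_per_machine(records)
    with_a = {m for m, fs in fams.items() if family_a in fs}
    both = {m for m in with_a if family_b in fams[m]}
    share = len(both) / len(with_a) if with_a else 0.0
    return len(with_a), len(both), share


def machines_by_country(records):
    """Distinct machines per country/region across all families, like the post's second table."""
    seen = defaultdict(set)
    for machine, _family, country in records:
        seen[country].add(machine)
    return {c: len(ms) for c, ms in seen.items()}


if __name__ == "__main__":
    n, both, share = co_infection(SAMPLE_RECORDS, "Win32/Newacc", "Win32/Cutwail")
    print(f"Newacc machines: {n}, also Cutwail: {both} ({share:.0%})")
    n, both, share = co_infection(SAMPLE_RECORDS, "Win32/Cutwail", "Win32/Newacc")
    print(f"Cutwail machines: {n}, also Newacc: {both} ({share:.0%})")
    for country, count in sorted(machines_by_country(SAMPLE_RECORDS).items(), key=lambda kv: -kv[1]):
        print(f"{country:8} {count}")
```

The asymmetry between the two shares is the signal to look for: if nearly every Newacc machine also has Cutwail but only a fraction of Cutwail machines have Newacc, the data is consistent with Cutwail acting as the delivery channel, as the post suggests, though cleaning data alone cannot prove which one installed the other.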

Where these spamming bots are deployed (distinct machines cleaned, by country/region):

Country/Region    Distinct machines
US                173,574
Spain             77,859
China             45,205
Russia            39,493
France            36,708
Turkey            30,928
Korea             20,674
Italy             16,360
Germany           16,057
Brazil            15,892
All other         136,827

While CAPTCHA technology is evolving and CAPTCHA-breaking spammers are improving their cracking techniques, the Microsoft Malware Protection Center (MMPC) is keeping an eye on changes in the threat landscape, and MSRT is out there to help.  If you would like to participate and can provide samples, we would like to hear from you. You can submit malware samples to us through our portal.

Scott Wu
Microsoft Malware Protection Center (MMPC)