Friday, August 08, 2008 1:48 PM by mmpc
MSRT on CAPTCHA breaking malware
A CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. -- http://en.wikipedia.org/wiki/CAPTCHA
Ever since Luis von Ahn and folks from Carnegie Mellon introduced it, CAPTCHA has been widely adopted by the IT industry for human interaction verification. Spammers have made counter-moves to defeat CAPTCHA. Many studies have been conducted on how spammers could crack CAPTCHA authentication to create webmail accounts, blog entries, etc. For example, Websense observed malware that automatically validates CAPTCHA strings to register Windows Live Mail, Gmail and other webmail accounts for spamming purposes.
Over the past six months, the Microsoft Malicious Software Removal Tool (MSRT) has been adding threats such as Win32/Cutwail, Win32/Newacc and Win32/Captiya to take part in fighting CAPTCHA-related malware.
CAPTCHA related detection, Jan 2008 – June 2008
| Month | Cutwail | Cutwail Spammer variants | Newacc |
|---|---|---|---|
| Jan 2008 | 193,866 | 39,658 | N/A |
| Feb 2008 | 138,700 | 71,584 | N/A |
| Mar 2008 | 130,710 | 97,739 | 23,942 |
| Apr 2008 | 133,460 | 74,283 | 19,722 |
| May 2008 | 126,887 | 79,076 | 950 |
| Jun 2008 | 119,285 | 82,800 | 468 |
Win32/Cutwail: in January 2008 we added Cutwail to MSRT. More than 193,000 distinct machines were cleaned of Cutwail infection during the month. Note that Cutwail is a multi-purpose threat family and only a subset of this family are spammer trojans. These spamming variants accounted for more than 39,000 cleaned machines in January, and the count has stayed between 71,000 and 97,000 cleaned machines since then.
Win32/Newacc: in March we added Newacc to MSRT and cleaned more than 23,000 Newacc-infected machines in the month. After a couple of months the disinfection count dropped significantly to fewer than 1,000 cleaned machines, indicating the malware authors may have moved elsewhere.
Win32/Captiya: Captiya was added to MSRT in the May release. We collected only a handful of Captiya samples and, as expected, the detection volume was low: 193 machines were cleaned of this infection in the month. Captiya itself is not involved in creating webmail accounts; rather, it feeds the malicious CAPTCHA service with images, likely to help improve the preprocessing of the OCR engine in the backend server of the CAPTCHA-breaking botnet. We identified these two call-home sites: sys191.3fn.net and lamodano.info.
Correlating Win32/Newacc and Win32/Cutwail: we observed variants of Cutwail downloading and installing Win32/Newacc. MSRT March data also shows that 21,393 machines out of 23,942 Newacc-owned machines were also infected by Cutwail. It is possible that Newacc authors use downloaders or droppers in Cutwail to deploy their spamming bots.
One other picture to show where these spamming bots are deployed:
| Country/Region | Distinct machines |
|---|---|
| US | 173,574 |
| Spain | 77,859 |
| China | 45,205 |
| Russia | 39,493 |
| France | 36,708 |
| Turkey | 30,928 |
| Korea | 20,674 |
| Italy | 16,360 |
| Germany | 16,057 |
| Brazil | 15,892 |
| All other | 136,827 |
While the CAPTCHA technology is evolving and the CAPTCHA breaking spammers are improving their cracking techniques, Microsoft Malware Protection Center (MMPC) is keeping an eye on the threat landscape changes and MSRT is out there to help out. If you would like to participate and can provide samples we would like to hear from you. You can submit the malware samples to us through our portal.
Scott Wu
Microsoft Malware Protection Center (MMPC)