Home / malware Win32/Cutwail
First posted on 17 April 2012.
Source: MicrosoftAliases :
There are no other names known for Win32/Cutwail.
Explanation :
Win32/Cutwail is a Trojan which downloads and executes arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads a Trojan which is able to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
Top
Win32/Cutwail is a Trojan which downloads and executes arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads a Trojan which is able to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal. InstallationWhen executed Cutwail, attempts to drop a device driver to disk, overwriting the legitimate original. The filename differs depending on the operating system version of the affected machine. The filename used may be one of the following:Cutwail then attempts to start the corresponding kernel driver by name:
- %SystemRoot%\System32\drivers\ip6fw.sys
- %SystemRoot%\System32\drivers\secdrv.sys
- %SystemRoot%\System32\drivers\netdtect.sys
This driver attempts to restore various system hooks to their original unhooked state. For example, any System Service Descriptor Table (SSDT) hook will be reverted. By doing this, Cutwail may be able to circumvent security applications or even other malware which may be installed on the system. Payload Provides Advanced Stealth FunctionalityCutwail drops a second device driver to disk:
- Ip6Fw
- Secdrv
- NetDetect
and installs it via the following registry modifications (for example): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\ImagePath= "\\??\\C:\\WINDOWS\\System32\\drivers\\runtime.sys"
- %SystemRoot%\System32\drivers\runtime.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Type = 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Start = 0x3 It then loads the driver. This driver is able to stealth processes for a supplied process id (PID) by directly manipulating the EPROCESS structure. Cutwail usually downloads an updated version of itself (see Downloads and Executes Arbitrary Files section below for additional detail). This updated version drops another driver which implements additional rootkit functionality. The updater attempts to write the device driver to:and install it via the following registry modifications (for example): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\\??\\C:\\WINDOWS\\System32\\drivers\\runtime2.sys"
- %SystemRoot%\System32\drivers\runtime2.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\ErrorControl = 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x3 It then loads the driver. If 'runtime2.sys' already exists, the new device driver is written to the alternate location:The existing device driver is then instructed to update itself with the new copy. The driver also creates the following registry keys to ensure that is loaded in safe mode: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
- %SystemRoot%\System32\drivers\runtime2.sy_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys This driver then drops an executable to:creating the following registry entry to ensure it is run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv = "C:\WINDOWS\Temp\startdrv.exe" Inhibits RemovalCutwail is not only able to hide itself, it can prevent the removal of its files and registry entries. To hide and protect its registry entries it hooks the following functions via SSDT:
- %SystemRoot%\Temp\startdrv.exe
ZwDeleteValueKey()
ZwEnumerateKey()
ZwEnumerateValueKey()
ZwOpenKey()
ZwSetValueKey() To protect files on disk it implements a file system filter driver. The Irp handlers IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL are hooked for the FastFAT or NTFS driver objects, depending on the filesystem type. Downloads and Executes Arbitrary FilesCutwail attempts to launch a copy of Internet Explorer from the following location:It then injects the downloading component into this process, where it then executes. Cutwail instructs 'runtime.sys' to stealth the "iexplore.exe" process. After this, runtime.sys is deleted. The downloading component creates the mutex: k4j.32H_f7z_Z6e.g8G0. It attempts to connect to one of the following remote hosts to download a software bundle.
- %ProgramFiles%\Internet Explorer\iexplore.exe
66.246.72.173
67.18.114.98
208.66.194.241
66.246.252.213
66.246.252.215
208.66.194.234 Cutwail creates a file during the download process, selecting the name randomly from the following list:
%windir%\system32\9_exception.nls
%windir%\system32\8_exception.nls
%windir%\system32\7_exception.nls
%windir%\system32\6_exception.nls
%windir%\system32\5_exception.nls
%windir%\system32\4_exception.nls
%windir%\system32\3_exception.nls
%windir%\system32\2_exception.nls
%windir%\system32\1_exception.nls
%windir%\system32\0_exception.nls Cutwail may also create the following registry key value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme\Last Executables from within the downloaded software bundle may be written to disk or injected directly into Internet Explorer. Those which are written to disk, are given a random numerical filename and are written to the %temp% directory, for example, %temp%\1193135.exeLast update 17 April 2012