Webroot researcher Andrew Brandt came across a variant of the Pushdo bot that makes it possible for the infected computer to bypass the audio captchas used by Microsoft’s webmail services Hotmail and Live.com, so that spam containing malicious links can arrive undisturbed at its destination.
Using these (often whitelisted) email addresses, the bot is able to pull down the captchas and provide the correct response that allows the emails to be sent. This is the first instance of a Trojan that attempts to bypass audio captchas – those trying to do so with visual ones are already old news.
The Trojan sample Webroot analyzed comes disguised as the free password manager KeePass, but very shortly after the “application” is executed, it copies itself into the System32 folder and immediately starts establishing network connections to four C&C servers – of which only one isn’t blacklisted.
Upon receiving instructions, the Trojan begins its spam run and starts querying for captchas.
When – in between spamming – Live.com asks the user/bot to reproduce the content of the captcha, the bot is usually able to do so in about three to ten seconds, and according to Brandt, it usually takes the bot about two tries to provide the correct answer and resume spamming.
The emails it sends contain just one line and a link to a Yahoo Groups page. The text is laughably incorrect (grammatically and expression-wise) and seems like a rather poor attempt at social engineering.
Lines like “God bless you my son. He wants you to look this hot photos right now!” and “Mamma mia! your grandmother is doing so strange things here! Look at these delineations!” will more likely make recipients chuckle than follow the link, but those who are tempted to look at their grandmother’s “delineations” will be taken to a page with explicit photos that links to a service by the name of “Hacked Blackbook”.
The service professes to be free and to contain pornographic images from hacked Facebook, Myspace, Twitter and Flickr accounts, but to access it, the user has to provide credit card details (notice the crafty “free” membership option that isn’t).
Fortunately for the users, the bot is as easy to find and remove as any of the other Pushdo variants.