Bredolab Pushing New Spam Engine

Written by Sue Walsh on January 26, 2010

Experts say the Bredolab botnet is now linked to a spam engine called Webwail that has led to a huge spike in its activity. The spam it’s pumping out is nothing new: fake notifications from UPS claiming a package could not be delivered and directing the recipient to open the attached file to print out an invoice needed to pick it up. The attachment contains a hidden exe file that downloads the Cutwail Trojan and Webwail.

Webwail is a sophisticated engine that has library updates, a scripting engine and the ability to crack CAPTCHAs in 30 seconds or less. The engine also reports errors back to its command server so changes can be made quickly. Currently it’s being directed to create Hotmail accounts.

CAPTCHA cracking is a hot business thanks to engines like Webwail. Botnet herders and spammers advertise for people willing to crack them for .60 to .80 per 1000 CAPTCHAs solved. Spammers want the free webmail accounts they can get by solving them so they can spam from an address not likely to be blocked by a spam filter.

Bredolab spent the holidays delivering the Zbot banking Trojan. Considered simplistic in the botnet world, Bredolab is little more than a “loader” that connects to a remote server, collects files, and executes them. Some experts think such loaders could be our next big threat.
