August 27, 2010

Security researchers have dealt a mighty blow to a spam botnet known as Pushdo, a massive grouping of hacked PCs that until recently was responsible for sending more than 10 percent of all junk e-mail worldwide.

According to security firm M86 Security Labs, junk e-mail being relayed by Pushdo (a.k.a. Cutwail) tapered off from a torrent to a dribble over the past few days. M86 credits researchers at LastLine Inc., a security firm made up of professors and graduate students from University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany).

LastLine’s Thorsten Holz said his group identified 30 Internet servers used to control the Pushdo/Cutwail infrastructure, located at eight different hosting providers around the globe. Holz said Lastline contacted all hosting providers and worked with them to take down the machines, which led to the takedown of nearly 20 of those control servers.

“Unfortunately, not all providers were responsive and thus several command & control servers are still online at this point,” Holz wrote on the company’s blog. “Nevertheless, this effort had an impact on Pushdo/Cutwail, which you can also see in new Anubis reports generated today by re-running the analysis: Many connection attempts fail and infected machines can not receive commands anymore.”

It will be interesting to see whether this action has a lasting effect on the Pushdo/Cutwail botnet, which has rebounded from similar infrastructure attacks in the past. In January 2010, researchers at Neustar and several ISPs targeted the control servers for the Lethic botnet, another botnet that at the time was estimated to be responsible for relaying roughly one in ten spam e-mails. But just a month after that takedown, spam volumes from Lethic began recovering.

In May 2009, the Federal Trade Commission ordered the unplugging of a hosting provider in Northern California called 3FN, which was at the time hosting a large number of Cutwail control servers. The 3FN takedown — a type of botnet assault that I like to call a “shun” — relies on ostracizing or immobilizing ISPs and hosting providers that repeatedly turn a blind eye to serious abuse on their networks.

This latest action by Lastline falls into the other major takedown category, a group of tactics best described as “stuns,” wherein researchers target a botnet’s control infrastructure in a coordinated takedown. I discuss both of these tactics in the latest McAfee Security Journal, available at this link.


7 thoughts on “Researchers Kneecap ‘Pushdo’ Spam Botnet

  1. PJ

    Is there a known resource online to check if a computer is part of the Pushdo botnet, or an antivirus or antimalware software that is proven effective at removing it?

    1. AlphaCentauri

      You can check with the Composite Blocking List:
      http://cbl.abuseat.org/lookup.cgi

      There are often different names for the same botnet, however. What CBL calls “Bobax” gets referred to as “Storm” or “Kraken,” for instance, with arguments whether one branched off another or one turned into another.

  2. Clive Robinson

    Sadly, as you note, taking out the control channel head end may only provide temporary relief, as it is often possible for the botnet operator to regain control.

    Also the problem with attacking the “head” is that sooner or later somebody is going to implement a Botnet that is decentralised in some manner whereby taking the “head out” will not be an option that will be an effective solution.

    There are a number of ways that “the control channel as a point of failure” can be overcome by a botnet operator. I have thought of a number of ways, some low bandwidth others high bandwidth.

    For instance in the past I have indicated one “low bandwidth” way Botnet operators might implement a decentralized control system through search engines and open post systems such as blogs.

    This has the difficulty that you cannot take down the search engines, and the number of open post systems is so large that a blog operator only needs to use one once.

    Which means that at some point we need to find a way of quickly identifying members of a botnet.

    Currently we kind of rely on Botnets to advertise their presence by some form of network activity that stands out above the noise. Which for the obvious botnet activities such as Spam or DOS attacks is not overly difficult.

    However, these currently high bandwidth activities reflect more on the inability of the botnet operators to cash in on their asset than anything else, and thus are little more than “nuisance attacks” with very low value.

    However, we are starting to see a change, in that one version of Zeus specifically targeted .mil and .gov with a payload to look for PDFs and documents on a user’s machine and then send them out. The reason this particular botnet was detected is said to be that the payloads just dumped data onto the network and thus became easily visible above the noise.

    If that is the case, then it is a mistake that was made by early worm writers, and the solution is the same: “Don’t draw attention by being obvious”; be covert.

    One way to be covert is to send very minimal amounts of information back to the botnet operator until specifically requested otherwise, or allow the Botnet operator “console access”, which is a recent feature added to Zeus.

    It will be interesting to see how this game plays out as the more savvy Botnet operators find better ways to capitalize on “their assets”.
