August 30, 2010, 11:19AM

Some Pushdo Variants Resuming Spam Operations

A few days after the majority of the command-and-control servers belonging to one of the variants of the Pushdo botnet were taken offline, some researchers say that there are indications that portions of the botnet are back to their old tricks, downloading new spam templates for a resumption of spam operations.

The research team at FireEye did a follow-up analysis of the results of the takedown effort led by researchers at Last Line of Defense last week, and found that the variant of the botnet that was targeted by the takedown is already showing signs of life again. The takedown effort was aimed at Pushdo.D, the most recent variant of the botnet, which in many cases acts as a downloader for a second piece of malware, Cutwail, the component that actually sends the spam.

Pushdo, like a lot of modern botnets, is not simply one monolithic network; it's split into several different pieces and almost certainly isn't controlled by one person or group. Bot herders often will rent or sell off pieces of their networks to other attackers, and the creators of bot programs typically will sell their software to all comers. So the end result is several different networks all using similar software with the same name that get lumped together.

The researchers at Last Line of Defense worked with hosting providers to take down 20 of the roughly 30 known C&C servers that the company was able to identify. Their analysis afterward showed that the volume of spam coming from Pushdo after the takedown was approaching zero.

But within a couple of days, the researchers at FireEye started seeing Cutwail download new spam templates from one of the known C&C servers that is still online. Pushdo and Cutwail, unlike some other bots and pieces of malware, carry a hard-coded list of IP addresses for their C&C servers, so the number of servers they can connect to is finite, and a takedown that covers the whole list leaves the bots with nowhere to call. However, some of the C&C servers Cutwail uses are legitimate servers that have been compromised, which makes blackholing them more problematic: null-routing the address takes the legitimate service down along with the C&C channel.
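The practical consequence of a hard-coded C&C list is that an analyst can treat it as a finite blocklist: the servers a bot can still reach after a takedown are just the set difference, and any internal host seen contacting one of the survivors is a candidate for the template downloads described above. The following is an added example, not code from the article or from FireEye or Last Line of Defense; the C&C addresses are placeholders from the RFC 5737 documentation ranges (the real Pushdo/Cutwail addresses are not given on this page), the "dedicated" versus "compromised-legitimate" labels and the firewall log format are assumed, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Placeholder C&C addresses (RFC 5737 documentation ranges). These are NOT real
# Pushdo/Cutwail C&C servers; the labels are an analyst's assumption about
# whether a server is a dedicated C&C box or a compromised legitimate host.
KNOWN_CNC = {
    "192.0.2.10": "dedicated",
    "192.0.2.11": "dedicated",
    "198.51.100.7": "compromised-legitimate",
    "203.0.113.22": "dedicated",
}

# Servers already taken offline in a hypothetical takedown.
TAKEN_DOWN = {"192.0.2.10", "192.0.2.11"}

# Constructed firewall log lines in an assumed syslog-like key=value format.
SAMPLE_LOG = """\
2010-08-27T10:00:01Z fw ACCEPT src=10.1.1.5 dst=192.0.2.10 dport=80
2010-08-27T10:00:04Z fw ACCEPT src=10.1.1.5 dst=192.0.2.11 dport=80
2010-08-27T10:00:09Z fw ACCEPT src=10.1.1.5 dst=198.51.100.7 dport=80
2010-08-27T10:00:12Z fw ACCEPT src=10.1.1.9 dst=203.0.113.99 dport=443
2010-08-27T10:00:15Z fw ACCEPT src=10.1.1.12 dst=203.0.113.22 dport=80
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Yield (src, dst, dport) for every line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_infected(text, cnc=KNOWN_CNC):
    """Map each internal host to the set of known C&C addresses it contacted."""
    hits = defaultdict(set)
    for src, dst, _dport in parse_log(text):
        if dst in cnc:
            hits[src].add(dst)
    return dict(hits)


def surviving_cnc(cnc=KNOWN_CNC, down=TAKEN_DOWN):
    """Because the C&C list is hard-coded, what the bot can still reach is the
    set difference. An empty result means the bots have nowhere left to call."""
    return {ip for ip in cnc if ip not in down}


def still_beaconing(text, cnc=KNOWN_CNC, down=TAKEN_DOWN):
    """Internal hosts that reached a C&C server still online: these are the
    machines that can pick up new spam templates after the takedown."""
    alive = surviving_cnc(cnc, down)
    return {src for src, dsts in find_infected(text, cnc).items() if dsts & alive}


def recommended_action(ip, cnc=KNOWN_CNC):
    """Dedicated C&C hosts can be null-routed outright. A compromised legitimate
    server should be blocked at the local egress and its owner notified rather
    than blackholed upstream, because blackholing also kills the legitimate
    service running on the same address."""
    kind = cnc.get(ip)
    if kind == "dedicated":
        return "null-route"
    if kind == "compromised-legitimate":
        return "egress-block-and-notify-owner"
    return "none"


if __name__ == "__main__":
    for host, servers in sorted(find_infected(SAMPLE_LOG).items()):
        print(host, "->", sorted(servers))
    print("C&C still online:", sorted(surviving_cnc()))
    print("hosts still able to beacon:", sorted(still_beaconing(SAMPLE_LOG)))
    for ip in sorted(surviving_cnc()):
        print(ip, recommended_action(ip))
```

Run against a real firewall or netflow export, the parser regex and the C&C list are the only things to swap; the per-server action split is the point of the example, since the article notes that the compromised legitimate servers are the ones a blanket blackhole cannot cleanly handle.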

 

"Keeping all these factors in mind I can speculate that we most probably won't see the bot masters making a desperate attempt to move to new CnCs. There is no rush as Pushdo backup servers are still up and running. They will likely wait for a while until things calm down. In the meantime they will try to find new CnC servers aiming for a silent update of infected systems. The success or failure of this recovery attempt (if any) will depend on the community's follow up after this shutdown attempt. Pushdo's backup servers are still alive so we need to keep an eye on Pushdo for some time like we did back in the past when Rustock and Srizbi tried to escape," FireEye researcher Atif Mushtaq said in his analysis of the Pushdo takedown.

"It's very likely that Pushdo, after this third shutdown attempt, would start following a Koobface-like CnC architecture. Koobface mostly uses compromised legitimate web servers as the front end CnCs keeping minimal dedicated servers as a backup, located in countries like China and Russia. That's the main reason that so far no real attempt has been made to shut it down. As a matter of fact, the concept of keeping some backup servers outside the US can also be seen even now from the above list, where most of the Pushdo CnCs left alive are outside the USA."


Copyright © 2012 threatpost.com