PushdoA new, detailed analysis of the operations of the infamous Cutwail/Pushdo botnet shows that the network, which had been he target of several takedown attempts in the last couple of years, is not only amazingly resilient, but also is incredibly prolific, with one section of the botnet sending more than 1.7 trillion spam messages, and quite profitable, generating as much as $4 million in profits for its owners.

The new analysis effort provides a unique perspective on the way that a spam botnet works and the economics and logistics that underpin it. A group of researchers from The Last Line of Defense, the University of California at Santa Barbara and the Ruhr-University Bochum in Germany got access to 13 Cutwail/Pushdo command-and-control servers, as well as three of the botnet crew’s development servers, last summer and were able to delve deeply into how the botnet operates, how much money the malware’s owners make and how the spammers on the pointy end of the network’s spear use compromised PCs all over the world to push knockoff Viagra, cheap watches and money mule scams.

As a result of the researchers’ work, the C&C servers they had access to were taken offline, as were several other associated C&Cs, and spam volumes from Cutwail have dropped. The takedown also partially disrupted the Bredolab botnet, which relied on Cutwail for some of its malware infections, they said.

“We were interested in getting at the ground-level truth about spam, and the best data that you can have is real data,” said Brett Stone-Gross, a PhD student at UCSB and one of the authors of the paper, “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns.”

“The interesting things were just the amount of spam that they were sending and how they operate like a professional business, with detailed statistics and error reporting. This is a real business.”

The researchers found that, like virtually all large-scale botnets, Cutwail/Pushdo in fact comprises several smaller botnets, each of which is operated by an individual customer of the overarching crew behind the operation. In this case, that crew provides not only the Cutwail malware that performs the initial infection of a machine, but also a menu of ancillary services and tools, including a variety of spam templates, huge caches of target email addresses and even access to a closed forum in which spammers trade tips and tricks on how to make spam campaigns more effective.

And it appears that those tactics have been finely honed, as the records that the researchers found on the servers they were able to access show that the bots those C&C servers controlled had sent more than 1.7 trillion spam emails between June 2009 and August 2010, and more than 500 billion of those messages were actually delivered successfully. That’s a mind-boggling volume of spam, especially when one considers that it’s coming from just one subset of one botnet.

“The most interesting information retrieved from the C&C servers was stored in the databases containing meticulous records for each spam bot. More specifically, the botnet controllers maintain detailed statistics per infected machine (identified via a unique IP address) in order to measure the effectiveness of their spam campaigns. We found that a spammer’s job is complicated by a number of factors including invalid email addresses, SMTP errors, and blacklisting. As a result, the amount of spam that was actually delivered (i.e., accepted by mail servers) was only around 30.3%, and the actual volume was likely much less after client-side spam filters are taken into account. This delivery rate is slightly higher than the 25% delivery rate of the Storm botnet,” the researchers–Thorsten Holz, Stone-Gross, Gianluca Stringhini and Giovanni Vigna–wrote in the paper, which they will deliver at the LEET ’11 workshop in Boston later this month.

“Overall, records contained on these Cutwail servers dated as far back as June 2009 and reported 516,852,678,718 messages were accepted for delivery out of a total of 1,708,054,952,020 attempts. Note that we obtained roughly one-half to two-thirds of the active Cutwail C&C servers, so the overall numbers are likely higher.”

The Cutwail/Pushdo botnet is one of the more well-known and well-researched botnets in operation right now, and several different groups of researchers have attempted to disrupt its operations or take it down completely, with varying degrees of success. A takedown operation spearheaded by researchers at FireEye last year had a large effect on the volume of spam sent by Cutwail bots, but the effect was temporary. Within a few months of the takedown, which involved removing a slew of C&C servers from the loop, spam levels from Cutwail were climbing again.

The researchers at Last Line of Defense and UCSB distinguished between the two individual components of the botnet: Cutwail, which is the actual bot; and Pushdo, which is a separate Trojan that often is used to download Cutwail on compromised PCs. Many bot-infected PCs are compromised initially through a drive-by download, and attackers will then often sell access to those machines to other groups, including spammers, who will install their own malware and spam engines such as Cutwail and get to work.

The analysis of Cutwail’s innerworkings revealed that during a one-month period, there were an average of slightly more than 121,000 Cutwail bots online on any given day. The prices that spammers are paid for their services vary widely, as do the prices that they pay for the bots, templates and email lists they use. But the Cutwail analysis gives a snapshot of how much money is involved in a large-scale operation.

“Thus, the Cutwail operators may have paid between $1,500 and $15,000 on a recurring basis to grow and maintain their botnet (assuming they did not develop their own loads system). If we estimate the value of the largest email address list (containing over 1,596,093,833 unique records) from advertised prices, it is worth approximately $10,000–$20,000. Finally, we estimate the Cutwail gang’s profit for providing spam services at roughly $1.7 million to $4.2 million since June 2009 (contingent on whether bulk discounts were provided to customers),” the researchers wrote.

Not a bad profit for a crew that has shown itself to be quite resourceful and resilient in bouncing back from frontal assaults by researchers and law enforcement over the last couple of years. And despite the work done by Stone-Gross and his colleagues, it’s likely that Cutwail will again regain its strength in the near future.

“If there’s a market for it, and there’s money in it, they’re going to keep doing it, because the risk is low,” Stone-Gross said.

Categories: Data Breaches, Malware, SMB Security, Web Security

Comments (2)

  1. Another thought...
    1

    Perhaps overall, people just don’t understand that SPAM should never be opened ? I mean really, what other possible explination could there be ???

    ( BE POLITE) !!!!!!!!!!!!!!!!!

Comments are closed.