Infiltrating the Pushdo Botnet

By Atif Mushtaq, FireEye

It’s very rare that we researchers get
a chance to explore the inner workings of a botnet command and control
server.  Detailed insight into the botnet server or command component
can give us valuable information about the motives of the botnet and
possibly the bad guys behind it. But granting access to these command
and control servers often depends on the will of the hosting providers.
So what happened in this case?


Recently, while I was casually monitoring logs from our MAX network to find out the current geolocations of Pushdo CnCs, I got these results for the last 30 days.


SOFTLAYER TECHNOLOGIES INC, USA

74.86.100.156
74.86.100.158
74.86.198.178
74.86.100.157
74.86.187.242

LIMESTONE NETWORKS INC, USA

216.245.203.122
216.245.213.194
216.245.219.202
69.162.90.170
69.162.68.114
69.162.90.130
69.162.92.162
69.162.104.250
69.162.84.186
69.162.113.18

LEASEWEB, NETHERLANDS

94.75.233.172
94.75.233.171
94.75.233.163

THEPLANET.COM INTERNET SERVICES INC, USA

74.54.77.82

VRTSERVERS INC

70.36.100.42

Seeing SoftLayer in the above ISP list was something which made me
quite excited. SoftLayer has a good history of dealing with abuse
requests so I knew that taking these servers offline would not be a big
deal.  But this time I was hoping for something more.  Keeping in mind
the good relationship between FireEye and SoftLayer, we requested that
they grant us access to one of the CnCs.  Nick Hale from the SoftLayer
abuse department responded very quickly based on evidence provided by
FireEye, and made a decision to give us access to this notorious server
for a limited time before shutting down all the cnc servers. Before we
get into the details of what was discovered, I’d like to take a moment
to thank SoftLayer, and especially Nick Hale, who offered full
cooperation on the matter.  More actions like this from victimized ISPs
will definitely keep the bad guys on their toes.

Apart from all this, an interesting thing we noticed was that the
C&C servers hosted at other providers were also down the next day.
This is probably a combination of the providers shutting them down and
the bad guys abandoning the servers (as a result of the C&C
shutdown at SoftLayer). As of Jan 18, 2010, all of the US servers
mentioned above are shut down. Only two servers located in the Netherlands
are still up and running at the time of writing this article.

These are the live servers:

94.75.233.172
94.75.233.171

WHOIS for 94.75.233.172 is like this:

inetnum:   94.75.233.0 - 94.75.233.255
netname:   LEASEWEB
descr:     LeaseWeb
descr:     P.O. Box 93054
descr:     1090BB AMSTERDAM
descr:     Netherlands
descr:     www.leaseweb.com
remarks:   Please send email to "abuse@leaseweb.com" for complaints
remarks:   regarding portscans, DoS attacks and spam.
remarks:   assignment LEASEWEB 20080723
country:   NL
admin-c:   LSW1-RIPE
tech-c:    LSW1-RIPE
status:    ASSIGNED PA
mnt-by:    LEASEWEB-MNT
source:    RIPE # Filtered
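The WHOIS record above is the kind of thing an abuse report is built from: the netname and country tell you who operates the allocation, the inetnum range confirms the live addresses really sit inside it, and the abuse mailbox is buried in free-text remarks rather than a dedicated attribute. The script below is an added example, not FireEye's tooling or anything from the original post; it parses the RIPE-style record quoted above (pasted in as a string so it runs offline), converts the inetnum range to CIDR, checks which of the two still-live CnC addresses fall inside it, and pulls the abuse contact out of the remarks. All function names (`parse_whois`, `inetnum_networks`, `abuse_contacts`, `addresses_in_allocation`, `abuse_report`) are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the RIPE inetnum record quoted in the post, embedded
# here so the parser can run without a network lookup.
WHOIS_TEXT = """\
inetnum:   94.75.233.0 - 94.75.233.255
netname:   LEASEWEB
descr:     LeaseWeb
descr:     P.O. Box 93054
descr:     1090BB AMSTERDAM
descr:     Netherlands
descr:     www.leaseweb.com
remarks:   Please send email to "abuse@leaseweb.com" for complaints
remarks:   regarding portscans, DoS attacks and spam.
remarks:   assignment LEASEWEB 20080723
country:   NL
admin-c:   LSW1-RIPE
tech-c:    LSW1-RIPE
status:    ASSIGNED PA
mnt-by:    LEASEWEB-MNT
source:    RIPE # Filtered
"""

# The two CnC addresses the post reports as still live on Jan 18, 2010.
LIVE_CNCS = ["94.75.233.172", "94.75.233.171"]


def parse_whois(text):
    """Parse 'key: value' lines into a dict of lists.

    Keys such as descr/remarks repeat, so every key maps to a list.
    A trailing ' # comment' (as in 'RIPE # Filtered') is stripped.
    """
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        value = value.split(" # ", 1)[0].strip()
        record.setdefault(key, []).append(value)
    return record


def inetnum_networks(record):
    """Turn the inetnum 'start - end' range into a list of CIDR networks."""
    start, end = (s.strip() for s in record["inetnum"][0].split("-", 1))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def abuse_contacts(record):
    """Extract mailboxes from remarks lines, where RIPE records of this era
    usually state the abuse contact instead of a dedicated attribute."""
    emails = []
    for line in record.get("remarks", []):
        emails += re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", line)
    return sorted(set(emails))


def addresses_in_allocation(ips, networks):
    """Return the subset of ips that fall inside any of the networks."""
    return [ip for ip in ips
            if any(ipaddress.ip_address(ip) in net for net in networks)]


def abuse_report(ips, text):
    """Summarise what an abuse desk needs: operator, netblock, contact,
    and exactly which reported addresses belong to this allocation."""
    record = parse_whois(text)
    nets = inetnum_networks(record)
    covered = addresses_in_allocation(ips, nets)
    return {
        "netname": record["netname"][0],
        "country": record["country"][0],
        "networks": [str(n) for n in nets],
        "abuse": abuse_contacts(record),
        "addresses": covered,
        "unmatched": [ip for ip in ips if ip not in covered],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(abuse_report(LIVE_CNCS, WHOIS_TEXT), indent=2))
```

The `unmatched` list is the check worth keeping: an address that is not covered by the record you looked up belongs to a different allocation, and a report sent to the wrong operator simply goes nowhere. The SoftLayer addresses from the earlier list, for instance, fall outside this LeaseWeb block.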

Back to the real story.  Infiltrating Pushdo was not something to do
simply for the sake of fun.  There was some serious motivation behind
all this.

Motive # 1

Grab the server component and all related files. This information was essential to understand this botnet’s internals.

Motive # 2

Try to find out who is behind Pushdo, including their
origin and business model. According to SoftLayer's records these servers
were based out of Germany (Berlin). SoftLayer provided us with further
details such as the company and the name of the registered owner. A quick search on
Google for those did not reveal anything meaningful.  It’s not a
surprise, since these guys normally use stolen credit cards for
purchasing such servers, leaving no clue behind.

What did I find inside Pushdo’s CnC? What was running as the CnC server?
Did I get any clues about the people behind it? I would like to discuss all
this in my next article. Stay tuned...

This post originally appeared on the FireEye Malware Intelligence Lab blog.
