Researchers Cripple Pushdo Botnet

Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet.

Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet.

Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet’s spam operations.

After doing an analysis of Pushdo’s command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for a variant of the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said.

“We identified a total of 30 servers used as part of the
Pushdo/Cutwail infrastructure, located at eight different hosting
providers all over the world. The information about the activity was
extracted from Anubis reports,
which contain details about the system and network activities,
including a pcap file that contains the network traffic we observed
while doing the analysis. We contacted all hosting providers and worked
with them on taking down the machines, which lead to the take-down of almost 20 servers.
Unfortunately, not all providers were responsive and thus several
Command & Control servers are still online at this point,” researcher Thorsten Holz wrote.

The result is that the volume of spam that Pushdo is producing has dropped to nearly zero.

At the time of Pushdo’s appearance several years ago, researchers found evidence that Pushdo’s creators had gone to some lengths to avoid detection and prevent removal of the malware associated withthe botnet. The creators had changed the way that Pushdo made HTTP requests, creating overly long GET requests to make them less identifiable.

“The length of the request will likely change between different service
pack levels of Windows. IDS/IPS signatures can still be written around
such a request, taking advantage of the fact that no other HTTP headers
are sent as one characteristic to key in on. However, even with this
approach, false positives may still occur,” SecureWorks researcher Joe Stewart wrote in an analysis in 2007. “Clearly the author of Pushdo is intent on evading detection for as long
as possible, in order to have the maximum amount of time to seed Cutwail
spambots into the wild.”

One of the interesting aspects of the original version of Pushdo is that its creator was using it not just to send spam, but also to spread other pieces of malware. This has become a more common business model in recent years as bot herders have looked for new ways to make money from the millions of compromised PCs under their control.

Spam volume graph from M86 Security Labs.

Suggested articles

Discussion

  • JoeFam on

    So why not publish the identification of the unresponsive providers? Since the truth is an absolute defense against liable cases, there should be no problem as long as one could prove beyond a reasonable doubt that the providers were in fact hosting the botnet.
  • Anonymous on

    "Since the truth is an absolute defense against liable cases"

    I think you meant libel, and the truth is not an absolute defense in Britain, where you can go jurisdiction shopping to pursue your libel cases since their laws heavily favor the plaintiff.

  • David Knell on

    With respect, that's not the case - although there is a certain burden of proof placed on the defendant in a defamation case in the UK to demonstrate that a statement which is claimed to be true actually is.  Which only seems reasonable to me.

  • AnonymousCoward on

    why not publish the identification of the unresponsive providers? That way I could switch and know they wouldn't be messing with my server without talking to me just because some er "researcher" decided they thought it might be some sort of C&C

  • Dennis Fisher on

    That's exactly the problem with publishing that information. Well, one of several. Most of the bad guys with any experience already know which hosting providers won't respond to takedown requests and for anyone who doesn't know, there's no point in helping them figure it out. The other problem is that in *some* cases, the hosting providers involved legitimately don't know that there are C&C servers or trojan drop zones being run out of their data centers. Some do and look the other way, but others don't, simply as a result of ignorance about the way these things operate or a lack of resources to track them.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.