A few days after the majority of the command-and-control servers belonging to one of the variants of the Pushdo botnet were taken offline, some researchers say that there are indications that portions of the botnet are back to their old tricks, downloading new spam templates for a resumption of spam operations.
The research team at FireEye did a follow-up analysis of the results of takedown effort led by researchers at Last Line of Defense last week, and found that the variant of the botnet that was targeted by the takedown is already showing signs of life again. The takedown effort was aimed at Pushdo.D, the most recent variant of the botnet, which is used in many cases to download a second piece of malware known as Cutwail, which is the program used for the spam operations.
Pushdo, like a lot of modern botnets, is not simply one monolithic
network; it’s split into several different pieces and almost certainly
isn’t controlled by one person or group. Bot herders often will rent or
sell off pieces of their networks to other attackers, and the creators
of bot programs typically will sell their software to all comers. So the
end result is several different networks all using similar software
with the same name that get lumped together.
The researchers at Last Line of Defense worked with hosting providers to take down 20 of the roughly 30 known C&C servers that the company was able to identify. Their analysis afterward showed that the volume of spam coming from Pushdo after the take down was approaching zero.
But within a couple of days, the researchers at FireEye started seeing that Cutwail was starting to download new spam templates from one of the known C&C servers that is still online. Pushdo and Cutwail, unlike some other bots and pieces of malware, have a hard-coded list of IP addresses for C&C servers, so the number of servers it can connect to is finite. However, some of the C&C servers Cutwail uses are legitimate servers that have been compromised, which makes blackholing them more problematic.
“Keeping all these factors in mind I can speculate that we most
probably won’t see the bot masters doing a desperate attempt to move to
new CnCs. There is no rush as Pushdo backup servers are still up and
running. They will likely wait for a while until things calm down. In
the meantime they will try to find new CnC servers aiming for a silent
update of infected systems. The success or failure of this recovery
attempt (if any) will depend on the community’s follow up after this
shutdown attempt. Pushdo’s backup servers are still alive so we need to
keep an eye on Pushdo for some time like we did back in past when
Rustock and Srizbi tried to escape,” FireEeye researcher Atif Mushtaq said in his analysis of the Pushdo takedown.
“It’s very likely that Pushdo, after this third shutdown attempt,
would start following a Koobface like CnC architecture. Koobface mostly
uses compromised legitimate web servers as the front end CnCs keeping
minimal dedicated servers as a backup, located in countries like China
and Russia. That’s the main reason that so far no real attempt has been
made to shut down it. As a matter of fact, the concept of keeping some
backup servers outside US can also been seen even now from above list,
where most of the Pushdo CnCs left alive are outside USA.”