Following in the footsteps of Lethic, Waledac, Mariposa and Zeus, yet another botnet has been infiltrated and shut down (even if temporary) – Pushdo. Pushdo is a family of malware, and Cutwail is the spamming software that spreads its payload across the Internet. From The Register:
Security researchers have disrupted the botnet known as Pushdo, a coup that over the past 48 hours has almost completely choked the torrent of junkmail from the once-prolific spam network. Researchers from the security intelligence firm LastLine said that they identified a total of 30 servers used as Pushdo command and control channels and managed to get the plug pulled on 20 of them. As a result, the torrent of junkmail spewing from it dropped to almost zero on Thursday, according to figures from M86 Security Labs.
Also known as Cutwail, Pushdo has long maintained a strong presence in the rogues gallery of the security world. It is known for spam that attempts to trick recipients into installing malware and it also excels at hiding itself from intrusion-prevention systems, security researches have said. Its output has varied over the years with estimates as high as 20 percent of the world's spam at some points.
The disruption is good news, but it also highlights the uphill challenge white hats face in severing menaces from the net. Some of the host providers contacted by LastLine ignored the request to disconnect the malicious servers, despite receiving a fair amount of data documenting their bad deeds
My own statistics on Cutwail from March-June 2010 suggests that it was the 3rd largest botnet after Rustock and Lethic. Cutwail more closely resembles Lethic in that it sends a lot of spam to multiple recipients in each email envelope. It still trails Rustock but not by a large margin. In terms of unique IPs, both Cutwail and Lethic had about the same amount, but Lethic sends way more spam per IP than Cutwail does. In terms of country of origin for IPs that are spamming (not C&Cs), I see the following:
- South Korea
- United States
Regarding this particular takedown, typically what tends to occur in instances like these is that the spam operation from a particular source (botnet, ISP, etc) is disrupted for a small period of time. Then, gradually, spam levels return to their former levels. This is because bots that are sending the spam are attempting to call home to their C&Cs but because they cannot connect to anything, there is nothing to do. It’s like a military unit out in the field awaiting orders but radio communications are down at central command.
The botnet operators then have to rebuild their infrastructure. They start sending out new pieces of malware, creating new C&C nodes and send out even more malware to get hosts infected to send out spam. The previous nodes are orphaned unless they have code installed that can phone home and update themselves. Of course, as any programmer knows, writing software that automatically updates is easier said than done. Once this new malware filled with C&C nodes reappears, and new hosts start spamming again, the botnet has rebuilt itself and usually the authors have learned a thing or two from the previous time and have made their code a bit more resilient with some redundancies built it. That’s the unfortunate part of takedowns – they work for a while but the next time it promises to be less easy. You don’t get two McColo’s in a row.