Follow Us
RSS FeedSecurity
Pushdo spam botnet damaged by white hats, still alive

Pushdo spam botnet damaged by white hats, still alive

Pushdo/Cutwail command and control servers taken down

By | IDG News Service | Published 13:20,

A botnet responsible for a significant amount of spam has been crippled but may reconstitute itself in a matter of weeks, according to vendor M86 Security. The Pushdo or Cutwail network of hacked computers ranked in the top five or so botnets for spam, responsible for as much as 10 percent of all spam, said Ed Rowley, product manager for M86 Security. The spam often advertises fake software, so-called designer goods and questionable pharmaceutical products.

But security analysts with the computer security company LastLine took action last week, contacting ISPs that were hosting the command-and-control infrastructure for the botnet. About 30 servers at eight hosting providers were found to be supporting Pushdo. LastLine contacted the ISPs, and about 20 of the servers were taken offline, according to its blog. Some ISPs, however, were unresponsive.

Also in this channel
Related Articles
Wikileaks

Wikileaks

Wikileaks - fearless whistleblowers or irresponsible nuisances? Keep up to date with the latest developments. Read more

Spam levels have dropped, Rowley said. LastLine's action "will almost certainly have a positive effect for two to three weeks," Rowley said. But "the spammers will be able to find other hosting providers where they will be able to get their systems up and running."

LastLine appears to have taken down parts of Pushdo and Cutwail, which work together, wrote Atif Mushtaq of FireEye's Malware Intelligence Lab, in a blog post. Pushdo is a Trojan. Once it infects a computer, it often downloads Cutwail, a piece of malware capable of spamming as well as downloading other bad programs.

Mushtaq confirmed LastLine's success. "After identifying the botnets in question it was very easy for me to go through my botlab logs and try to find leftover command and control servers. There was no doubt that many of the CnC servers were null routed. But as mentioned by LastLine, there were still some servers which were active and serving contents," he wrote.

And it's those active servers that remain a concern. As long as those servers are able to eventually contact the computers infected with Pushdo, it will be possible to resume spamming.

Pushdo has the ability to generate random domain names. If those domains are registered and activated, the botnet controllers can send new instructions to the hacked machines. "Either way, they'll be up and at it again in the near future," Rowley said.

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Does remote working affect how often you print?

Question of the day!

Does remote working affect how often you print?


% of Computerworld UK readers agree with you


Yes
TBC
No
TBC

What steps are you taking to address how/when/what you print?

123 characters remaining

Follow the conversation at @Think_Print

ComputerworldUK Knowledge Vault Hover to expand
Advertisement
X ComputerworldUK Share
Newsletter
Open
* *