A botnet responsible for a significant amount of spam has been crippled but may reconstitute itself in a matter of weeks, according to vendor M86 Security. The Pushdo or Cutwail network of hacked computers ranked in the top five or so botnets for spam, responsible for as much as 10 percent of all spam, said Ed Rowley, product manager for M86 Security. The spam often advertises fake software, so-called designer goods and questionable pharmaceutical products.
But security analysts with the computer security company LastLine took action last week, contacting ISPs that were hosting the command-and-control infrastructure for the botnet. About 30 servers at eight hosting providers were found to be supporting Pushdo. LastLine contacted the ISPs, and about 20 of the servers were taken offline, according to its blog. Some ISPs, however, were unresponsive.
Spam levels have dropped, Rowley said. LastLine's action "will almost certainly have a positive effect for two to three weeks," Rowley said. But "the spammers will be able to find other hosting providers where they will be able to get their systems up and running."
LastLine appears to have taken down parts of Pushdo and Cutwail, which work together, wrote Atif Mushtaq of FireEye's Malware Intelligence Lab, in a blog post. Pushdo is a Trojan. Once it infects a computer, it often downloads Cutwail, a piece of malware capable of spamming as well as downloading other bad programs.
Mushtaq confirmed LastLine's success. "After identifying the botnets in question it was very easy for me to go through my botlab logs and try to find leftover command and control servers. There was no doubt that many of the CnC servers were null routed. But as mentioned by LastLine, there were still some servers which were active and serving contents," he wrote.
And it's those active servers that remain a concern. As long as those servers are able to eventually contact the computers infected with Pushdo, it will be possible to resume spamming.
Pushdo has the ability to generate random domain names. If those domains are registered and activated, the botnet controllers can send new instructions to the hacked machines. "Either way, they'll be up and at it again in the near future," Rowley said.