Menu
Pushdo spamming botnet gains strength again

Pushdo spamming botnet gains strength again

The botnet has infected computers in more than 50 countries by changing its infection tactics

Computers in more than 50 countries are infected with a new version of Pushdo, a spamming botnet that has been around since 2007 and survived several attempts to shut it down.

At one time, Pushdo-infected computers sent as many as 7.7 billion spam messages per day. Security analysts have tried to kill it four times by commandeering its infrastructure, but a new version of the malware has emerged once again, with high concentrations of infections in countries such as India, Indonesia, Turkey and Vietnam.

"Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys," said Mike Buratowski, vice president of cybersecurity services at Fidelis Cybersecurity, based in Austin, Texas.

The latest version has been pushing Fareit, which is malware that steals login credentials, and Cutwail, a spam engine module. It has also been used to distribute online banking menaces such as Dyre and Zeus.

Part of what has made Pushdo so resilient is its frequently changing command-and-control system, which is used to issue instructions to an infected PC, such as uploading spam templates.

Pusho-infected computers contact a primary command-and-control server, but if that fails, they fall back to a secondary system, Buratowski said.

Using an elaborate algorithm, the secondary system generates 30 domains names a day that an infected computer can try to contact, according to an advisory on Fidelis's blog. Fidelis reverse-engineered the algorithm that generates those domain names, allowing it to register some of the domains.

That process, known as sinkholing, let Fidelis see the scope of Pushdo infections across the world because some infected computers call on those domains. Most end in ".kz," the country code top level domain for Kazakhstan.

It took a significant amount of effort and expertise to do that, Buratowski said. But Fidelis has now been able to create a set of Yara rules that administrators can put into their network perimeter devices to block computers from visiting those domains. Fidelis has calculated all the domains that this version of Pushdo intends to use throughout this year.

Although it appears that unpatched consumer computers are most at risk from Pushdo, Buratowski said his company has seen some infections in enterprises.

In the past, Pushdo has been distributed through spam and drive-by download attacks, which are Web-based attacks that look for software vulnerabilities on a person's computer. It has also occasionally been installed by other botnets as part of pay-per-install cybercriminal affiliate schemes.

The security industry has tried to shut down Pushdo four times during the last seven years, but those efforts only resulted in temporary disruptions.

In 2010, Lastline, a security company composed of researchers from Institute Eurecom in France, the University of California at Santa Barbara and others, contacted ISPs hosting some of Pushdo's command-and-control servers to get them shut down.

Many of the ISPs cut off connectivity to the servers, which caused a sudden drop in Pushdo's spam output. ISPs also made an effort to contact customers whose computers were infected. However, researchers were wary of declaring victory, and rightly so.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags FidelisantispamsecurityLastLine

Featured

Slideshows

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Show Comments