Menu
Pushdo spamming botnet gains strength again

Pushdo spamming botnet gains strength again

The botnet has infected computers in more than 50 countries by changing its infection tactics

Computers in more than 50 countries are infected with a new version of Pushdo, a spamming botnet that has been around since 2007 and survived several attempts to shut it down.

At one time, Pushdo-infected computers sent as many as 7.7 billion spam messages per day. Security analysts have tried to kill it four times by commandeering its infrastructure, but a new version of the malware has emerged once again, with high concentrations of infections in countries such as India, Indonesia, Turkey and Vietnam.

"Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys," said Mike Buratowski, vice president of cybersecurity services at Fidelis Cybersecurity, based in Austin, Texas.

The latest version has been pushing Fareit, which is malware that steals login credentials, and Cutwail, a spam engine module. It has also been used to distribute online banking menaces such as Dyre and Zeus.

Part of what has made Pushdo so resilient is its frequently changing command-and-control system, which is used to issue instructions to an infected PC, such as uploading spam templates.

Pusho-infected computers contact a primary command-and-control server, but if that fails, they fall back to a secondary system, Buratowski said.

Using an elaborate algorithm, the secondary system generates 30 domains names a day that an infected computer can try to contact, according to an advisory on Fidelis's blog. Fidelis reverse-engineered the algorithm that generates those domain names, allowing it to register some of the domains.

That process, known as sinkholing, let Fidelis see the scope of Pushdo infections across the world because some infected computers call on those domains. Most end in ".kz," the country code top level domain for Kazakhstan.

It took a significant amount of effort and expertise to do that, Buratowski said. But Fidelis has now been able to create a set of Yara rules that administrators can put into their network perimeter devices to block computers from visiting those domains. Fidelis has calculated all the domains that this version of Pushdo intends to use throughout this year.

Although it appears that unpatched consumer computers are most at risk from Pushdo, Buratowski said his company has seen some infections in enterprises.

In the past, Pushdo has been distributed through spam and drive-by download attacks, which are Web-based attacks that look for software vulnerabilities on a person's computer. It has also occasionally been installed by other botnets as part of pay-per-install cybercriminal affiliate schemes.

The security industry has tried to shut down Pushdo four times during the last seven years, but those efforts only resulted in temporary disruptions.

In 2010, Lastline, a security company composed of researchers from Institute Eurecom in France, the University of California at Santa Barbara and others, contacted ISPs hosting some of Pushdo's command-and-control servers to get them shut down.

Many of the ISPs cut off connectivity to the servers, which caused a sudden drop in Pushdo's spam output. ISPs also made an effort to contact customers whose computers were infected. However, researchers were wary of declaring victory, and rightly so.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags antispamLastLineFidelis

Brand Post

Featured

Slideshows

Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Malwarebytes shoots the breeze with channel, prospects

Malwarebytes shoots the breeze with channel, prospects

A Kumeu, Auckland, winery was the venue for a Malwarebytes event for partner and prospect MSPs - with some straight shooting on the side. The half-day getaway, which featured an archery competition, lunch and wine-tasting aimed at bringing Malwarebytes' local New Zealand and top and prospective MSP partners together to celebrate recent local successes, and discuss the current state of malware in New Zealand. This was also a unique opportunity for local MSPs to learn about how they can get the most out of Malwarebytes' MSP program and offering, as more Kiwi businesses are targeted by malware.

Malwarebytes shoots the breeze with channel, prospects
Show Comments