Menu
Pushdo spamming botnet gains strength again

Pushdo spamming botnet gains strength again

The botnet has infected computers in more than 50 countries by changing its infection tactics

Computers in more than 50 countries are infected with a new version of Pushdo, a spamming botnet that has been around since 2007 and survived several attempts to shut it down.

At one time, Pushdo-infected computers sent as many as 7.7 billion spam messages per day. Security analysts have tried to kill it four times by commandeering its infrastructure, but a new version of the malware has emerged once again, with high concentrations of infections in countries such as India, Indonesia, Turkey and Vietnam.

"Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys," said Mike Buratowski, vice president of cybersecurity services at Fidelis Cybersecurity, based in Austin, Texas.

The latest version has been pushing Fareit, which is malware that steals login credentials, and Cutwail, a spam engine module. It has also been used to distribute online banking menaces such as Dyre and Zeus.

Part of what has made Pushdo so resilient is its frequently changing command-and-control system, which is used to issue instructions to an infected PC, such as uploading spam templates.

Pusho-infected computers contact a primary command-and-control server, but if that fails, they fall back to a secondary system, Buratowski said.

Using an elaborate algorithm, the secondary system generates 30 domains names a day that an infected computer can try to contact, according to an advisory on Fidelis's blog. Fidelis reverse-engineered the algorithm that generates those domain names, allowing it to register some of the domains.

That process, known as sinkholing, let Fidelis see the scope of Pushdo infections across the world because some infected computers call on those domains. Most end in ".kz," the country code top level domain for Kazakhstan.

It took a significant amount of effort and expertise to do that, Buratowski said. But Fidelis has now been able to create a set of Yara rules that administrators can put into their network perimeter devices to block computers from visiting those domains. Fidelis has calculated all the domains that this version of Pushdo intends to use throughout this year.

Although it appears that unpatched consumer computers are most at risk from Pushdo, Buratowski said his company has seen some infections in enterprises.

In the past, Pushdo has been distributed through spam and drive-by download attacks, which are Web-based attacks that look for software vulnerabilities on a person's computer. It has also occasionally been installed by other botnets as part of pay-per-install cybercriminal affiliate schemes.

The security industry has tried to shut down Pushdo four times during the last seven years, but those efforts only resulted in temporary disruptions.

In 2010, Lastline, a security company composed of researchers from Institute Eurecom in France, the University of California at Santa Barbara and others, contacted ISPs hosting some of Pushdo's command-and-control servers to get them shut down.

Many of the ISPs cut off connectivity to the servers, which caused a sudden drop in Pushdo's spam output. ISPs also made an effort to contact customers whose computers were infected. However, researchers were wary of declaring victory, and rightly so.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags antispamLastLineFidelis

Featured

Slideshows

Reseller News Platinum Club celebrates leading partners in 2019

Reseller News Platinum Club celebrates leading partners in 2019

The leading players of the New Zealand channel came together to celebrate a year of achievement at the annual Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months.

Reseller News Platinum Club celebrates leading partners in 2019
Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosted its second annual alumnae breakfast for the Women in ICT Awards in New Zealand, designed to showcase the leading female leaders in the industry. Held at The Cordis in Auckland, attendees came together to hear inspiring keynotes and panel discussions, alongside high-level networking among peers. Photos by Gino Demeer.

Reseller News hosts alumnae breakfast for Women in ICT Awards
Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Show Comments