Pushdo spamming botnet gains strength again

The botnet has infected computers in more than 50 countries by changing its infection tactics

Computers in more than 50 countries are infected with a new version of Pushdo, a spamming botnet that has been around since 2007 and survived several attempts to shut it down.

At one time, Pushdo-infected computers sent as many as 7.7 billion spam messages per day. Security analysts have tried to kill it four times by commandeering its infrastructure, but a new version of the malware has emerged once again, with high concentrations of infections in countries such as India, Indonesia, Turkey and Vietnam.

"Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys," said Mike Buratowski, vice president of cybersecurity services at Fidelis Cybersecurity, based in Austin, Texas.

The latest version has been pushing Fareit, which is malware that steals login credentials, and Cutwail, a spam engine module. It has also been used to distribute online banking menaces such as Dyre and Zeus.

Part of what has made Pushdo so resilient is its frequently changing command-and-control system, which is used to issue instructions to an infected PC, such as uploading spam templates.

Pusho-infected computers contact a primary command-and-control server, but if that fails, they fall back to a secondary system, Buratowski said.

Using an elaborate algorithm, the secondary system generates 30 domains names a day that an infected computer can try to contact, according to an advisory on Fidelis's blog. Fidelis reverse-engineered the algorithm that generates those domain names, allowing it to register some of the domains.

That process, known as sinkholing, let Fidelis see the scope of Pushdo infections across the world because some infected computers call on those domains. Most end in ".kz," the country code top level domain for Kazakhstan.

It took a significant amount of effort and expertise to do that, Buratowski said. But Fidelis has now been able to create a set of Yara rules that administrators can put into their network perimeter devices to block computers from visiting those domains. Fidelis has calculated all the domains that this version of Pushdo intends to use throughout this year.

Although it appears that unpatched consumer computers are most at risk from Pushdo, Buratowski said his company has seen some infections in enterprises.

In the past, Pushdo has been distributed through spam and drive-by download attacks, which are Web-based attacks that look for software vulnerabilities on a person's computer. It has also occasionally been installed by other botnets as part of pay-per-install cybercriminal affiliate schemes.

The security industry has tried to shut down Pushdo four times during the last seven years, but those efforts only resulted in temporary disruptions.

In 2010, Lastline, a security company composed of researchers from Institute Eurecom in France, the University of California at Santa Barbara and others, contacted ISPs hosting some of Pushdo's command-and-control servers to get them shut down.

Many of the ISPs cut off connectivity to the servers, which caused a sudden drop in Pushdo's spam output. ISPs also made an effort to contact customers whose computers were infected. However, researchers were wary of declaring victory, and rightly so.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags antispamLastLineFidelis

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?