Pushdo spamming botnet gains strength again

At one time, Pushdo-infected computers sent as many as 7.7 billion spam messages per day. Security analysts have tried to kill it four times by commandeering its infrastructure, but a new version of the malware has emerged once again, with high concentrations of infections in countries such as India, Indonesia, Turkey and Vietnam.

"Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys," said Mike Buratowski, vice president of cybersecurity services at Fidelis Cybersecurity, based in Austin, Texas.

The latest version has been pushing Fareit, which is malware that steals login credentials, and Cutwail, a spam engine module. It has also been used to distribute online banking menaces such as Dyre and Zeus.

Part of what has made Pushdo so resilient is its frequently changing command-and-control system, which is used to issue instructions to an infected PC, such as uploading spam templates.

Pusho-infected computers contact a primary command-and-control server, but if that fails, they fall back to a secondary system, Buratowski said.

Using an elaborate algorithm, the secondary system generates 30 domains names a day that an infected computer can try to contact, according to an advisory on Fidelis's blog. Fidelis reverse-engineered the algorithm that generates those domain names, allowing it to register some of the domains.

That process, known as sinkholing, let Fidelis see the scope of Pushdo infections across the world because some infected computers call on those domains. Most end in ".kz," the country code top level domain for Kazakhstan.

It took a significant amount of effort and expertise to do that, Buratowski said. But Fidelis has now been able to create a set of Yara rules that administrators can put into their network perimeter devices to block computers from visiting those domains. Fidelis has calculated all the domains that this version of Pushdo intends to use throughout this year.

Although it appears that unpatched consumer computers are most at risk from Pushdo, Buratowski said his company has seen some infections in enterprises.

In the past, Pushdo has been distributed through spam and drive-by download attacks, which are Web-based attacks that look for software vulnerabilities on a person's computer. It has also occasionally been installed by other botnets as part of pay-per-install cybercriminal affiliate schemes.

The security industry has tried to shut down Pushdo four times during the last seven years, but those efforts only resulted in temporary disruptions.

In 2010, Lastline, a security company composed of researchers from Institute Eurecom in France, the University of California at Santa Barbara and others, contacted ISPs hosting some of Pushdo's command-and-control servers to get them shut down.

Many of the ISPs cut off connectivity to the servers, which caused a sudden drop in Pushdo's spam output. ISPs also made an effort to contact customers whose computers were infected. However, researchers were wary of declaring victory, and rightly so.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk