Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet.

Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet’s spam operations.

After doing an analysis of Pushdo’s command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for a variant of the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said.

Recommended Reads

• Researchers Cripple Pushdo Botnet
• New Storm Botnet Variant Making Spam
• Where Are We A Year After McColo Shutdown?

“We identified a total of 30 servers used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world. The information about the activity was extracted from Anubisreports, which contain details about the system and network activities, including a pcap file that contains the network traffic we observed while doing the analysis. We contacted all hosting providers and worked with them on taking down the machines, which lead to the take-down of almost 20 servers. Unfortunately, not all providers were responsive and thus several Command & Control servers are still online at this point,” researcher Thorsten Holz wrote.

The result is that the volume of spam that Pushdo is producing has dropped to nearly zero.

At the time of Pushdo’s appearance several years ago, researchers found evidence that Pushdo’s creators had gone to some lengths to avoid detection and prevent removal of the malware associated withthe botnet. The creators had changed the way that Pushdo made HTTP requests, creating overly long GET requests to make them less identifiable.

“The length of the request will likely change between different service pack levels of Windows. IDS/IPS signatures can still be written around such a request, taking advantage of the fact that no other HTTP headers are sent as one characteristic to key in on. However, even with this approach, false positives may still occur,” SecureWorks researcher Joe Stewart wrote in an analysis in 2007. “Clearly the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild.”

One of the interesting aspects of the original version of Pushdo is that its creator was using it not just to send spam, but also to spread other pieces of malware. This has become a more common business model in recent years as bot herders have looked for new ways to make money from the millions of compromised PCs under their control.

The original post is available at ThreatPost

Spam volume graph from M86 Security Labs.

The Article:

Consumers Don

]]> http://www.thespamcryer.com/millions-continue-to-click-on-spam/feed/ 0 http://www.thespamcryer.com/the-top-10-botnets/ http://www.thespamcryer.com/the-top-10-botnets/#comments Tue, 09 Mar 2010 18:01:09 +0000 Shaun http://www.thespamcryer.com/?p=270 Michael Kassner wrote an interesting article on “The Top 10 Botnets: New and Improved” and it looked at the most prolific botnets on the planet. Here is information from his original post:

• Date: February 25th, 2010
• Author: Michael Kassner

Latest reports have spam accounting for more than 95 percent of all email messages. You can thank botnets for most of that. Here

]]> http://www.thespamcryer.com/the-top-10-botnets/feed/ 1 http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-3/ http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-3/#comments Fri, 05 Mar 2010 17:55:20 +0000 Shaun http://www.thespamcryer.com/?p=268 Terry Zink looks at botnets, and if there’s a way to determine which sends the most spam. This is part 3 of his series.

original post:

In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level. In part 2, I looked at which one sends the most spam by total amount of bytes that they emit. Now, I

]]> http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-3/feed/ 0 http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-2/ http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-2/#comments Wed, 03 Mar 2010 17:54:14 +0000 Shaun http://www.thespamcryer.com/?p=265 We recently posted the first of three articles by Terry Zink that look at botnets, and explores if there’s a way to determine which one sends the most spam

original post:

Following up from my previous post, there are a couple of ways to measure which botnet sends the most spam. On the one hand, botnets can send 1 spam message but address it to a lot of different recipients, thus putting the cost of delivery heavily onto the recipient. This means that the spammer can have a small amount of nodes and the recipient has to assume the overhead of splitting the message up and delivery to multiple recipients. On the other hand, a botnet can be very wide and send a lot of messages to a lot of different people, but only address each message to one recipient. In this case, the overhead of delivery is shifted onto the sender since the spammer/botnet has to support and maintain a lot of different nodes.

But the total number of messages is only one way of looking at it. What about the total size of the message? If one botnet sends a 10 messages at 30 kb each, and other sends 100 messages at 3 kb each, the way we measure who sends the most spam varies. They are each sending the same amount of data. Regarding the 10 botnets I have been tracking this month, below is the botnet and the average size per message in kb that they send:

From here, we can see that cutwail1/2 send very large messages, and combining that with my previous post, we can see that they send a lot of messages per email envelope and the messages tend to be quite large. Cutwail imposes a very large strain onto the overall Internet infrastructure. Rustock, conversely, remains very hard to detect in terms of its footprint. It sends on average 1 message per email envelope, and these messages are quite small.

Lethic sends lots of messages per email, but the messages are small. Gheg doesn

]]> http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-2/feed/ 0 http://www.thespamcryer.com/which-botnet-sends-the-most-spam/ http://www.thespamcryer.com/which-botnet-sends-the-most-spam/#comments Wed, 03 Mar 2010 17:32:44 +0000 Shaun http://www.thespamcryer.com/?p=262 This blog posting by Terry Zink is an interesting one that looks at botnets, and how to tell which one sends the most spam.

original post:

Around the Internet, and even on this blog, various analyses have been done on botnets and which one is responsible for sending the most spam. Whether it

]]> http://www.thespamcryer.com/which-botnet-sends-the-most-spam/feed/ 0 http://www.thespamcryer.com/stimulus-packages-stock-brokers-and-trojans-oh-my/ http://www.thespamcryer.com/stimulus-packages-stock-brokers-and-trojans-oh-my/#comments Tue, 03 Mar 2009 18:06:16 +0000 Shaun http://www.thespamcryer.com/?p=210

]]> http://www.thespamcryer.com/stimulus-packages-stock-brokers-and-trojans-oh-my/feed/ 0 http://www.thespamcryer.com/ms09-002-exploit-in-the-wild/ http://www.thespamcryer.com/ms09-002-exploit-in-the-wild/#comments Thu, 19 Feb 2009 18:57:51 +0000 Shaun http://www.thespamcryer.com/?p=201 The Internet Storm Center is reporting that several AV vendors have confirmed that the recently patched IE 7 vulnerability (MS-09-002 Uninitialized Memory Corruption) has been reverse engineered by the malware writers (so quickly!) and that we can expect them to be trying to infect your PC

]]> http://www.thespamcryer.com/ms09-002-exploit-in-the-wild/feed/ 0 http://www.thespamcryer.com/are-you-ready-to-see-your-spam-volume-jump-10-times/ http://www.thespamcryer.com/are-you-ready-to-see-your-spam-volume-jump-10-times/#comments Mon, 26 Jan 2009 20:41:08 +0000 Shaun http://www.thespamcryer.com/?p=185 It took less than 3 months for the Spammers to ramp up their production to 90% of where it was pre-McColo takedown in November 2008 according to a number of reports and graphs available online.

The first report is from Message Labs and it reports that with spam volume up another 5% so far in January 2009 the top 10 Botnets, while consisting of between 10 thousand to 1 Million bots (estimated), were capable of sending out between 131 Million to almost 40 BILLION Spam messages PER DAY per Botnet. Total Volume from just the top 10 Botnets totalled almost 65 Billion messages per day! Are you getting your fair share?

It is interesting to see that the largest Botnet Cutwail/Pandex placed second behind Mega-D/Ozdok in spam volume per day category (7 Billion to 38 Billion) even though it had more compromised PC

]]> http://www.thespamcryer.com/are-you-ready-to-see-your-spam-volume-jump-10-times/feed/ 0 http://www.thespamcryer.com/lance-atkinson-fined/ http://www.thespamcryer.com/lance-atkinson-fined/#comments Tue, 23 Dec 2008 19:22:11 +0000 Shaun http://www.thespamcryer.com/?p=176 Lance Atkinson, a prolific spammer since 2005 as part of ‘HerbalKing’ the ‘#1 worst spam gang of 2007, 2008′ according to the Spamhaus ROKSO list has been fined only $92,715 AUS (about $63,400 USD) by authorities because, according to Justice Christine French of the High Court in Christchurch, of the co-operation and candor of Lance in the early stages of the investigation.

This is in contrast to the 2.2 Million dollar USD fine assessed against Atkinson by the FTC in 2005.

The Spamhaus article points out that Australia has very strict anti-spam laws
(http://scaleplus.law.gov.au/html/ems/0/2003/0/2003092501.htm) and the maximum fines for a ‘body corporate with a prior record’ could be as high as 1.1 million (AUS) or $220,000 (AUS) for ‘a individual with prior record’, just for sending the spam messages.

If you add in the maximum fines for not including accurate sender information ($550,000 corporate / $110,000 personal) for not having a functional unsubscribe facility ($550,000 corporate / $110,000 personal) and supplying, acquiring and using address-harvesting software or harvested-address lists ($550,000 corporate / $110,000 personal) these fines could have been much higher for Lance.

Sydney Morning Herald.
http://www.smh.com.au/news/technology/security/kiwis-nail-big-time-spammer/2008/12/22/1229794316883.html

Herbal King
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7802

While this is great that Lance has been fined if we take a step back and look at the bigger picture we have to ask. If fines worked why didn’t Lance and the whole Herbal King group stop spamming in 2005?

While the laws applied in this particular case are very strict they have not stopped the flow of spam. It looks like one solution may be to add confinement in addition to the monetary fines for repeat spammers with additional time for repeat offences similar to how other criminals are treated.

While the botnets are very automated and will continue for a while after the masters are incarcerated eventually with no new commands the botnets will go dark.

But what do I know? Your thoughts on this issue?

- Shaun

]]> http://www.thespamcryer.com/lance-atkinson-fined/feed/ 0