There has recently been a huge win against the PushDo botnet by reseachers, who have severely crippled the network. The article below is from ThreatPost, and there's a link to the full article below. Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now,
researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet's spam operations. After doing an analysis of Pushdo's command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for a variant of the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said.
Recommended Reads
"We identified a total of
30 servers used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world. The information about the activity was extracted from
Anubisreports, which contain details about the system and network activities, including a pcap file that contains the network traffic we observed while doing the analysis. We contacted all hosting providers and worked with them on taking down the machines, which lead to the
take-down of almost 20 servers. Unfortunately, not all providers were responsive and thus several Command & Control servers are still online at this point," researcher Thorsten Holz wrote. The result is that the volume of spam that Pushdo is producing has dropped to nearly zero.
At the time of Pushdo's appearance several years ago, researchers found evidence that Pushdo's creators had gone to some lengths to avoid detection and prevent removal of the malware associated withthe botnet. The creators had changed the way that Pushdo made HTTP requests, creating overly long GET requests to make them less identifiable. "The length of the request will likely change between different service pack levels of Windows. IDS/IPS signatures can still be written around such a request, taking advantage of the fact that no other HTTP headers are sent as one characteristic to key in on. However, even with this approach, false positives may still occur," SecureWorks researcher Joe Stewart wrote in an analysis in 2007. "Clearly the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild." One of the interesting aspects of the original version of Pushdo is that its creator was using it not just to send spam, but also to spread other pieces of malware. This has become a more common business model in recent years as bot herders have looked for new ways to make money from the millions of compromised PCs under their control. The original post is available at
ThreatPost Spam volume graph from M86 Security Labs.
No comments:
Post a Comment