Endpoint
3/14/2011
03:49 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Inside One Of The World's Biggest Botnets

Researchers who temporarily disrupted Cutwail/Pushdo last year now shed light on the botmaster's side of the botnet

Spammers using one of the world's largest botnets only get a third of their messages through -- even so, they still successfully sent nearly 90 billion spam messages in just one month last year using the Cutwail/Pushdo botnet.

In a rare look at the inside operations of one of the world's largest spamming botnets, a group of researchers from LastLine Inc., the University of California-Santa Barbara, and Rur-University Bochum in Germany recently found 2.35 terabytes of data, including billions of target email addresses as well as 24 databases with detailed statistics about the bots and the spam operations. All of that was stored in the 16 servers for the Cutwail/Pushdo botnet they were able to access last August.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, and his colleagues were working on a research project last year involving various botnets, including Pushdo, MegaD, and Rustock. They were matching infected IP addresses with their respective botnets when they took down some Pushdo C&C servers for their research -- inadvertently shutting down much of the botnet's infrastructure.

But like many botnet takedowns, it was only temporary; Cutwail/Pushdo has since been rebuilt and is now the second-largest botnet in the world , according to data from Joe Stewart, director of malware research for Dell SecureWorks Counter Threat Unit. Cutwail/Pushdo has about 100,000 bots, behind the largest botnet, Rustock, which has a head count of 250,000 bots.

"This whack-a-mole game is a bit disappointing over time. You take one down … and they go rent new ones and infect more people," Holz says.

Meanwhile, Holz and fellow researchers Brett Stone-Gross, Gianluca Stringhini, and Giovanni Vigna have been able to piece together some details of the Cutwail/Pushdo's botnet operation itself. The botnet operators lease out the botnet to spamming groups for spewing spam for online pharmacies, phishing, pornography, money-mule recruitment, and real estate scams. The botnet also is used for spreading malware, such as the Zeus banking Trojan, via infected attachments or links.

And it turns out the botnet operators and their spamming customers have their own technology challenges: Only 30 percent of the botnet's spam is actually delivered to the targeted email server, the researchers discovered. "That's quite a big loss," Holz says. "And even if the mail is received by the targeted mail server, with filtering and SpamAssassin, a large chunk of that 30 percent gets filtered and doesn't necessarily reach the inbox of the user."

Invalid email addresses account for more than half of the delivery failures, 16.9 percent are due to SMTP blacklists, 11.8 percent to SMTP errors, and 11.3 percent to connection timeouts. Around 3.5 percent of mail servers flagged the email as spam.

So to turn a healthy profit, the spammers have to send high volumes of spam. The botnet also provides its users with some quality assurance tools: Each C&C server has its own SpamAssassin filter. Once the spammer has customized his spam using Cutwail's email template, the spam is tested by sending it through SpamAssassin to see if it gets detected. If it does, then it's reworked until it can evade the filter.

They also track the performance of each bot.

From July 30, 2010, to Aug. 25, 2010, Cutwail/Pushdo's database records reveal that the botnet successfully sent 87.7 billion emails. "I was most surprised by the sheer number of emails sent by this one botnet," Holz says. "It turns out this one botnet sent out billions of spam messages."

The researchers also were able to infiltrate a Web forum for spammers and botnet operators called Spamdot.biz, which provided a peek at the methods used by the Cutwail/Pushdo operators and their spammer customers. Cutwail's operators made anywhere from $1.7 million to $4.2 million since June 2009, the researchers wrote in their newly published paper, entitled "The Underground Economy of Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns" (PDF).

The largest email address list used for spamming, which contains more than 1.5 billion email addresses, is worth between $10,000 and $20,000, according the researchers.

Meanwhile, nearly 40 percent of all of Cutwail/Pushdo's bots are based in India, followed by Australia (9 percent), Russia (4 percent), Brazil (3 percent), and Turkey (3 percent).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web