Endpoint
3/14/2011
03:49 PM

Inside One Of The World's Biggest Botnets

Researchers who temporarily disrupted Cutwail/Pushdo last year now shed light on the botmaster's side of the botnet

Spammers using one of the world's largest botnets only get a third of their messages through -- even so, they still successfully sent nearly 90 billion spam messages in just one month last year using the Cutwail/Pushdo botnet.

In a rare look at the inside operations of one of the world's largest spamming botnets, a group of researchers from LastLine Inc., the University of California-Santa Barbara, and Ruhr-University Bochum in Germany recently found 2.35 terabytes of data, including billions of target email addresses as well as 24 databases with detailed statistics about the bots and the spam operations. All of that was stored on the 16 Cutwail/Pushdo servers they were able to access last August.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, and his colleagues were working on a research project last year involving various botnets, including Pushdo, MegaD, and Rustock. They were matching infected IP addresses with their respective botnets when they took down some Pushdo C&C servers for their research -- inadvertently shutting down much of the botnet's infrastructure.

But like many botnet takedowns, it was only temporary; Cutwail/Pushdo has since been rebuilt and is now the second-largest botnet in the world, according to data from Joe Stewart, director of malware research for Dell SecureWorks Counter Threat Unit. Cutwail/Pushdo has about 100,000 bots, behind the largest botnet, Rustock, which has a head count of 250,000 bots.

"This whack-a-mole game is a bit disappointing over time. You take one down … and they go rent new ones and infect more people," Holz says.

Meanwhile, Holz and fellow researchers Brett Stone-Gross, Gianluca Stringhini, and Giovanni Vigna have been able to piece together some details of the Cutwail/Pushdo botnet's operation itself. The botnet operators lease out the botnet to spamming groups for spewing spam for online pharmacies, phishing, pornography, money-mule recruitment, and real estate scams. The botnet also is used for spreading malware, such as the Zeus banking Trojan, via infected attachments or links.

And it turns out the botnet operators and their spamming customers have their own technology challenges: Only 30 percent of the botnet's spam is actually delivered to the targeted email server, the researchers discovered. "That's quite a big loss," Holz says. "And even if the mail is received by the targeted mail server, with filtering and SpamAssassin, a large chunk of that 30 percent gets filtered and doesn't necessarily reach the inbox of the user."

Invalid email addresses account for more than half of the delivery failures; 16.9 percent are due to SMTP blacklists, 11.8 percent to SMTP errors, and 11.3 percent to connection timeouts. Around 3.5 percent of mail servers flagged the email as spam.

So to turn a healthy profit, the spammers have to send high volumes of spam. The botnet also provides its users with some quality assurance tools: Each C&C server has its own SpamAssassin filter. Once the spammer has customized his spam using Cutwail's email template, the spam is tested by sending it through SpamAssassin to see if it gets detected. If it does, then it's reworked until it can evade the filter.

The C&C servers also track the delivery performance of each bot.
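The delivery breakdown above and the per-bot performance tracking are statistics the botnet's own databases kept. As an added example (not code from the researchers or from Cutwail), the script below classifies the outcome of each SMTP delivery attempt into the same categories the article lists and computes the overall delivery rate, the share of each failure cause, and a per-bot delivery rate. The log lines are constructed for the example, and the reply-text patterns (for blacklist hits, content filtering, and unknown users) are assumptions about typical wording, not a standard.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not data from the paper or the botnet). One delivery
# attempt per line: "<bot_id> <target_domain> <outcome>", where outcome is
# either "timeout" or the SMTP reply returned by the target mail server.
SAMPLE_LOG = """\
bot-01 example.com 250 2.0.0 OK: queued as 1A2B3C
bot-01 example.com 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown
bot-01 example.org 550 5.7.1 Service unavailable; client host 198.51.100.7 blocked using zen.spamhaus.org
bot-02 example.net timeout
bot-02 example.com 250 2.0.0 OK: queued as 4D5E6F
bot-02 example.org 554 5.7.1 Message rejected as spam by Content Filtering
bot-02 example.net 451 4.7.1 Greylisted, please try again later
bot-03 example.com 550 5.1.1 No such user here
bot-03 example.org 421 4.3.2 Service not available, closing transmission channel
bot-03 example.net 250 2.0.0 OK: queued as 7A8B9C
"""

# Categories matching the article's breakdown of delivery outcomes.
CATEGORIES = ("delivered", "invalid_address", "blacklisted",
              "flagged_as_spam", "timeout", "smtp_error")

LINE_RE = re.compile(r"^(?P<bot>\S+)\s+(?P<domain>\S+)\s+(?P<outcome>.+)$")
# SMTP reply: 3-digit code, optional RFC 3463 enhanced status code, free text.
REPLY_RE = re.compile(r"^(?P<code>[245]\d\d)(?:\s+(?P<ecode>\d\.\d+\.\d+))?\s*(?P<text>.*)$")
# Assumed wording of DNS-blacklist rejections, content-filter rejections and
# unknown-mailbox errors; real servers vary, so extend these for your own data.
BLACKLIST_RE = re.compile(r"blocked using|blacklist|blocklist|dnsbl|\brbl\b|spamhaus", re.I)
SPAM_RE = re.compile(r"\bspam\b", re.I)
BAD_ADDR_RE = re.compile(r"user unknown|no such user|unknown user", re.I)


def classify(outcome: str) -> str:
    """Map one delivery outcome onto a category from CATEGORIES."""
    outcome = outcome.strip()
    if outcome.lower() == "timeout":
        return "timeout"
    m = REPLY_RE.match(outcome)
    if not m:
        return "smtp_error"  # unparseable reply: count it as a generic SMTP error
    code, ecode, text = m.group("code"), m.group("ecode") or "", m.group("text")
    if code.startswith("2"):
        return "delivered"
    # Policy rejections are tested on the reply text first, because a blacklist
    # hit and a content-filter hit both commonly arrive as 5.7.1.
    if BLACKLIST_RE.search(text):
        return "blacklisted"
    if SPAM_RE.search(text):
        return "flagged_as_spam"
    # Bad mailbox: enhanced status x.1.1 or the usual "user unknown" wording.
    if ecode.endswith(".1.1") or BAD_ADDR_RE.search(text):
        return "invalid_address"
    return "smtp_error"  # greylisting, server unavailable and other 4xx/5xx


def summarize(log_text: str):
    """Return (category counts, delivery rate, failure shares, per-bot rates)."""
    totals = Counter()
    per_bot = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        cat = classify(m.group("outcome"))
        totals[cat] += 1
        per_bot[m.group("bot")][cat] += 1
    attempts = sum(totals.values())
    failures = attempts - totals["delivered"]
    delivery_rate = totals["delivered"] / attempts if attempts else 0.0
    # Share of each failure cause among failed attempts only, as in the article.
    failure_share = ({c: totals[c] / failures for c in CATEGORIES if c != "delivered"}
                     if failures else {})
    bot_rates = {b: c["delivered"] / sum(c.values()) for b, c in per_bot.items()}
    return totals, delivery_rate, failure_share, bot_rates


if __name__ == "__main__":
    totals, rate, share, bots = summarize(SAMPLE_LOG)
    print(f"delivered {rate:.0%} of {sum(totals.values())} attempts")
    for cat, frac in share.items():
        print(f"  {cat:16s} {frac:6.1%} of failures")
    for bot, r in sorted(bots.items()):
        print(f"  {bot}: {r:.0%} delivered")
```

Run on the constructed log the script reports a 30 percent delivery rate with invalid addresses as the largest failure cause; on a real bot's output the same aggregation is what a botmaster sees in the C&C database, and what a defender sees from the other side when correlating rejections in mail-server logs.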

From July 30, 2010, to Aug. 25, 2010, Cutwail/Pushdo's database records reveal that the botnet successfully sent 87.7 billion emails. "I was most surprised by the sheer number of emails sent by this one botnet," Holz says. "It turns out this one botnet sent out billions of spam messages."

The researchers also were able to infiltrate a Web forum for spammers and botnet operators called Spamdot.biz, which provided a peek at the methods used by the Cutwail/Pushdo operators and their spammer customers. Cutwail's operators made anywhere from $1.7 million to $4.2 million since June 2009, the researchers wrote in their newly published paper, entitled "The Underground Economy of Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns" (PDF).

The largest email address list used for spamming, which contains more than 1.5 billion email addresses, is worth between $10,000 and $20,000, according to the researchers.

Meanwhile, nearly 40 percent of all of Cutwail/Pushdo's bots are based in India, followed by Australia (9 percent), Russia (4 percent), Brazil (3 percent), and Turkey (3 percent).


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
