03:49 PM
Connect Directly

Inside One Of The World's Biggest Botnets

Researchers who temporarily disrupted Cutwail/Pushdo last year now shed light on the botmaster's side of the botnet

Spammers using one of the world's largest botnets only get a third of their messages through -- even so, they still successfully sent nearly 90 billion spam messages in just one month last year using the Cutwail/Pushdo botnet.

In a rare look at the inside operations of one of the world's largest spamming botnets, a group of researchers from LastLine Inc., the University of California-Santa Barbara, and Rur-University Bochum in Germany recently found 2.35 terabytes of data, including billions of target email addresses as well as 24 databases with detailed statistics about the bots and the spam operations. All of that was stored in the 16 servers for the Cutwail/Pushdo botnet they were able to access last August.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, and his colleagues were working on a research project last year involving various botnets, including Pushdo, MegaD, and Rustock. They were matching infected IP addresses with their respective botnets when they took down some Pushdo C&C servers for their research -- inadvertently shutting down much of the botnet's infrastructure.

But like many botnet takedowns, it was only temporary; Cutwail/Pushdo has since been rebuilt and is now the second-largest botnet in the world , according to data from Joe Stewart, director of malware research for Dell SecureWorks Counter Threat Unit. Cutwail/Pushdo has about 100,000 bots, behind the largest botnet, Rustock, which has a head count of 250,000 bots.

"This whack-a-mole game is a bit disappointing over time. You take one down … and they go rent new ones and infect more people," Holz says.

Meanwhile, Holz and fellow researchers Brett Stone-Gross, Gianluca Stringhini, and Giovanni Vigna have been able to piece together some details of the Cutwail/Pushdo's botnet operation itself. The botnet operators lease out the botnet to spamming groups for spewing spam for online pharmacies, phishing, pornography, money-mule recruitment, and real estate scams. The botnet also is used for spreading malware, such as the Zeus banking Trojan, via infected attachments or links.

And it turns out the botnet operators and their spamming customers have their own technology challenges: Only 30 percent of the botnet's spam is actually delivered to the targeted email server, the researchers discovered. "That's quite a big loss," Holz says. "And even if the mail is received by the targeted mail server, with filtering and SpamAssassin, a large chunk of that 30 percent gets filtered and doesn't necessarily reach the inbox of the user."

Invalid email addresses account for more than half of the delivery failures, 16.9 percent are due to SMTP blacklists, 11.8 percent to SMTP errors, and 11.3 percent to connection timeouts. Around 3.5 percent of mail servers flagged the email as spam.

So to turn a healthy profit, the spammers have to send high volumes of spam. The botnet also provides its users with some quality assurance tools: Each C&C server has its own SpamAssassin filter. Once the spammer has customized his spam using Cutwail's email template, the spam is tested by sending it through SpamAssassin to see if it gets detected. If it does, then it's reworked until it can evade the filter.

They also track the performance of each bot.

From July 30, 2010, to Aug. 25, 2010, Cutwail/Pushdo's database records reveal that the botnet successfully sent 87.7 billion emails. "I was most surprised by the sheer number of emails sent by this one botnet," Holz says. "It turns out this one botnet sent out billions of spam messages."

The researchers also were able to infiltrate a Web forum for spammers and botnet operators called Spamdot.biz, which provided a peek at the methods used by the Cutwail/Pushdo operators and their spammer customers. Cutwail's operators made anywhere from $1.7 million to $4.2 million since June 2009, the researchers wrote in their newly published paper, entitled "The Underground Economy of Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns" (PDF).

The largest email address list used for spamming, which contains more than 1.5 billion email addresses, is worth between $10,000 and $20,000, according the researchers.

Meanwhile, nearly 40 percent of all of Cutwail/Pushdo's bots are based in India, followed by Australia (9 percent), Russia (4 percent), Brazil (3 percent), and Turkey (3 percent).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Published: 2015-05-21
Cross-site scripting (XSS) vulnerability in RAKUS MailDealer 11.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted attachment filename.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.