03:49 PM
Connect Directly

Inside One Of The World's Biggest Botnets

Researchers who temporarily disrupted Cutwail/Pushdo last year now shed light on the botmaster's side of the botnet

Spammers using one of the world's largest botnets only get a third of their messages through -- even so, they still successfully sent nearly 90 billion spam messages in just one month last year using the Cutwail/Pushdo botnet.

In a rare look at the inside operations of one of the world's largest spamming botnets, a group of researchers from LastLine Inc., the University of California-Santa Barbara, and Rur-University Bochum in Germany recently found 2.35 terabytes of data, including billions of target email addresses as well as 24 databases with detailed statistics about the bots and the spam operations. All of that was stored in the 16 servers for the Cutwail/Pushdo botnet they were able to access last August.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, and his colleagues were working on a research project last year involving various botnets, including Pushdo, MegaD, and Rustock. They were matching infected IP addresses with their respective botnets when they took down some Pushdo C&C servers for their research -- inadvertently shutting down much of the botnet's infrastructure.

But like many botnet takedowns, it was only temporary; Cutwail/Pushdo has since been rebuilt and is now the second-largest botnet in the world , according to data from Joe Stewart, director of malware research for Dell SecureWorks Counter Threat Unit. Cutwail/Pushdo has about 100,000 bots, behind the largest botnet, Rustock, which has a head count of 250,000 bots.

"This whack-a-mole game is a bit disappointing over time. You take one down … and they go rent new ones and infect more people," Holz says.

Meanwhile, Holz and fellow researchers Brett Stone-Gross, Gianluca Stringhini, and Giovanni Vigna have been able to piece together some details of the Cutwail/Pushdo's botnet operation itself. The botnet operators lease out the botnet to spamming groups for spewing spam for online pharmacies, phishing, pornography, money-mule recruitment, and real estate scams. The botnet also is used for spreading malware, such as the Zeus banking Trojan, via infected attachments or links.

And it turns out the botnet operators and their spamming customers have their own technology challenges: Only 30 percent of the botnet's spam is actually delivered to the targeted email server, the researchers discovered. "That's quite a big loss," Holz says. "And even if the mail is received by the targeted mail server, with filtering and SpamAssassin, a large chunk of that 30 percent gets filtered and doesn't necessarily reach the inbox of the user."

Invalid email addresses account for more than half of the delivery failures, 16.9 percent are due to SMTP blacklists, 11.8 percent to SMTP errors, and 11.3 percent to connection timeouts. Around 3.5 percent of mail servers flagged the email as spam.

So to turn a healthy profit, the spammers have to send high volumes of spam. The botnet also provides its users with some quality assurance tools: Each C&C server has its own SpamAssassin filter. Once the spammer has customized his spam using Cutwail's email template, the spam is tested by sending it through SpamAssassin to see if it gets detected. If it does, then it's reworked until it can evade the filter.

They also track the performance of each bot.

From July 30, 2010, to Aug. 25, 2010, Cutwail/Pushdo's database records reveal that the botnet successfully sent 87.7 billion emails. "I was most surprised by the sheer number of emails sent by this one botnet," Holz says. "It turns out this one botnet sent out billions of spam messages."

The researchers also were able to infiltrate a Web forum for spammers and botnet operators called Spamdot.biz, which provided a peek at the methods used by the Cutwail/Pushdo operators and their spammer customers. Cutwail's operators made anywhere from $1.7 million to $4.2 million since June 2009, the researchers wrote in their newly published paper, entitled "The Underground Economy of Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns" (PDF).

The largest email address list used for spamming, which contains more than 1.5 billion email addresses, is worth between $10,000 and $20,000, according the researchers.

Meanwhile, nearly 40 percent of all of Cutwail/Pushdo's bots are based in India, followed by Australia (9 percent), Russia (4 percent), Brazil (3 percent), and Turkey (3 percent).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.