Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3/14/2011
03:49 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Inside One Of The World's Biggest Botnets

Researchers who temporarily disrupted Cutwail/Pushdo last year now shed light on the botmaster's side of the botnet

Spammers using one of the world's largest botnets only get a third of their messages through -- even so, they still successfully sent nearly 90 billion spam messages in just one month last year using the Cutwail/Pushdo botnet.

In a rare look at the inside operations of one of the world's largest spamming botnets, a group of researchers from LastLine Inc., the University of California-Santa Barbara, and Rur-University Bochum in Germany recently found 2.35 terabytes of data, including billions of target email addresses as well as 24 databases with detailed statistics about the bots and the spam operations. All of that was stored in the 16 servers for the Cutwail/Pushdo botnet they were able to access last August.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, and his colleagues were working on a research project last year involving various botnets, including Pushdo, MegaD, and Rustock. They were matching infected IP addresses with their respective botnets when they took down some Pushdo C&C servers for their research -- inadvertently shutting down much of the botnet's infrastructure.

But like many botnet takedowns, it was only temporary; Cutwail/Pushdo has since been rebuilt and is now the second-largest botnet in the world , according to data from Joe Stewart, director of malware research for Dell SecureWorks Counter Threat Unit. Cutwail/Pushdo has about 100,000 bots, behind the largest botnet, Rustock, which has a head count of 250,000 bots.

"This whack-a-mole game is a bit disappointing over time. You take one down … and they go rent new ones and infect more people," Holz says.

Meanwhile, Holz and fellow researchers Brett Stone-Gross, Gianluca Stringhini, and Giovanni Vigna have been able to piece together some details of the Cutwail/Pushdo's botnet operation itself. The botnet operators lease out the botnet to spamming groups for spewing spam for online pharmacies, phishing, pornography, money-mule recruitment, and real estate scams. The botnet also is used for spreading malware, such as the Zeus banking Trojan, via infected attachments or links.

And it turns out the botnet operators and their spamming customers have their own technology challenges: Only 30 percent of the botnet's spam is actually delivered to the targeted email server, the researchers discovered. "That's quite a big loss," Holz says. "And even if the mail is received by the targeted mail server, with filtering and SpamAssassin, a large chunk of that 30 percent gets filtered and doesn't necessarily reach the inbox of the user."

Invalid email addresses account for more than half of the delivery failures, 16.9 percent are due to SMTP blacklists, 11.8 percent to SMTP errors, and 11.3 percent to connection timeouts. Around 3.5 percent of mail servers flagged the email as spam.

So to turn a healthy profit, the spammers have to send high volumes of spam. The botnet also provides its users with some quality assurance tools: Each C&C server has its own SpamAssassin filter. Once the spammer has customized his spam using Cutwail's email template, the spam is tested by sending it through SpamAssassin to see if it gets detected. If it does, then it's reworked until it can evade the filter.

They also track the performance of each bot.

From July 30, 2010, to Aug. 25, 2010, Cutwail/Pushdo's database records reveal that the botnet successfully sent 87.7 billion emails. "I was most surprised by the sheer number of emails sent by this one botnet," Holz says. "It turns out this one botnet sent out billions of spam messages."

The researchers also were able to infiltrate a Web forum for spammers and botnet operators called Spamdot.biz, which provided a peek at the methods used by the Cutwail/Pushdo operators and their spammer customers. Cutwail's operators made anywhere from $1.7 million to $4.2 million since June 2009, the researchers wrote in their newly published paper, entitled "The Underground Economy of Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns" (PDF).

The largest email address list used for spamming, which contains more than 1.5 billion email addresses, is worth between $10,000 and $20,000, according the researchers.

Meanwhile, nearly 40 percent of all of Cutwail/Pushdo's bots are based in India, followed by Australia (9 percent), Russia (4 percent), Brazil (3 percent), and Turkey (3 percent).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-18654
PUBLISHED: 2021-06-22
Cross Site Scripting (XSS) in Wuzhi CMS v4.1.0 allows remote attackers to execute arbitrary code via the "Title" parameter in the component "/coreframe/app/guestbook/myissue.php".
CVE-2020-22168
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\change-emaild.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22169
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\appointment-history.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22170
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\get_doctor.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22171
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\registration.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.