A botnet responsible for a significant amount of spam has been crippled but may reconstitute itself in a matter of weeks, according to vendor M86 Security.
The Pushdo or Cutwail network of hacked computers ranked in the top five or so botnets for spam, responsible for as much as 10 percent of all spam, said Ed Rowley, product manager for M86 Security. The spam often advertises fake software, so-called designer goods and questionable pharmaceutical products.
But security analysts with the computer security company LastLine took action last week, contacting ISPs that were hosting the command-and-control infrastructure for the botnet.
About 30 servers at eight hosting providers were found to be supporting Pushdo. LastLine contacted the ISPs, and about 20 of the servers were taken offline, according to its blog. Some ISPs, however, were unresponsive.
Spam levels have dropped, Rowley said. LastLine's action "will almost certainly have a positive effect for two to three weeks," Rowley said. But "the spammers will be able to find other hosting providers where they will be able to get their systems up and running".
LastLine appears to have taken down parts of Pushdo and Cutwail, which work together, wrote Atif Mushtaq of FireEye's Malware Intelligence Lab, in a blog post. Pushdo is a Trojan. Once it infects a computer, it often downloads Cutwail, a piece of malware capable of spamming as well as downloading other bad programs.
Mushtaq confirmed LastLine's success. "After identifying the botnets in question it was very easy for me to go through my botlab logs and try to find leftover command and control servers. There was no doubt that many of the CnC servers were null routed. But as mentioned by LastLine, there were still some servers which were active and serving contents," he wrote.
And it's those active servers that remain a concern. As long as those servers are able to eventually contact the computers infected with Pushdo, it will be possible to resume spamming.
Pushdo has the ability to generate random domain names. If those domains are registered and activated, the botnet controllers can send new instructions to the hacked machines.
"Either way, they'll be up and at it again in the near future," Rowley said.
Comments
Cyteck said: No1 Because 3 probably doesnt actually understand what a Trojan is and even if it did it probably doesnt know how to remove it correctly Trojans can be extremely slippery to deal withNo2 The software in question might just have a coding error which is mistaken for a Trojan this is possible NOT all anti malware scanners correctly ID trojans this is because Trojans are NOT viruses or worms and you need specific Trojan detection software to correctly ID the parasiteNo3 three are probably so busy trying to make money profits they are not aware of this issue or are frankly dont give a toss about it ie let the end users worry about it
orcadian said: It would help if Three UK mobile phone company wasnt knowingly rolling out a Trojan bundled in a mandatory upgrade to everyone using its Huawei dongle TrojanWin32GenericBT is detected and blocked by the free program adwatch Live from Lavasoft on the Dell laptop I got from Three BT I reported this to Three customer services a couple of weeks ago and the guy said it is a known issue The Three mandatory upgrade is STILL infected two weeks later So why is a major multinational corporation knowingly pushing a Trojan on its customers
Bob said: They should list the names addresses and phone numbers of the unresponsive ISPs