Pushdo/Cutwail, a notorious botnet known for actively fueling the spread of malware, spam and phishing campaigns, remains a threat, even after security research teams
Last week, researchers from malware analysis firm LastLine Inc. identified 30 command-and-control servers and eight hosting providers behind the Pushdo botnet. The firm was successful in taking out 20 servers after contacting ISPs responsible for hosting the servers. From Aug. 23 to Aug. 25, spam volume from Pushdo declined significantly, representing a tiny fraction of the global spam volume.
"Unfortunately, not all providers were responsive and thus several command-and-control servers are still online at this point," Thorsten Holz, senior threat analyst at LastLine, wrote in a blog post.
In an email, Holz said the research team's intention wasn't to take down the botnet, but to use the data gleaned from the command-and-control servers to test a new tool designed to analyze malware data with various botnets.
While the action by LastLine reduced the strength of the botnet, the cybercriminals behind it are recovering, according to an analysis of the Pushdo botnet conducted by FireEye Inc. The vendor's security researchers found active backup command-and-control servers in China, Russia, Germany and the United States. Those servers let the botnet's operators rebuild it, and over several days Pushdo, responsible for up to 10% of the world's spam, has once again been gaining strength.
"Unfortunately, the attempt to shut down Pushdo merely suspended its spam for two days. Backup CnCs [command-and-control servers] really saved him this time," wrote Atif Mushtaq, a security research engineer, in FireEye's research blog.
Like LastLine, FireEye attempted to cripple Pushdo, forcing the cybercriminals to move on, but after about a month, new variants of Pushdo were detected in security vendor honeypots. According to Mushtaq, the cybercriminals don't rush to move to new command-and-control servers. They wait for researchers to turn their attention to other botnets and slowly recover over a period of weeks.
The actions by LastLine demonstrate how difficult it is to rein in large botnets with command-and-control servers in dozens of countries. Security researchers say the technology is available to take out botnets, but their actions against botnets are limited by privacy laws designed to protect computer users.
The only way to truly take out a botnet is to simultaneously wipe out all its command-and-control servers, said Gunter Ollmann, vice president of research for Damballa Inc., an Atlanta-based security vendor focusing on botnet detection. Rogue ISPs and poor cybercrime laws in some countries make it a difficult feat, Ollmann said.
"If you leave one command and control server untouched, the botnet still remains alive and more than that it can be updated with a whole new list of command-and-control servers and you're back at your starting point again," Ollmann said.
Still, some progress is being made, according to Ollmann. Researchers are doing a better job identifying and monitoring rogue servers. Major ISPs are also doing a better job monitoring network traffic to detect machines attempting to contact command-and-control servers, he said. From there, ISPs can set up a walled garden, shutting off Internet traffic to the infected host computer.
"Some ISPs are changing their terms of service and adding clauses that allow them to provide this level of service to their customers," Ollmann said. "It's more a reaction to the scale of the threat and also they're getting a reception from their customers that they want to be alerted when they're actually affected."
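The ISP-side monitoring Ollmann describes, matching subscriber traffic against a list of known command-and-control servers and then picking the infected hosts to move into a walled garden, can be sketched as a small script. The following is an added example written for this article, not code from LastLine, FireEye or Damballa; the flow records, the indicator list (documentation-range addresses from RFC 5737) and the contact threshold are all constructed for illustration.

```python
"""Flag subscriber hosts that contact known command-and-control (C2) servers.

Added example: not LastLine's, FireEye's or Damballa's code. The C2 list,
the flow records and the threshold are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed indicator list (RFC 5737 documentation addresses), standing in
# for the C2 list a research team would share with an ISP.
KNOWN_C2 = {
    "203.0.113.10",   # hypothetical primary C2
    "203.0.113.11",   # hypothetical backup C2 at the same provider
    "198.51.100.7",   # hypothetical backup C2 at a different provider
}

# Constructed flow records in a simplified NetFlow-style format:
# timestamp, subscriber IP, destination IP, destination port, bytes
FLOW_LOG = """\
2010-08-23T10:00:01 192.0.2.15 203.0.113.10 80 512
2010-08-23T10:00:05 192.0.2.15 203.0.113.10 80 488
2010-08-23T10:00:09 192.0.2.22 198.51.100.200 443 2048
2010-08-23T10:01:12 192.0.2.15 203.0.113.11 8080 530
2010-08-23T10:02:30 192.0.2.40 198.51.100.7 80 600
2010-08-23T10:02:31 192.0.2.22 198.51.100.200 443 1024
this line is malformed and must be skipped
"""

Flow = Tuple[str, str, str, int, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified flow format; malformed records are dropped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append((ts, src, dst, int(port), int(nbytes)))
        except ValueError:
            continue  # unparsable address or number: drop the record
    return flows


def c2_contacts(flows: List[Flow], indicators=KNOWN_C2) -> Dict[str, Dict[str, int]]:
    """Map each subscriber IP to the C2 addresses it contacted and how often.

    Counting per destination lets an analyst see both repeated beaconing to a
    primary server and fallback to backup servers after a takedown.
    """
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for _ts, src, dst, _port, _nbytes in flows:
        if dst in indicators:
            hits[src][dst] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


def walled_garden_candidates(contacts: Dict[str, Dict[str, int]],
                             min_flows: int = 1) -> List[str]:
    """Subscribers with at least min_flows total C2 contacts.

    These are the hosts an ISP would move into its walled garden (Internet
    access cut, customer alerted). The threshold is an assumption; a higher
    value trades a slower response for fewer false positives.
    """
    return sorted(src for src, dsts in contacts.items()
                  if sum(dsts.values()) >= min_flows)


if __name__ == "__main__":
    contacts = c2_contacts(parse_flows(FLOW_LOG))
    for src, dsts in contacts.items():
        detail = ", ".join(f"{dst} x{n}" for dst, n in sorted(dsts.items()))
        print(f"{src} contacted C2: {detail}")
    print("walled-garden candidates:", walled_garden_candidates(contacts))
```

Run as-is, the script reports 192.0.2.15 (three contacts, split across a primary and a backup server) and 192.0.2.40 (one contact) as walled-garden candidates, while 192.0.2.22, which only talked to a non-indicator address, is left alone. Raising the threshold to two flows keeps only the beaconing host; the trade-off is that a freshly infected machine with a single contact is missed until it checks in again.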