Pushdo Spamming Botnet Makes a Comeback

Security researchers have found computers in more than 50 countries infected with an updated version of Pushdo, a spamming botnet that has been operating since 2007 despite several attempts to shut it down.

At its height, the network of Pushdo-infected computers sent up to 7.7 billion spam messages a day. Analysts have tried to take the botnet down four times, but each time a new version has revived it. Large numbers of infected machines have now been found in India, Indonesia, Turkey and Vietnam. The latest version has been pushing the following malware onto infected hosts:

  • Fareit – credential-stealing malware
  • Cutwail – the spam-sending engine module
  • Dyre & Zeus – online-banking trojans

Security firm Fidelis reverse engineered Pushdo and found a domain-generation algorithm (DGA) that produces 30 command-and-control domain names per day, most of them under Kazakhstan's .kz top-level domain. Because the algorithm is now known, the full set of domains can be computed in advance, and administrators can block or sinkhole them. Blocking these domains does not stop the initial infection, but it cuts infected machines off from their controllers, so they cannot fetch new commands or modules, and any host that still tries to resolve one of the domains stands out as a likely infection. The list only stays useful while the algorithm and its seed remain unchanged, so it must be regenerated if the malware is updated again. Unpatched machines are most at risk, but the botnet has also been found on enterprise computers.
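The practical use of a precomputed DGA list is twofold: deny the lookups at the resolver, and treat any client that still asks for one of the names as a suspected infection. The following script, an added example that is not Fidelis's tooling and does not reproduce Pushdo's actual algorithm or domains, loads a published blocklist, checks DNS query-log lines against it on label boundaries (so a lookalike such as `notttrhnb.kz` does not match `ttrhnb.kz`), and renders a BIND Response Policy Zone that returns NXDOMAIN for each listed domain and its subdomains. The domain names, client addresses and log lines are constructed samples, and the log format is the classic BIND `query:` line.

```python
"""Check DNS query logs against a DGA blocklist and emit a BIND RPZ zone.
Added illustrative code, not Fidelis' tooling. All domains, addresses and
log lines below are constructed samples, not real Pushdo indicators."""
import re

# Constructed sample blocklist: one domain per line, '#' starts a comment.
# The names are hypothetical stand-ins for one day of DGA output.
SAMPLE_BLOCKLIST = """
# hypothetical DGA output for one day
Qwpzlk.kz
Ttrhnb.kz
Vplqsd.kz.
"""

# Constructed sample query-log lines (BIND 'query:' style, hypothetical hosts).
SAMPLE_QUERY_LOG = """
12-Apr-2015 10:01:02.123 client 10.0.0.15#52144: query: www.example.com IN A + (10.0.0.1)
12-Apr-2015 10:01:03.456 client 10.0.0.22#41002: query: QWPZLK.KZ IN A + (10.0.0.1)
12-Apr-2015 10:01:04.789 client 10.0.0.22#41003: query: mail.ttrhnb.kz IN MX + (10.0.0.1)
12-Apr-2015 10:01:05.001 client 10.0.0.31#50011: query: notttrhnb.kz IN A + (10.0.0.1)
"""

# Tolerates both 'client IP#port: query:' and 'client IP#port (name): query:'.
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+.*?: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def normalize(name):
    """Lower-case and drop the trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse a one-domain-per-line list, ignoring blank lines and comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalize(line))
    return domains


def is_blocked(name, blocklist):
    """True if name is a blocked domain or a subdomain of one.
    Matching walks label boundaries, so 'notttrhnb.kz' does not hit 'ttrhnb.kz'."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_query_log(log_text, blocklist):
    """Return (client_ip, queried_name) for every query that hits the list.
    A client resolving a DGA domain is a candidate infected host."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("name"), blocklist):
            hits.append((m.group("ip"), normalize(m.group("name"))))
    return hits


def build_rpz(blocklist, ttl=60):
    """Render a BIND Response Policy Zone. 'CNAME .' is the RPZ action that
    answers NXDOMAIN; the wildcard entry covers every subdomain as well."""
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. root.localhost. 1 3600 600 86400 {ttl}",
        "  IN NS localhost.",
    ]
    for domain in sorted(blocklist):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for ip, name in scan_query_log(SAMPLE_QUERY_LOG, bl):
        print(f"possible infection: {ip} resolved {name}")
    print(build_rpz(bl))
```

Load the generated zone in `named.conf` under a `response-policy` stanza and reload the resolver, then feed the query log through `scan_query_log` on a schedule; since the DGA yields a fresh set of 30 names every day, both the blocklist and the zone need regenerating daily, and a client that keeps hitting the list after the block is in place is the host to pull for forensics.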

Previously, Pushdo was distributed through email spam and through drive-by web attacks that exploit vulnerabilities in unpatched software on the victim's computer. It has also been installed by other botnets through pay-per-install affiliate schemes run by cybercriminals.

In 2010, the last major attempt to shut Pushdo down came when security firm Lastline contacted the ISPs hosting some of Pushdo's primary command-and-control servers. Once those servers were taken offline, spam output dropped sharply. The ISPs also notified the owners of infected computers.

However, that victory was only temporary: Pushdo has returned and is once again spamming and spreading. It now falls to the security community to disrupt the botnet a fifth time, and ideally to dismantle it for good.