Pushdo/Cutwail, a notorious botnet known for actively fueling the spread of malware, spam and phishing campaigns, remains a threat, even after security research teams and ISPs attempted to cripple the botnet by taking out its command-and-control infrastructure.
Last week, researchers from malware analysis firm LastLine Inc. identified 30 command-and-control servers and eight hosting providers behind the Pushdo botnet. The firm was successful in taking out 20 servers after contacting ISPs responsible for hosting the servers. From Aug. 23 to Aug. 25, spam volume from Pushdo declined significantly, representing a tiny fraction of the global spam volume.
"Unfortunately, not all providers were responsive and thus several command-and-control servers are still online at this point," Thorsten Holz, senior threat analyst at LastLine, wrote in a blog post.
In an email, Holz said the research team's intention wasn't to take down the botnet, but to use the data gleaned from the command-and-control servers to test a new tool designed to analyze malware data with various botnets.
While the action by LastLine reduced the strength of the botnet, the cybercriminals behind it are recovering, according to an analysis of the Pushdo botnet conducted by FireEye Inc. The vendor's security researchers found active backup command-and-control servers in China, Russia, Germany and the United States. Those servers enabled the operators to rebuild the botnet over several days, and Pushdo, responsible for up to 10% of the world's spam, is once again gaining strength.
"Unfortunately, the attempt to shut down Pushdo merely suspended its spam for two days. Backup [command-and-control servers] CnCs really saved him this time," wrote Atif Mushtaq, a security research engineer, in FireEye's research blog.
Like LastLine, FireEye attempted to cripple Pushdo, forcing the cybercriminals to move on, but after about a month, new variants of Pushdo were detected in security vendor honeypots. According to Mushtaq, the cybercriminals don't rush to move to new command-and-control servers. They wait for researchers to turn their attention to other botnets and slowly recover over a period of weeks.
The actions by LastLine demonstrate how difficult it is to rein in large botnets with command-and-control servers in dozens of countries. Security researchers say the technology is available to take out botnets, but their actions against botnets are limited by privacy laws designed to protect computer users.
Researchers who discover botnet controllers and have a cooperative host used to be able to see the bad guys' files, but today many command-and-control servers no longer host any data. They are being used as reverse proxies to servers in less friendly countries, said Joe Stewart, director of malware research at SecureWorks Inc.
"Even if you take down these intermediate servers that might even be located in the U.S., all the real data is sometimes hosted somewhere else on another back-end," Stewart said. "To bring the botnet back up to speed just requires them to go out, get some cheap hosting somewhere and redirect some traffic. It's gotten really easy for [botnet operators] to have this distributed architecture."
Security researchers are interested in studying command-and-control servers to understand the functionality built into them, Stewart said. Researchers like to look at the back-end code and examine the scripts to figure out all the capabilities of the bot.
"Usually if I'm trying to get access to a botnet controller and I get the disk images, it's more to figure out where the malware is coming from, who the author might be and where it's being sold," Stewart said. "We try to figure out if we can do a better job tracking both the malware kit and also the author's activity."
The only way to truly take out a botnet is to simultaneously wipe out all its command-and-control servers, said Gunter Ollmann, vice president of research for Damballa Inc., an Atlanta-based security vendor focusing on botnet detection. Rogue ISPs and poor cybercrime laws in some countries make it a difficult feat, Ollmann said.
"If you leave one command-and-control server untouched, the botnet still remains alive and more than that it can be updated with a whole new list of command-and-control servers and you're back at your starting point again," Ollmann said.
Still, some progress is being made, according to Ollmann. Researchers are doing a better job identifying and monitoring rogue servers. Major ISPs are also doing a better job monitoring network traffic to detect machines attempting to contact command-and-control servers, he said. From there, ISPs can set up a walled garden, shutting off Internet traffic to the infected host computer.
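The ISP-side step Ollmann describes, matching subscriber traffic against a list of known command-and-control addresses and deciding which hosts go into a walled garden, as an added example that is not from the article or any vendor named in it. The flow-record format, the indicator addresses (RFC 5737 documentation ranges) and the action name are all constructed for illustration; the threshold of two contacts before quarantine is an assumption to avoid cutting off a customer over a single stray connection.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed indicators (RFC 5737 documentation addresses, not real Pushdo C2s); as the
# article notes, the addresses bots contact may be reverse proxies, not the real back-end.
C2_INDICATORS = {
    "198.51.100.7": "c2-proxy-A (placeholder)",
    "203.0.113.0/28": "c2-backup-range (placeholder)",
}
C2_NETS = [(ip_network(k, strict=False), v) for k, v in C2_INDICATORS.items()]

def match_indicator(dst, nets=C2_NETS):
    """Return the indicator label whose host or CIDR range contains dst, or None."""
    addr = ip_address(dst)
    return next((label for net, label in nets if addr in net), None)

def parse_flow(line):
    """Parse a constructed flow record 'timestamp src dst dport proto'; None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, proto = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def find_infected(lines, nets=C2_NETS, min_hits=2):
    """Map subscriber hosts to their C2 contacts, keeping those with >= min_hits.
    A threshold above 1 avoids quarantining a customer for one stray connection."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        label = match_indicator(rec["dst"], nets)
        if label:
            hits[rec["src"]].append((rec["ts"], rec["dst"], label))
    return {src: evs for src, evs in hits.items() if len(evs) >= min_hits}

def walled_garden_actions(infected):
    """Quarantine decision per flagged host (hypothetical action name for the ISP's system)."""
    return [{"host": src, "action": "walled_garden",
             "reason": f"{len(evs)} C2 contacts, first at {evs[0][0]}"}
            for src, evs in sorted(infected.items())]

# Constructed sample flows: 10.0.0.5 contacts two C2 indicators, 10.0.0.9 only one.
SAMPLE_FLOWS = [
    "2010-08-26T10:00:01 10.0.0.5 198.51.100.7 80 tcp",
    "2010-08-26T10:00:09 10.0.0.5 203.0.113.9 443 tcp",
    "2010-08-26T10:01:00 10.0.0.9 198.51.100.7 80 tcp",
    "2010-08-26T10:01:30 10.0.0.9 192.0.2.44 80 tcp",
    "garbage line that should be skipped",
]
```

Because the botnet can be re-pointed at a fresh server list, as the article notes, the indicator set has to be refreshed continuously rather than treated as a one-off blocklist.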
"Some ISPs are changing their terms of service and adding clauses that allow them to provide this level of service to their customers," Ollmann said. "It's more a reaction to the scale of the threat and also they're getting a reception from their customers that they want to be alerted when they're actually affected."