Security researchers have detected a new variant of Pushdo that infects computers with the Cutwail spam botnet, spreading banking Trojans, phishing email and spam.
Dell SecureWorks' Counter Threat Unit issued an advisory Wednesday warning that the malware has infected about 100,000 computers since it was detected in early August. Pushdo is a downloader that contacts a command and control server for orders. The cybercriminals behind the new malware infect the machines with malware that turns them into spam distributors, wrote Brett Stone-Gross, a researcher with Dell SecureWorks Counter Threat Unit.
"The purpose of these fake HTTP requests is to make Pushdo's command and control traffic, which also uses HTTP, blend in with legitimate traffic," Stone-Gross wrote.
Researchers detected a variant of Pushdo using a similar method in 2010. Back then, the downloader used an SSL connection to contact legitimate websites. "At the time, Pushdo communicated over TCP port 443, which is the default port for SSL," Stone-Gross wrote.
Cutwail has been a widely detected botnet and is recognized as one of the largest. Experts believe it is responsible for sending out trillions of spam messages, generating millions in profits for its owners. The spam messages often contain phishing emails, malicious attachments leading to banking Trojans and malicious links to attack websites.
In 2009, security researchers at M86 Security Labs detected a scheme in which malicious URLs leading to Pushdo were spreading via Facebook. Researchers have also attempted to bring down the Pushdo botnet by taking out its command-and-control servers. They sought to cripple the malware and phishing distribution system by eliminating its ability to receive instructions. Unfortunately, the researchers were only partially effective. They were able to take down approximately 20 of the 30 command-and-control servers.
Stone-Gross said the typical way to be infected with Pushdo is through drive-by exploits. He advised IT security teams to continue to educate employees about the risks associated with clicking URLs and ensure software and browser components are fully updated.