
Pushdo/Cutwail Botnet: Second to none when it comes to spamming

Pushdo/Cutwail is responsible for 7.7 billion spam e-mail messages each day. Find out how this botnet has been able to survive and even flourish since 2007.

Putting the fact that Pushdo/Cutwail is a *@#$% spammer botnet aside (I know it's hard), one has to marvel at its sophistication and tenacity. I wasn't even familiar with the botnet until I read an interesting five-part series about the Pushdo botnet written by David Sancho and Robert McArdle, both malware researchers for TrendLabs. I felt compelled to share their work with you as it gives valuable insight as to why spam is so profitable.

I alluded to it in the title, but I find it hard to believe that 7.7 billion spam e-mail messages every single day relegates Pushdo to second place. What's also hard to believe is that Pushdo/Cutwail has been around for almost three years and only now garnering more than a cursory glance. If you think about it, that lack of visibility is probably why it's been able to survive so long.

On the radar now

That's not the case anymore. Joe Stewart, director of malware research for SecureWorks, lists Pushdo/Cutwail as one of the botnets to watch in 2009 and provides the following description:

  • Estimated # of bots: 175,000
  • SMTP engine: Template-based
  • Control: HTTP with encryption, multiple TCP ports
  • Rootkit-enabled: Yes
  • Identifying strings: Poshel-ka ti na hui drug aver
  • Notes: Pushdo/Cutwail was one of the few major botnets feeling little impact from the McColo takedown. Cutwail spam output actually increased shortly after that time, so it probably picked up some customers from other botnets. Cutwail has many customers, and can be seen sending a wide variety of spam, including pharmaceuticals, replica watches, online casinos, phishing mule come-ons and malware.

Pushdo is the trojan

In a previous article I defined a trojan as malware that cloaks the destructive payload during installation and program execution, preventing anti-malware from recognizing the malcode. Pushdo is one of the better trojans. One reason is that it installs only two files on the hard drive. The TrendLabs researchers point out the steps Pushdo uses:

  1. A user gets lured to a malicious site, triggering a series of exploits that inject the Pushdo installer directly into memory.
  2. Pushdo copies itself as a single file to the System directory.
  3. Right after this, and on every boot, it downloads other malware components, but keeps them in memory, never writing them to disk.
  4. One of the malicious components downloaded is a kernel-mode rootkit, which is installed as a device driver in the system.
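To look at the infection chain above from the defender's side, here is an added example (my own construction, not code from the article or the TrendLabs series): a toy host-based detector that scores constructed process-event records against the traits the page lists, namely a small number of executable files dropped in the System directory, a kernel driver load, and HTTP-style control traffic to one host over several TCP ports. The System directory path, the event schema and the event values are all assumptions made for the example.

```python
# Added example, not from the article: score per-process events against the
# Pushdo/Cutwail traits described on this page.  All records are constructed.
from collections import defaultdict

SYSTEM_DIR = r"c:\windows\system32"  # assumption: the "System directory"
EXEC_EXT = (".exe", ".dll", ".sys")

def score_events(events):
    """Return {pid: set(indicator names)} for pids matching at least 2 traits."""
    writes = defaultdict(set)                       # pid -> executables written under System
    drivers = set()                                 # pids that loaded a kernel driver
    ports = defaultdict(lambda: defaultdict(set))   # pid -> host -> TCP ports used
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "file_write":
            path = ev["path"].lower()
            if path.startswith(SYSTEM_DIR) and path.endswith(EXEC_EXT):
                writes[pid].add(path)
        elif ev["type"] == "driver_load":
            drivers.add(pid)
        elif ev["type"] == "net_connect" and ev["proto"] == "tcp":
            ports[pid][ev["host"]].add(ev["port"])
    hits = {}
    for pid in set(writes) | drivers | set(ports):
        ind = set()
        if 1 <= len(writes[pid]) <= 2:      # page: "only installs two files on the hard drive"
            ind.add("few_system_dir_drops")
        if pid in drivers:                  # page: rootkit "installed as a device driver"
            ind.add("kernel_driver_load")
        if any(len(p) >= 2 for p in ports[pid].values()):   # page: "HTTP ... multiple TCP ports"
            ind.add("multi_port_c2")
        if len(ind) >= 2:
            hits[pid] = ind
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"pid": 1200, "type": "file_write", "path": r"C:\Windows\System32\svchlp.exe"},
    {"pid": 1200, "type": "driver_load", "path": r"C:\Windows\System32\drivers\hlp.sys"},
    {"pid": 1200, "type": "net_connect", "proto": "tcp", "host": "198.51.100.7", "port": 80},
    {"pid": 1200, "type": "net_connect", "proto": "tcp", "host": "198.51.100.7", "port": 8080},
    {"pid": 1200, "type": "net_connect", "proto": "tcp", "host": "198.51.100.7", "port": 443},
    {"pid": 3300, "type": "file_write", "path": r"C:\Program Files\Editor\update.tmp"},
    {"pid": 3300, "type": "net_connect", "proto": "tcp", "host": "203.0.113.5", "port": 443},
]

if __name__ == "__main__":
    for pid, indicators in score_events(SAMPLE_EVENTS).items():
        print(pid, sorted(indicators))   # pid 1200 matches all three traits
```

The two-trait threshold keeps an ordinary installer (one file write plus one HTTPS connection) from firing; the memory-only components from step 3 would of course never appear as file writes, which is exactly why the driver load and the multi-port traffic carry the weight here.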

Cutwail is the payload

Cutwail is the usual payload being protected by Pushdo. Depending on where you look, Cutwail is described as either a spam trojan or a spam engine; by either name it has only one purpose, and that's to create spam.

While I said Cutwail is the payload most commonly seen, other pieces of malcode are used as well. Security analysts are now thinking that Pushdo may also be a payload delivery vehicle for hire. So Pushdo/Cutwail has two revenue streams: one from spam generation and the other from distributing other malware authors' creations.

Prevention and removal

As with most malware, the best way to avoid Pushdo/Cutwail is to make sure your computer's operating system and application software are up to date; without vulnerabilities there's no exploitation. As for removal, normal anti-virus applications don't seem capable of finding this particular malware package, whereas malware scanners like MBAM are for the most part successful.

Final thoughts

Back in December of 2007, Joe Stewart of SecureWorks made the following comment:

"Clearly the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild. Although it is unclear just how large the Cutwail botnet has become, the ambition of the project rivals that of other more well-known spam botnets, such as Storm."

With Mr. Stewart predicting in 2009 that Pushdo/Cutwail will be one of the botnets to watch, I tend to agree with his 2007 prediction, which is pretty safe on my part using two years of hindsight.


23 comments
jdayman

Great article Michael. One thing really jumps out when I read your description of how the Pushdo trojan works... "Pushdo copies itself as a single file to the System directory" Wow! If we could get our users to stop logging in as the Administrator, then I suspect Pushdo might go away in a hurry. It's the first thing that I do when I'm asked to clean up an infected Windows machine - demote all the users from Admin to Normal User. In most cases I give them an Admin account without a password so that they can easily do admin stuff when they need to. IMO the only reason (on a home pc) to put a password on your Windows Admin account is if the computer is used by people who are not trusted. (An admin account with a blank password cannot be used remotely, so the only way it becomes dangerous is if the person using the account has access to the keyboard and mouse.) Again, great article as usual!

chris

So the companies feel it's worth it to pay these guys to hit us with crappy ads? Do people actually go on to buy, or do they report "hits" as the revenue basis?

desi906

Can these botnets detect when you put new filters on mail accounts? My inbox was flooded with spam about acai that was not being detected by SpamAssassin, so I added a filter to discard acai, and also one for ICQ (I noticed that all of them had an ICQ: number at the bottom). No more acai spam, but since then it has been like a revenge attack of spam with "backwards writing".

santeewelding

I am going to hide under my bed and refuse to come out.

Michael Kassner

Pushdo/Cutwail is a spamming botnet that has tenacity and longevity. Has anyone had dealings with its removal? MBAM has worked for me. Still I'd like to hear about any other solutions.

JCitizen

that does not have password protection. It is better to leave the restricted account unprotected as malware has some limited rights there. If the malware is using an application vulnerability to gain access to admin rights, it could get access this way. I've seen malware use fast user switching to get the same results. On XP Home I always try to disable the hidden admin account after password protecting it with a strong password. I woke up one morning and found my computer on with the logon box displayed and something had enabled password protection to the local machine administrator in W2K. Needless to say I wiped and reinstalled. If I hadn't become suspicious on how my machine was turned on and hit Ctrl>Alt>Delete (twice) I would never have noticed.

Michael Kassner

Still, if I understand correctly, doesn't Windows Update require admin rights? So how would that work?

Neon Samurai

Quickbooks and badly written digital recorder related software from Panasonic require elevated rights. Both have had weeks worth of testing and research and both consistently failed to work unless the user is admin or poweruser status; both are not remotely ideal. If I could have just granted elevated rights to specific folders under each program directory, that would have been better.

Michael Kassner

The spammers only care about hits. It's the people that are paying the spammers that care about what happens after that.

Michael Kassner

I doubt that they are that sophisticated. I suspect it's more of the nature that the spam changed. The spam engines are quite prolific, but have a business model to follow.

JCitizen

and good post - thanks! I wonder if the every-10-second registry hack is an attempt to override any AV/AS real-time registry protection? Hmmm?

beldar33

I know it's our job but... wouldn't it be nice to spend some time/money actually improving the productivity of a network? I am so disheartened every time one of my clients calls with some piece of malware. Don't get me wrong, as a consultant I enjoy having sufficient billable hours to put food on my own table. I just never envisioned my IT career to consist of repeatedly cleaning some piece of garbage off a PC. Even after using properly configured firewalls, AV programs, acceptable use policies and user training, we still spend an inordinate amount of time and money either cleaning or just protecting our clients' networks. I would love to see what those dollars and time could be used for in a productive and progressive fashion instead of a reactive one. Lastly, I would love for LEO to hand over one of the writers of this garbage to a room full of IT admins for just a few minutes and then broadcast what happens for the world to see... I wonder if it might be a deterrent for other would-be malware authors?

Datacommguy

Damn! That's a BIG number! But as the Postini admin for our company before I semi-retired and started consulting, I saw the number of spam emails that were caught each day, and I can believe it. I have to wonder though, if MBAM can find it, why don't the others? Yes, I've read the posts in other forums and blogs that suggest commercial AV suites are primarily concerned with blocking malware and may not do as good a job as a program which is focused on finding installed malware. I'm not sure I buy that argument though. A scheduled scan of all files (plus registry, cookies, etc.) which most AV packages offer suggests that while part of the package is devoted to blocking, there's another part which should be just as capable of finding something which slipped by the block. And what about the Windows monthly anti-malware program download? Obviously, if MBAM can find it, the others could too... Granted, spam generators don't destroy your hard disk, melt your motherboard or flatten the tires on your car, and I can agree that the AV packages should focus on those really nasty things first. But they do use resources, slow your network access and PC, and contribute to an annoying hardship we'd all like to see eliminated. Soooo.... I keep coming back to the same question: If one can, why don't the others?

victor50

They give too little evidence and detail for their claims that traditional AV does not work. Sounds a bit like an advertisement.

JCitizen

most of mine come to me, clueless as to what is wrong. Usually after I'm done with their PC and/or LAN, they have few problems after that. A blended defense always seems to mitigate most problems. I must admit enterprise suites were not comprehensive enough as of 2005, but I've not used any of them since that date. Most SMBs can't afford them anyway.

Michael Kassner

I'm not sure how authorities would view it, but I suspect it would have an impact.

boxfiddler

[i]sharp things.[/i] I'm thinking singular.

Michael Kassner

Think so, but your reference to other posts is what I'm getting from the experts. I liken it to where an all-purpose cleaner does a mediocre job on many different types of problems, whereas a cleaner that's specifically targeted at motor oil will be great at that but horrible at trying to remove food stains.

Michael Kassner

TrendMicro? What you say may be true, but TrendMicro has a pretty decent AV suite. So, I don't see the logic of your comment. I've had a computer that was infected with this and the AV didn't see it at all. MBAM finally cleared it.

victor50

The difficulty with their claim "traditional AV does not find it" is that (a) they are not specifying which and (b) most if not all AV companies give their own names to viruses and threats. This threat being so prominent as they claim it is, I would be very surprised if not at least one of the more serious other AV companies has this on its list. Maybe it's not intercepted on-access but at least in the more thorough mode. Combined with the lack of details they are giving, I stick with my suspicion. Having no problems with it I did not try to find out.
