Putting the fact that Pushdo/Cutwail is a *@#$% spammer botnet aside (I know it’s hard), one has to marvel at its sophistication and tenacity. I wasn’t even familiar with the botnet until I read an interesting five-part series about the Pushdo botnet written by David Sancho and Robert McArdle, both malware researchers for TrendLabs. I felt compelled to share their work with you as it gives valuable insight as to why spam is so profitable.

I alluded to it in the title, but I find it hard to believe that 7.7 billion spam e-mail messages every single day relegates Pushdo to second place. What’s also hard to believe is that Pushdo/Cutwail has been around for almost three years and only now garnering more than a cursory glance. If you think about it, that lack of visibility is probably why it’s been able to survive so long.

On the radar now

That’s not the case anymore. Joe Stewart, director of malware research for SecureWorks has Pushdo/Cutwail as one of the botnets to watch in 2009 and provides the following description:

  • Estimated # of bots: 175,000
  • SMTP engine: Template-based
  • Control: HTTP with encryption, multiple TCP ports
  • Rootkit-enabled: Yes
  • Identifying strings: Poshel-ka ti na hui drug aver
  • Notes: Pushdo/Cutwail was one of the few major botnets feeling little impact from the McColo takedown. Cutwail spam output actually increased shortly after that time, so it probably picked up some customers from other botnets. Cutwail has many customers, and can be seen sending a wide variety of spam, including pharmaceuticals, replica watches, online casinos, phishing mule come-ons and malware.

Pushdo is the trojan

In a previous article I defined a trojan as malware that cloaks the destructive payload during installation and program execution, preventing anti-malware from recognizing the malcode. Pushdo is one of the better trojans. One reason is that it only installs two files on the hard drive. The TrendLab researchers point out the steps Pushdo uses:

  1. A user gets lured to a malicious site triggering a series of exploits that injects the Pushdo installer directly into memory.
  2. Pushdo copies itself as a single file to the System directory.
  3. Right after this, and on every boot, it downloads other malware components – but keeps them in memory, never writing them to disk
  4. One of the malicious components downloads is a kernel mode rootkit, which is installed as a device driver in the system.

Cutwail is the payload

Cutwail is the normal payload being protected by Pushdo. Depending on where you look, Cutwail can be described as either a spam trojan or a spam engine, both only have one purpose and that’s to create spam.

While I said Cutwail is the payload most commonly seen, other pieces of malcode are used as well. Security analysts are now thinking that Pushdo may also be a payload delivery vehicle for hire. So Pushdo/Cutwail has two revenue streams one being from spam generation and the other from distributing other malware author’s creations.

Prevention and removal

As with most malware, the best way to avoid Pushdo/Cutwail is to make sure your computer’s operating system and application software are up to date, without vulnerabilities there’s no exploitation. As for removal, normal anti-virus applications don’t seem capable of finding this particular malware package, whereas malware scanners like MBAM are for the most part successful.

Final thoughts

Back in December of 2007, Joe Stewart of SecureWorks made the following comment:

“Clearly the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild. Although it is unclear just how large the Cutwail botnet has become, the ambition of the project rivals that of other more well-known spam botnets, such as Storm.”

With Mr. Stewart predicting in 2009 that Pushdo/Cutwail will be one of the botnets to watch I tend to agree with his 2007 prediction, which is pretty safe on my part using two years of hindsight.