    Trend Micro Malware Blog

    Archive for May 12th, 2009

    Fast, safe, and reliable: that is the promise of money transfer companies. They have been popular because of the convenience of transferring money to almost any part of the world, a convenience that spammers are enjoying as well.

    Recently, the Content Security team caught spam claiming to be from Western Union containing a notice of an uncollected money transfer. The uncollected money is to be returned to the sender, who is supposedly the recipient of the mail. To collect it, the email “advises” the recipient to print the attached “invoice.” But wait, is it really a legitimate invoice?


    Opening the attachment reveals an executable file, which may or may not show its .EXE extension. A more discerning user might ask under what circumstances an invoice would ever be delivered as an executable file.

    In this case the question answers itself: the attached file is not a real invoice but a malicious file detected as TSPY_ZBOT.AXJ. TSPY_ZBOT.AXJ monitors Internet activity on the affected system and waits for the user to access certain banking-related websites. Once the user does access a banking-related website, it steals any information entered into the site, compromising the user’s account. Furthermore, TSPY_ZBOT.AXJ normally bears an icon similar to those used for Microsoft Excel spreadsheets, to convince the user that it really is an invoice.
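The two tricks described above, a hidden .EXE extension and a spreadsheet icon on a file that is really a program, can both be caught before a user ever double-clicks. The following is an added example, not code from the original post or from Trend Micro: it builds a constructed lure message (the attachment body is only a PE header stub, not a real program) and then checks every attachment for a double extension, for PE magic bytes, and for a declared MIME type that disagrees with the actual content. The file names, addresses and the `displayed_name` approximation of a file browser that hides known extensions are all assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed lure modelled on the spam described above (not a real sample):
# the "invoice" is a stub PE executable with a double extension, so a file
# browser that hides known extensions shows it as "invoice.xls".
FAKE_PE = b"MZ" + b"\x90" * 62 + b"\x00" * 64   # DOS header magic plus padding only


def build_sample_eml() -> str:
    """Return the constructed message as raw RFC 5322 text."""
    msg = EmailMessage()
    msg["From"] = "Western Union <notice@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Uncollected money transfer"
    msg.set_content("Your transfer was not collected. Please print the attached invoice.")
    # The sender declares a spreadsheet MIME type to match the Excel-style icon.
    msg.add_attachment(FAKE_PE, maintype="application", subtype="vnd.ms-excel",
                       filename="invoice.xls.exe")
    msg.add_attachment("Nothing to see here.", filename="notes.txt")
    return msg.as_string()


EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".xls", ".doc", ".pdf", ".txt", ".rtf"}
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-dosexec",
                   "application/octet-stream"}


def extensions(filename: str) -> list:
    """All dotted suffixes, lower-cased: 'invoice.xls.exe' -> ['.xls', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(filename: str) -> str:
    """Approximate what a file browser that hides known extensions would show."""
    exts = extensions(filename)
    if exts and exts[-1] in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return filename[: -len(exts[-1])]
    return filename


def inspect_attachment(filename: str, content_type: str, payload: bytes) -> list:
    """Return the reasons an attachment looks like a disguised executable (empty if none)."""
    reasons = []
    exts = extensions(filename)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension")
    if payload[:2] == b"MZ":                       # PE/DOS executable signature
        reasons.append("PE magic (MZ)")
        if exts and exts[-1] not in EXECUTABLE_EXTS:
            reasons.append("executable content behind a document extension")
        if content_type not in EXECUTABLE_MIME:
            reasons.append(f"declared as {content_type} but content is a PE file")
    return reasons


def scan_eml(raw: str) -> list:
    """Parse a raw message and report every attachment that trips a check."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(filename, part.get_content_type(), payload)
        if reasons:
            findings.append({"filename": filename,
                             "displayed_as": displayed_name(filename),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_eml(build_sample_eml()):
        print(f"{f['filename']} (shown as {f['displayed_as']}): {', '.join(f['reasons'])}")
```

The magic-byte check is the one that matters: a double extension is easy to rename away, but a PE file starts with `MZ` whatever it is called or whatever MIME type the sender declares, so a mail gateway that inspects content rather than names catches this lure even when the extension is hidden from the user.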

    It has been some time since we last saw a malicious spam run that leveraged Western Union, and this one proves that this kind of attack isn’t going away just yet. Users will be glad to know that the Smart Protection Network already protects them from this threat.




    This is the first part of a five-part report on Pushdo. Don’t miss the next part of this series: “Pushdo – From Russia with love.”

    Unless you’ve been off the Internet for the last seven years, you’ve probably heard of the massive security problem that botnets have become. These large collections of infected computers commanded by criminal outfits can launch coordinated attacks, host malicious websites or send spam…lots and lots of spam. If you actually ARE connecting to the Internet for the first time in seven years, welcome back, and I hope you bought Google shares back in 2002; they’ve been doing quite well.

    One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has consistently made it into the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide. Poor Pushdo, always the bridesmaid, never the bride!

    In reality the Pushdo botnet is a very “fancy” software distribution platform. Once the victim is infected, normally by visiting a malicious website, Pushdo phones home asking for a bunch of malware executables, many of which are third-party malware. This is the only communication it has with the command-and-control (C&C) server. There are no P2P components at all, just very frequent updates from the central server, which always seems to be hosted in the US. Pushdo seems to have missed the memo from its more complex friends Storm and Downad, but its complete lack of self-propagation and its simple C&C structure do not seem to have hampered it in the least.
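The traffic pattern just described, a bot that talks only to one central server, polls it very frequently and pulls down executables, is exactly the kind of pattern a network defender can hunt for in proxy logs. The following is an added example, not code from the original post or from Trend Micro, and it assumes something the post does not state: that the updates are fetched over HTTP through a proxy that logs timestamp, source IP, destination host, path, status, content type and size. The log lines, host names and thresholds are constructed for the example; the heuristic flags any source/destination pair that polls at a regular, short interval and receives at least one executable response.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real Pushdo traffic). Fields:
# timestamp src_ip dst_host path status content_type bytes
# 10.0.0.5 polls one server every five minutes and receives PE files;
# the other hosts browse normally.
SAMPLE_LOG = """\
2009-05-12T10:00:00 10.0.0.5 update.example.invalid /get.php 200 application/x-msdownload 143360
2009-05-12T10:02:10 10.0.0.7 www.example.invalid /index.html 200 text/html 5120
2009-05-12T10:05:00 10.0.0.5 update.example.invalid /get.php 200 text/plain 88
2009-05-12T10:10:00 10.0.0.5 update.example.invalid /get.php 200 application/x-msdownload 97280
2009-05-12T10:11:45 10.0.0.9 cdn.example.invalid /style.css 200 text/css 2048
2009-05-12T10:12:00 10.0.0.9 cdn.example.invalid /app.js 200 text/javascript 9000
2009-05-12T10:15:00 10.0.0.5 update.example.invalid /get.php 200 text/plain 88
2009-05-12T10:20:00 10.0.0.5 update.example.invalid /get.php 200 application/x-msdownload 201728
2009-05-12T10:40:00 10.0.0.7 www.example.invalid /news.html 200 text/html 6100
"""

# Content types under which a downloaded Windows executable is commonly served.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path, status, ctype, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "path": path, "status": int(status), "ctype": ctype,
                        "bytes": int(size)})
    return records


def find_beacons(records: list, min_requests: int = 4, max_gap_s: float = 600,
                 max_jitter_s: float = 60) -> list:
    """Flag (src, dst) pairs that poll one server regularly and fetch executables.

    A pair is reported when it made at least min_requests requests, every gap
    between consecutive requests is at most max_gap_s seconds, the gaps are
    regular (population std-dev at most max_jitter_s) and at least one response
    carried an executable content type.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)

    alerts = []
    for (src, dst), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        exe_downloads = sum(1 for r in reqs if r["ctype"] in EXECUTABLE_TYPES)
        if max(gaps) <= max_gap_s and pstdev(gaps) <= max_jitter_s and exe_downloads >= 1:
            alerts.append({"src": src, "dst": dst, "requests": len(reqs),
                           "mean_gap_s": mean(gaps), "exe_downloads": exe_downloads})
    return alerts


if __name__ == "__main__":
    for a in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{a['src']} -> {a['dst']}: {a['requests']} requests, "
              f"every {a['mean_gap_s']:.0f}s, {a['exe_downloads']} executable downloads")
```

The regularity test (low standard deviation of the inter-request gaps) is what separates a scheduled check-in from a person browsing the same site repeatedly, and requiring an executable response keeps ordinary polling of web services out of the alert list. Thresholds are a starting point and would need tuning against a real network's baseline.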


    Each Pushdo update has been “nice enough” to include a surprise or two. One of the latest batches contained an executable that displayed popup ads to the user, most probably from an advertiser who paid good money for the mass deployment of their software. The only component that is always present is the spamming engine, which some antivirus vendors have dubbed Cutwail.

    The downloader/updater binaries are usually detected as “Pushdo,” though “Pandex” and some other names have also been used to describe this same botnet, adding to the confusion and helping the bad guys keep their low profile.

    For us this is an interesting case because it shows how a criminal gang can make lots of money by utilizing other people’s computing resources. To their customers, they look like a simple advertising agency. In reality, they steal bandwidth from their victims with the sole intention of spamming.

    Previous Pushdo/Cutwail posts can be read here.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice