
    Archive for September 8th, 2010




    Who said the Cutwail/Pushdo botnet is dead? The recent Cutwail/Pushdo takedown was a great help in stopping this huge botnet from sending out spam messages all over the world.

    Yesterday, however, a new wave of approximately 5,000 fake Facebook messages was sent through some Cutwail zombies for about 30 minutes.


    The spammed message informs users that they received a private message and contains a bogus Facebook link, which actually points to {BLOCKED}icy.com, a Canadian pharmacy website hosted in China. As of this writing, however, the said site is no longer online.

    This recent Pushdo/Cutwail update shows us that the spammers behind this botnet are on the move and are rebuilding their servers, domains, and the rest of their infrastructure in order to restore their botnet.
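    A defender-side check for the lure described above, added here as an example that is not part of the original post: it parses an HTML mail body and flags links that display a Facebook address or domain but actually point to a different host. The allow-list of Facebook hosts and the sample message body are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts a genuine Facebook notification link may use.
FACEBOOK_HOSTS = ("facebook.com", "fb.com")

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_facebook_host(host):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in FACEBOOK_HOSTS)

def find_brand_mismatch_links(html_body):
    """Return hrefs of links that look like Facebook links but resolve elsewhere."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.anchors:
        if not href:
            continue
        host = urlparse(href).hostname or ""
        # The lure shows a facebook.com-style link, either as visible text
        # or as a lookalike domain; flag it when the real host is not Facebook.
        if "facebook" in (text + href).lower() and not _is_facebook_host(host):
            suspicious.append(href)
    return suspicious

# Constructed sample modelled on the lure in the post; the pharmacy domain is a
# placeholder, not the redacted {BLOCKED}icy.com from the original.
SAMPLE_SPAM = (
    "<p>You have received a private message on Facebook.</p>"
    '<a href="http://example-pharmacy.invalid/?ref=fb">http://www.facebook.com/n/?inbox</a>'
)
```

    Running `find_brand_mismatch_links(SAMPLE_SPAM)` returns the pharmacy URL, while a link whose host is genuinely under facebook.com returns nothing.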




    All of us have heard about SpyEye, a malware family of information stealers similar to ZeuS/ZBOT. This malware is sometimes known as a “ZeuS killer,” as it stops ZeuS malware from running on affected systems if the latter is already present. This topic was discussed before in the blog post, “Keeping an Eye on the EYEBOT and a Possible Bot War.”

    We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.

    This particular SpyEye C&C server is located in Ukraine:

    IP address: {BLOCKED}.{BLOCKED}.159.29
    Org: Tavria Host Network
    ISP: PAN-SAM Ltd.
    ASN: AS196814

    We were able to access different Control Panel tabs on this SpyEye server and saw some interesting bits of information such as its number of bots and their locations:


    A statistical breakdown of the bots by OS, Internet Explorer version, and whether they run with administrator privileges was also found.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice