Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
May 12, 3:39 am (UTC-7)   |   by David Sancho (Malware Researcher)

This is the first part of a five-part report on Pushdo. Don’t miss the next part of this series: “Pushdo – From Russia with love.”

Unless you’ve been off the Internet for the last seven years, you’ve probably heard of the massive security problem that botnets have become. These large collections of infected computers commanded by criminal outfits can launch coordinated attacks, host malicious websites or send spam…lots and lots of spam. If you actually ARE connecting to the Internet for the first time in seven years, welcome back, and I hope you bought Google shares back in 2002; they’ve been doing quite well.

One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of spam worldwide. It has also consistently ranked among the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spam emails per day coming from this botnet, which puts it among the Top 2 spamming botnets worldwide. Poor Pushdo, always the bridesmaid, never the bride!

In reality, the Pushdo botnet is a rather “fancy” software distribution platform. Once a victim is infected, normally by visiting a malicious website, Pushdo phones home and asks for a batch of malware executables, many of them third-party malware. This download-and-update exchange is the only kind of communication with the command & control (C&C) server: there is no P2P component at all, just very frequent updates pulled from a central server, which always seems to be hosted in the US. Pushdo seems to have missed the memo from its more complex friends Storm and Downad, but its complete lack of self-propagation and simple C&C structure do not seem to have hampered it in the least.
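The phone-home-and-download pattern described above is something a defender can hunt for in proxy logs without any Pushdo-specific indicators: a client that pulls executables from the same server at short, regular intervals. The following Python is an added example written for this page, not code from the original post or from Trend Micro. The log lines, host names and IP addresses in it are constructed placeholders, and the thresholds (at least four downloads, median interval under 15 minutes, low jitter) are assumptions to tune for your own environment.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed Squid-native-format proxy log lines (not real traffic). Every host
# name and IP address below is a hypothetical placeholder, not a Pushdo indicator.
# Fields: time elapsed client code/status bytes method URL rfc931 peer/host type
SAMPLE_LOG = """\
1242118800.000    120 10.0.0.5 TCP_MISS/200 81920 GET http://updates.example.net/u?i=1 - DIRECT/203.0.113.10 application/octet-stream
1242119100.000    130 10.0.0.5 TCP_MISS/200 81920 GET http://updates.example.net/u?i=2 - DIRECT/203.0.113.10 application/octet-stream
1242119400.000    110 10.0.0.5 TCP_MISS/200 81920 GET http://updates.example.net/u?i=3 - DIRECT/203.0.113.10 application/octet-stream
1242119700.000    125 10.0.0.5 TCP_MISS/200 81920 GET http://updates.example.net/u?i=4 - DIRECT/203.0.113.10 application/octet-stream
1242120000.000    118 10.0.0.5 TCP_MISS/200 81920 GET http://updates.example.net/u?i=5 - DIRECT/203.0.113.10 application/octet-stream
1242120300.000    122 10.0.0.5 TCP_MISS/200 81920 GET http://updates.example.net/u?i=6 - DIRECT/203.0.113.10 application/octet-stream
1242118850.000   2400 10.0.0.7 TCP_MISS/200 5242880 GET http://downloads.example.com/setup.exe - DIRECT/203.0.113.20 application/x-msdownload
1242118860.000     40 10.0.0.8 TCP_MISS/200 4096 GET http://www.example.org/news - DIRECT/203.0.113.30 text/html
1242118920.000     40 10.0.0.8 TCP_MISS/200 4096 GET http://www.example.org/news - DIRECT/203.0.113.30 text/html
1242118980.000     40 10.0.0.8 TCP_MISS/200 4096 GET http://www.example.org/news - DIRECT/203.0.113.30 text/html
1242119040.000     40 10.0.0.8 TCP_MISS/200 4096 GET http://www.example.org/news - DIRECT/203.0.113.30 text/html
1242118900.000    300 10.0.0.9 TCP_MISS/200 40960 GET http://mirror.example.com/tool.exe - DIRECT/203.0.113.40 application/octet-stream
1242119000.000    300 10.0.0.9 TCP_MISS/200 40960 GET http://mirror.example.com/tool.exe - DIRECT/203.0.113.40 application/octet-stream
1242122000.000    300 10.0.0.9 TCP_MISS/200 40960 GET http://mirror.example.com/tool.exe - DIRECT/203.0.113.40 application/octet-stream
1242122050.000    300 10.0.0.9 TCP_MISS/200 40960 GET http://mirror.example.com/tool.exe - DIRECT/203.0.113.40 application/octet-stream
1242127900.000    300 10.0.0.9 TCP_MISS/200 40960 GET http://mirror.example.com/tool.exe - DIRECT/203.0.113.40 application/octet-stream
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+(?P<ctype>\S+)$"
)

# MIME types that proxies commonly report for Windows executables.
EXEC_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-dosexec",
}


def parse_line(line):
    """Parse one Squid native log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "url": m.group("url"),
        "ctype": m.group("ctype"),
    }


def looks_executable(url, ctype):
    """True if either the MIME type or the URL path suggests an executable."""
    path = urlparse(url).path.lower()
    return ctype.lower() in EXEC_TYPES or path.endswith((".exe", ".dll", ".scr"))


def find_periodic_downloaders(lines, min_events=4, max_median_interval=900.0, max_jitter=0.25):
    """Return {(client, server): stats} for clients that fetch executables from
    one server at least min_events times at short, regular intervals.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    downloads: machine-driven beacons cluster near 0, human activity does not.
    """
    times_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not looks_executable(rec["url"], rec["ctype"]):
            continue
        times_by_pair[(rec["client"], urlparse(rec["url"]).hostname)].append(rec["ts"])

    findings = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_events:
            continue  # a single installer download is not a beacon
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        if median_gap <= max_median_interval and jitter <= max_jitter:
            findings[pair] = {
                "downloads": len(times),
                "median_interval_s": median_gap,
                "jitter": round(jitter, 3),
            }
    return findings


if __name__ == "__main__":
    for (client, server), stats in find_periodic_downloaders(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {server}: {stats}")
```

In the constructed sample only 10.0.0.5 is flagged: the single installer download, the ordinary HTML browsing and the irregularly spaced downloads all fall through. Legitimate software updaters also fetch executables on a schedule, so treat a hit as a lead for triage (pull the downloaded files, check the destination, ask whether anyone would expect that interval) rather than as a verdict.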


Each Pushdo update has been “nice enough” to include a surprise or two. One of the latest batches contained an executable that displayed popup ads to the user, most probably on behalf of an advertiser who paid good money for the mass deployment of their software. The only component that is always present is the spamming engine, which some antivirus vendors have dubbed Cutwail.

The downloader/updater binaries are usually detected as “Pushdo,” though “Pandex” and a few other names have also been used for the same botnet, adding to the confusion and helping the bad guys keep a low profile.

For us this is an interesting case because it shows how a criminal gang can make lots of money by using other people’s computing resources. To their customers they look like a simple advertising agency; in reality they steal bandwidth from their victims with the sole intention of spamming.

Previous Pushdo/Cutwail posts can be read here.








© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice