Read Part 1.

Russia has always been famous for some of its better known exports such as oil, gas, vodka and Andrei Arshavin (for our non-European readers, he kicks a leather ball around a pitch without wearing any body armour). Unfortunately nowadays we can add spam botnets to that list. The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St.Petersburg, and from our research it appears that Pushdo is linked to the Moscow area.

Like other spam botnets Pushdo’s spamming component, known as Cutwail, sends spam in waves, each advertising a particular service. Normally these consist of porn, pharmacy spam etc., but it was when we started to see ads for Salsa classes and construction services that we became really interested (see Figure 1).

It did not take long for the reason behind these email to become clear. The criminal gang behind Pushdo offer “local advertising” services—for as little as 100 euros your business can be advertised to millions of email addresses in a specific area, such as Moscow, St. Petersburg or a country of your choice.

As part of our research we contacted the gang using one of the numbers they provided, posing as a potential customer of their spamming services. As customer service satisfaction goes these guys were very helpful, providing us with bank account details that we could pay them through, and even offering to pick up the money in person if we were based in Moscow (see Figure 2). On top of that they would throw in a free website design to promote our business, and offered to craft their “advertising mail services” (that’s unsolicited spam to you and me) to best avoid anti-spam signatures.

But highly customized spam is not the only trick up Pushdo’s sleeve. Find out more about the clever stealth tricks of the botnet in part 3 of our series: “Pushdo – Can’t Touch This.”

Previous Pushdo/Cutwail posts can be read here.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!