Check out the first, second, and third part of this report.
The bad guys behind this botnet are sly and evil, you have to give them that!
From their end, this is just pure business. They cater to Russian companies that want to advertise their services, be it a law firm or a dance academy, but they have a problem: how do they ensure that those spammed messages have actually been delivered? Well, the Pushdo gang have come up with a way of doing just that, by sniffing all emails being sent from every infected machine. That's right, they added a built-in network sniffer to the growing list of components of the Pushdo threat.
When the computer first becomes infected, one of the modules drops a device driver ("tcpsr.sys") that intercepts all outgoing email traffic and logs the recipients of each message. Every so often it sends this information to a server that collects the data, allowing the gang to know exactly how many mails for each campaign have been sent.
A convenient side effect for them is that Pushdo grows their address database every time the user sends a legitimate email from the infected PC, since the recipient is sent along with the rest of the sniffed data. The sniffer driver is deleted from the disk immediately after becoming active.
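That last detail, a driver that is loaded and then has its own file removed from disk, is also the most useful thing for a defender to key on. The script below is an added example (not code from the original post or from the Pushdo authors) that correlates simplified driver-load and file-delete events and flags any driver image deleted shortly after it was loaded. The event format and field names are an assumption modelled loosely on endpoint telemetry such as Sysmon's DriverLoad and FileDelete events; the sample events, paths and timestamps are constructed, with only the filename tcpsr.sys taken from the post.

```python
"""
Flag drivers whose image file is deleted shortly after the driver loads,
the "drop, load, delete" pattern described for the Pushdo sniffer driver.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are an
# assumption, loosely modelled on Sysmon DriverLoad / FileDelete records.
# Only the filename tcpsr.sys comes from the post; everything else is invented.
SAMPLE_EVENTS = [
    {"time": "2009-04-10T10:00:01", "type": "DriverLoad",
     "path": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"time": "2009-04-10T10:02:15", "type": "DriverLoad",
     "path": r"C:\Windows\System32\drivers\tcpsr.sys"},
    {"time": "2009-04-10T10:02:16", "type": "FileDelete",
     "path": r"C:\Windows\System32\drivers\tcpsr.sys"},
    {"time": "2009-04-10T10:30:00", "type": "FileDelete",
     "path": r"C:\Users\alice\Downloads\setup.tmp"},
]


def parse_time(stamp):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(stamp)


def find_self_deleting_drivers(events, window=timedelta(minutes=5)):
    """
    Return a list of hits, one per driver whose image file was deleted
    within `window` after the driver was loaded.

    Each hit is a dict with the (lower-cased) path, the load and delete
    timestamps, and the number of seconds between them.
    """
    loads = {}   # lower-cased image path -> time the driver was loaded
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        path = ev["path"].lower()
        when = parse_time(ev["time"])
        if ev["type"] == "DriverLoad":
            # Remember the most recent load of this image.
            loads[path] = when
        elif ev["type"] == "FileDelete" and path in loads:
            delta = when - loads[path]
            # Only a deletion that follows the load (not precedes it) and
            # lands inside the window is suspicious.
            if timedelta(0) <= delta <= window:
                hits.append({
                    "path": path,
                    "loaded": loads[path].isoformat(),
                    "deleted": when.isoformat(),
                    "seconds_after_load": delta.total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_self_deleting_drivers(SAMPLE_EVENTS):
        print("driver image removed %.0fs after load: %s"
              % (hit["seconds_after_load"], hit["path"]))
```

The window is deliberately short: legitimate driver updates do replace files, but they rarely delete the image of a driver that is still resident seconds after it loaded. A loaded kernel module with no backing file on disk is the same condition seen from the other side, and is worth checking on a suspect host directly.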
This is yet another feature used by the Pushdo gang which shows exactly how business-oriented they are. These guys are in it to get money, and this shows in the attention to detail they put into their evil creations. I can already picture a nice web interface on their end to see the status of every bot around the world at each moment. After all, what self-respecting evil overlord does not have a giant plasma screen showing a map of the world? It's practically on page 1 of their handbook.
Don’t miss our final installment of the series: “Pushdo/Cutwail: Traditional AV is useless”.
Previous Pushdo/Cutwail posts from this series can be read at the following links:
Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
Pushdo/Cutwail – From Russia with Love (Part 2 of 5)
Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)