Feb 4, 10:05 am (UTC-7) | by David Sancho (Senior Threat Researcher)
The PUSHDO botnet has been in the news lately as the culprit in a distributed denial-of-service (DDoS) attack against a variety of well-known websites. Some publications even documented this recent attack extensively. After spending some months last year studying and monitoring the PUSHDO/CUTWAIL botnet and after checking the latest samples, we can affirm that this particular attack is not PUSHDO related.
First off, PUSHDO variants are usually downloaders that report to a command-and-control (C&C) server. The DDoS malware in this attack, on the other hand, is a spambot. The PUSHDO botnet does use a spambot (dubbed “CUTWAIL” by the security industry) to spam users massively, but when we compared our CUTWAIL samples with the DDoS spambot used in this attack, we saw no convincing reason to believe that the two are related.
Security vendors commonly detect this new spambot variant as “Harebot” or “Shgray.” Some vendors also detect it as “Pandex,” a name that was previously used for PUSHDO variants. We believe this shared detection name is the reason people assume the new threat is PUSHDO related.
Though this may seem like a small point to make, it is a rather important one. Even if the new spambot is indeed an evolved version of CUTWAIL variants (something that has not yet been proven), this still does not mean that the PUSHDO botnet owners are the ones behind this massive DDoS attack.
These two groups may be one and the same or two entirely different organizations. In any case, the reason for creating a DDoS-capable spambot remains an enigma even to security researchers.
Feel free to comment on this blog if you have any interesting theories about it.
February 5th, 2010 at 9:01 am
So Pushdo and HareBot are different? If you do a Google search on a known Pushdo IP (94.75.233.172) you can see Pushdo and HareBot related results.
http://www.threatexpert.com/report.aspx?md5=2d8d489825d1b12732a799b10ce03c12
That looks like a Pushdo CnC communication to me.
February 5th, 2010 at 10:22 am
You should always mention on any story regarding botnets that there are usually two distinct parties involved: the owner and potential creator of the botnet itself, and the individual who leases time on that botnet for illegal uses.
For some reason no security-related blog ever mentions this. Once you've identified the botnet in use for a particular illegal act, you've merely identified the tool, not the individual who used the tool.
DDOS attacks are only continuing because they are effective, and because they don't cost the individual that much money to execute. Technically we're talking about "conspiracy wire fraud" because there are always two parties involved: the owner and the lessor.
You should consider mentioning this in the future.
In reality it's unlikely the actual perpetrator will ever be identified, merely the individual(s) who leased him the time on their botnet.
SiL / IKS / concerned citizen
February 8th, 2010 at 11:22 am
"In any case, the reason to create a DDoS-capable spambot is still an enigma even to security researchers."
Extortion. I've heard of sports betting sites getting threats of pay up or be taken offline by a DDoS.
February 23rd, 2010 at 2:01 am
Hi guys, thanks for the comments.
I just wanted to point out that the baffling thing about this particular attack is that the DDoS is coming from a spambot, not from the bot component. This is very unusual behavior that might indicate that it's not a DDoS after all. If they wanted to extort sites, the DDoS would be on-demand and therefore launched from the bot component. Doing it from the spambot against a hard-coded list of domains does not match the usual DDoS scenarios.