The PUSHDO botnet has been in the news lately as the culprit in a distributed denial-of-service (DDoS) attack against a variety of well-known websites. Some publications even documented this recent attack extensively. After spending some months last year studying and monitoring the PUSHDO/CUTWAIL botnet, and after checking the latest samples, we can affirm that this particular attack is not PUSHDO-related.
First off, PUSHDO variants are usually downloaders that report to a command-and-control (C&C) server. The DDoS malware used in the attack, on the other hand, is a spambot. Though the PUSHDO botnet does use a spambot (dubbed “CUTWAIL” by the security industry) to send spam on a massive scale, when we compared our CUTWAIL samples with the DDoS spambot used in this attack, we saw no convincing reason to believe that the two are related.
Security experts commonly detect this new spambot variant as “Harebot” or “Shgray.” Some security vendors also detect it as “Pandex,” a name that was previously used for PUSHDO variants. We believe this shared detection name is the reason people think this new threat is PUSHDO-related.
Though this may seem like a small point to make, it is a rather important one. Even if the new spambot is indeed an evolved version of the CUTWAIL variants (something that has not yet been proven), this still does not mean that the PUSHDO botnet owners are the ones behind this massive DDoS attack.
These two groups may be one and the same or two entirely different organizations. In any case, the reason to create a DDoS-capable spambot is still an enigma even to security researchers.
Feel free to comment on this blog if you have any interesting theories about it.