Skip the navigation

Botnet takedown may yield valuable data

By Jeremy Kirk
September 2, 2010 06:25 AM ET

IDG News Service - Researchers are hoping to get a better insight on botnets after taking down part of Pushdo, one of the top five networks of hacked computers responsible for most of the world's spam.

Thorsten Holz, an assistant professor of computer science at Ruhr-University in Bochum, Germany, said his group is working on an academic paper focused on methods to figure out what type of malicious spamming software is on a computer that sent a particular spam e-mail.

They looked at several of the major spamming botnets, including Mega-D, Lethic, Rustock as well as Pushdo and Cutwail, two kinds of malware that appear to sometimes work together as part of the same botnet.

Holz said they found that Pushdo had a special characteristic in that more than half of its command-and-control servers were concentrated within one hosting company. Botnets use command-and-control servers to issue instructions to the infected PC, such as uploading spam templates and the target e-mail addresses to send spam.

About 15 of Pushdo's 30 servers were with that one hosting provider, which has now taken those servers offline and shared the data contained within them with Holz and his team. Their analysis is still ongoing, but they uncovered some 78 GB of plain text e-mail addresses, and that up to 40% of the infected computers were in India, a finding Holz said was surprising.

Other data within those servers should shed greater light on how Pushdo works. "We will analyze all the log data we have because I think we can provide a good overview of a modern spam operation," Holz said.

Of the eight hosting providers that had Pushdo's command-and-control servers, six took action to shut Pushdo down. But two hosting providers based in China did not respond to e-mail requests to turn off Pushdo or even acknowledged that they had received a complaint, Holz said. Although the spam volume from Pushdo has dropped, it is likely that its operators will be able to ratchet it up again.

But Holz and his team now know which computers are infected with Pushdo. They're in the process of contacting the ISPs connect those computers to the Internet. The ISPs can then notify those customers that their computers are infected and take steps to help them clean up their machines, Holz said.

Although it is likely Pushdo's operators will be able to use the remaining servers that are still online to reconstitute the botnet, "if we can notify the victims of the compromised machines and get them cleaned, it still has a long-term impact," Holz said.

Identifying which machines are infected and then remediating those computers is seen as crucial to fighting botnets. In Germany, the government has launched an initiative that involves eight major ISPs collaborating to send e-mails to their customers notifying them that their machines may be infected with botnet code, Holz said.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies