May 12, 2009

Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)

by David Sancho (Malware Researcher)

"Unless you’ve been off the internet for the last seven years, you’ve probably heard of the massive security problem that botnets have become. These large collections of infected computers commanded by criminal outfits can launch coordinated attacks, host malicious websites or send spam… lots and lots of spam. If you actually ARE coming onto the internet for the first time in seven years, welcome back, and I hope you bought Google shares back in 2002; they’ve been doing quite well.

One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has even managed to make it consistently to the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide. Poor Pushdo, always the bridesmaid, never the bride!"

Full article - http://blog.trendmicro.com/


May 13

Pushdo/Cutwail – From Russia with love [Art of spamming] Part 2

by Robert McArdle (Senior Malware Researcher)

"Russia has always been famous for some of its better known exports such as Oil, Gas, Vodka and Andrei Arshavin (for our non-European readers, he kicks a leather ball around a pitch without wearing any body armour). Unfortunately nowadays we can add spam botnets to that list. The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St. Petersburg, and from our research it appears that Pushdo is linked to the Moscow area.

Like other spam botnets Pushdo’s spamming component, known as Cutwail, sends spam in waves, each advertising a particular service. Normally these consist of porn, pharmacy spam etc – but it was when we started to see ads for Salsa classes and Construction services that we became really interested."

TrendMicro - http://blog.trendmicro.com/


May 18

Pushdo/Cutwail – Can’t touch this (Part 3 of 5)

by Robert McArdle (Senior Malware Researcher)

"We’ve all been there. Your scheduled scan displays a popup with text similar to

“A malicious file c:\definatelyNotAVirus_Honest.exe has been detected on your computer”

On finding a malicious file some network administrators will even proactively submit suspicious files to multi-scanner online services such as “Virus Total” - which will scan the file with 40 or so different vendors and give the files detection results.

Notice the word that has been used four times above – file. One of the core modules of antivirus technology is based on scanning executable files – which is why Pushdo goes out of its way to avoid them whenever possible.

We’ve mentioned previously that Pushdo contains a lot of different sub-components, and that must mean lots of exes, dlls and sys files littering up the system, right? Wrong – in fact Pushdo only needs to write two files to disk and does everything possible to avoid touching the disk in any other way. To better understand - let’s step you through a standard Pushdo attack (keep an eye out for the amount of times it actually accesses the hard disk).

A user gets lured to a malicious site triggering a series of exploits that injects the Pushdo installer directly into memory.

Pushdo copies itself as a single file to the System directory.

Right after this, and on every boot, it downloads other malware components - but keeps them in memory, never writing them to disk.

One of these malicious components downloads a kernel mode rootkit, which is installed as a device driver in the system."

Full article at TrendLabs - http://blog.trendmicro.com/


May 20

Pushdo/Cutwail – Sniffing for the win (Part 4 of 5)

by David Sancho (Malware Researcher)

Check out the first, second, and third part of this report.

"The bad guys behind this botnet are sly and evil, you have to give them that!

From their end, this is just pure business. They cater to Russian companies to advertise their services, be it a law firm or a dance academy, but they have a problem: how to ensure that those spammed messages have been delivered? Well the Pushdo gang have come up with a way of doing just that - by sniffing all emails being sent from every infected machine. That’s right - they added an inbuilt network sniffer to the growing list of components of the Pushdo threat.

When the computer first becomes infected, one of the modules drops a device driver ("tcpsr.sys") that intercepts all outgoing email traffic being sent and logs the recipients of each message. Every now and then, it then sends this information to a server that collects all this data allowing the gang to know exactly how many mails for each campaign have been sent."

Details at TrendLabs - http://blog.trendmicro.com/
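A defender-side check that follows from parts 2 and 4 above: a Cutwail-infected workstation delivers its spam waves straight to many remote mail servers, so outbound port-25 fan-out from hosts that are not the site's mail relay is a practical detection signal. This is an added example, not code from the Trend Micro articles; the log format, the relay address and the threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed firewall/netflow-style records (not real data):
# "<timestamp> <src_ip> <dst_ip> <dst_port>", one connection per line.
SAMPLE_LOG = """\
2009-05-20T10:00:01 192.168.1.20 203.0.113.10 25
2009-05-20T10:00:02 192.168.1.20 203.0.113.11 25
2009-05-20T10:00:02 192.168.1.20 198.51.100.7 25
2009-05-20T10:00:03 192.168.1.20 198.51.100.9 25
2009-05-20T10:00:04 192.168.1.5 203.0.113.10 25
2009-05-20T10:00:05 192.168.1.5 198.51.100.7 25
2009-05-20T10:00:05 192.168.1.5 198.51.100.9 25
2009-05-20T10:00:06 192.168.1.30 192.168.1.5 25
2009-05-20T10:00:07 192.168.1.40 203.0.113.50 443
2009-05-20T10:00:08 192.168.1.40 203.0.113.51 443
"""

# Hosts allowed to speak SMTP to arbitrary remote servers (assumed: the site's relay).
AUTHORISED_RELAYS = {"192.168.1.5"}

def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, port = parts
        yield ts, src, dst, int(port)

def smtp_fanout(text, authorised=AUTHORISED_RELAYS):
    """Map each non-relay source host to the distinct servers it contacted on port 25."""
    fanout = defaultdict(set)
    for _ts, src, dst, port in parse_log(text):
        if port == 25 and src not in authorised:
            fanout[src].add(dst)
    return fanout

def find_spam_bots(text, min_distinct_dst=3, authorised=AUTHORISED_RELAYS):
    """Return {src: distinct_destination_count} for hosts whose direct-to-MX fan-out
    reaches the threshold: a workstation that should hand mail to the local relay
    has no reason to deliver to many different remote mail servers itself."""
    return {src: len(dsts) for src, dsts in smtp_fanout(text, authorised).items()
            if len(dsts) >= min_distinct_dst}

if __name__ == "__main__":
    for host, n in find_spam_bots(SAMPLE_LOG).items():
        print(f"possible spam bot: {host} contacted {n} distinct mail servers on port 25")
```

The relay is excluded by allow-list rather than by volume, so a host that merely sends a lot of mail through the relay (192.168.1.30 above) is not flagged.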
