EmailSafety.net - Botnet takedown may yield valuable data

Botnet takedown may yield valuable data

Anti-Spam Software

What is Spam?

Spam Laws

Spam Facts

User Tips

Common Email Scams

What Are Visuses?

Virus Prevention Tips

Anti-Virus Software

Basic Tips

Recent News

Researchers are hoping to get a better insight on botnets after taking down part of Pushdo, one of the top five networks of hacked computers responsible for most of the world's spam.

Spammers in the slammer

Thorsten Holz, an assistant professor of computer science at Ruhr-University in Bochum, Germany, said his group is working on an academic paper focused on methods to figure out what type of malicious spamming software is on a computer that sent a particular spam e-mail.

They looked at several of the major spamming botnets, including Mega-D, Lethic, Rustock as well as Pushdo and Cutwail, two kinds of malware that appear to sometimes work together as part of the same botnet.

Related Content

Holz said they found that Pushdo had a special characteristic in that more than half of its command-and-control servers were concentrated within one hosting company. Botnets use command-and-control servers to issue instructions to the infected PC, such as uploading spam templates and the target e-mail addresses to send spam.

About 15 of Pushdo's 30 servers were with that one hosting provider, which has now taken those servers offline and shared the data contained within them with Holz and his team. Their analysis is still ongoing, but they uncovered some 78 GB of plain text e-mail addresses, and that up to 40 percent of the infected computers were in India, a finding Holz said was surprising.

Other data within those servers should shed greater light on how Pushdo works. "We will analyze all the log data we have because I think we can provide a good overview of a modern spam operation," Holz said.

Of the eight hosting providers that had Pushdo's command-and-control servers, six took action to shut Pushdo down. But two hosting providers based in China did not respond to e-mail requests to turn off Pushdo or even acknowledged that they had received a complaint, Holz said. Although the spam volume from Pushdo has dropped, it is likely that its operators will be able to ratchet it up again.

But Holz and his team now know which computers are infected with Pushdo. They're in the process of contacting the ISPs connect those computers to the Internet. The ISPs can then notify those customers that their computers are infected and take steps to help them clean up their machines, Holz said.

Although it is likely Pushdo's operators will be able to use the remaining servers that are still online to reconstitute the botnet, "if we can notify the victims of the compromised machines and get them cleaned, it still has a long-term impact," Holz said.

Identifying which machines are infected and then remediating those computers is seen as crucial to fighting botnets. In Germany, the government has launched an initiative that involves eight major ISPs collaborating to send e-mails to their customers notifying them that their machines may be infected with botnet code, Holz said.

Holz also works as a senior threat analyst at LastLine, a security start-up run by academics from Institute Eurecom in France, the University of California at Santa Barbara and other researchers.

The IDG News Service is a Network World affiliate.

Recent News:

· Feds draw a bead on Russian behind Mega-D botnet
· Ransomware Attack Resurfaces to Hold Files Hostage
· Adobe Reader X Makes PDF Files Safer
· PayPal Users Beware of Holiday Phishing Scam
· McAfee Reports Malware at All-Time High

Site Map | Recent News | Related Sites