Wei Wang, RAP Team; Jia Wang, RAP Team; Jiaying Su, RAP Team

First discovered in 2007, the botnet malware known as Pushdo quickly became known as one of the most prolific sources of email spam in history. At its peak, it was estimated that Pushdo was singularly responsible for sending up to 10 billion spam messages per day. The Pushdo module itself functions as a mildly complex downloader that allows it to fetch other components and tools from its command-and-control (C&C) server. The actual mechanism for sending spam is contained inside some...
by Wei Wang  |  Sep 22, 2014  |  Filed in: Security Research
Tags: botnet bot pushdo
It's been two months since we revealed the 3rd Generation Pushdo/Cutwail/Webwail Botnet communication protocol and encryption. Recently, while researching a new bot (GoolBot), we found another Pushdo-like malware spreading with its help. After reversing, it became clear that it was a brand new evolution of the infamous multi-malware loader, for two essential reasons: While it used the 2nd generation Pushdo communication protocol (with minor variations), it encrypted its communications and routed them through the SSL port (443); while this encryption...
by Kyle Yang  |  Feb 04, 2010  |  Filed in: Security Research
While looking at some Pushdo botnet messages recently, I noticed a repeating pattern in the data. Here is an example, taken from an area where the pattern is most obvious:

    0340  13 63 cc 69 13 63 cc 69 13 63 cc 69 53 63 cc 2b  .c.i.c.i.c.iSc.+
    0350  13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69  .c.i.c.i.c.i.c.i
    0360  13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69  .c.i.c.i.c.i.c.i

This looked to me like a flaw in the encryption that potentially could be used for detection purposes. It might even be possible to automatically break the encryption. It...
by Doug Macdonald  |  Dec 15, 2009  |  Filed in: Security Research