Blog

The purpose of this series of articles is very simple, to give our readers an idea about the current geographical distribution of command and control coordinates for the some of the top botnets.  Based on this data I'll try to estimate whether it is possible to shutdown these botnets by puling the plug for these servers.  The Botnets which will be discussed in these articles are Pushdo, Xarvester, Rustock, Koobface and Ozdok.  These stats are based on my sandnet logs for the last 3 months or so.  By no means is this list complete but it will give our reader a reasonable idea about the current motherships for these botnets.

Pushdo

Here is the list of Pushdo CnCs arranged in tabular form:

Sr.no	ISP	IPs	Country
1	INTERSERVER INC	66.45.246.146	NEW JERSEY, USA
2	UBIQUITY SERVER SOLUTIONS	69.147.239.106	NEW YORK, USA
3	MONITORING	94.103.4.217 94.103.4.230	MOLDOVA, REPUBLIC
4	SOFTLAYER TECHNOLOGIES INC	174.36.201.82 208.43.154.226 208.43.162.82 208.43.162.84	TEXAS DALLAS, USA
5	BLUEJEEP.COM	66.197.167.21	MASSACHUSETTS, USA
6	ARABSGATE	66.96.214.197	SAUDI ARABIA
6	LIMESTONE NETWORKS INC	69.162.79.82 69.162.64.146	TEXAS DALLAS, USA
7	NETWORK OPERATIONS CENTER INC	66.197.131.69	PENNSYLVANIA, USA
8	THEPLANET.COM INTERNET SERVICES INC	74.53.42.61 75.125.213.202 74.54.224.242 74.54.77.82 74.54.135.202 75.125.238.10	TEXAS DALLAS
9	2086 WESTMORE AVE	69.64.67.194	QUEBEC MONTREAL, CANADA
10	GODADDY.COM	72.167.49.117 68.178.255.165 97.74.115.222	ARIZONA SCOTTSDALE, USA
11	ABACUS AMERICA INC	216.55.176.45	CALIFORNIA SAN DIEGO, USA
12	ZLKON	94.247.3.46 94.247.2.95	LATVIA
13	BRUCE GARRET	208.66.194.232	FLORIDA ST. PETERSBURG, USA
14	APS COMMUNICATION	209.66.122.238	CALIFORNIA SAN JOSE, USA
15	UATELECOM ISP	91.203.92.7	UKRAINE

 

The first thing which is clearly visible from the above stats is that Pushdo is no longer relying on 1 or 2 ISPs. The list above has about 29 CnC servers distributed all across the globe. What are our chances of shutting down the server in Ukraine, Latvia or Arabia?

Just imagine for a minute that all of these data centers pull the plug at once. What will happen then?  Before the McColo shutdown, Pushdo  used to have a long list of hard coded CnC IPs but it is no longer the case. Some recent analysis (Tip o' the hat to our friend Ross Thomas over at SophosLabs for the heads up) shows that new variants also contain a domain based fallback mechanism. Guess what; the name of this fallback domain today is 'fireasseye.com'.  It looks someone from FireEye made *someone* really upset.  It can't be me ..:). 

Anyway, what it means is that even if the Pushdo command servers are shutdown all at once, the Pushdo guys can recover their botnet using this fallback domain. The situation in the case of 'Cutwail' is even worse.  As many of the readers of this blog will already know, 'Cutwail' is one of the child downloads of Pushdo and is its actual spam weapon.  Pushdo on start up silently downloads Cutwail and injects that into other processes, normally 'svchost.exe'.  It never tries to install Cutwail permanently on the infected system. What this means is that even if all Cutwail CnCs are killed, the next day Pushdo can download another variant pointing to some other server.  One can imagine what happened after the rogue ISP 3fn  (which was serving many of Cutwail CnCs) was shutdown. 

What if somehow Pushdo fallback domain(s) is taken away from the bot herders? I guess this will be a partial success. We have already seen that Pushdo is one of the active members of Virut , Bredolab and Exchanger botnetwebs. These top level malware droppers might again drop another instance of pushdo on to the infected machine, reporting to a completely different IP block. Killing the beast is not that easy.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM