Botnet takedown may yield valuable data
Researchers are hoping to get a better insight on botnets after taking down part of Pushdo, one of the top five networks of hacked computers responsible for most of the world’s spam.
Thorsten Holz, an assistant professor of computer science at Ruhr-University in Bochum, Germany, said his group is working on an academic paper focused on methods to figure out what type of malicious spamming software is on a computer that sent a particular spam e-mail.
They looked at several of the major spamming botnets, including Mega-D, Lethic, Rustock as well as Pushdo and Cutwail, two kinds of malware that appear to sometimes work together as part of the same botnet.
Holz said they found that Pushdo had a special characteristic in that more than half of its command-and-control servers were concentrated within one hosting company. Botnets use command-and-control servers to issue instructions to the infected PC, such as uploading spam templates and the target e-mail addresses to send spam.
About 15 of Pushdo’s 30 servers were with that one hosting provider, which has now taken those servers offline and shared the data contained within them with Holz and his team. Their analysis is still ongoing, but they uncovered some 78 GB of plain text e-mail addresses, and that up to 40 percent of the infected computers were in India, a finding Holz said was surprising.
Other data within those servers should shed greater light on how Pushdo works. “We will analyze all the log data we have because I think we can provide a good overview of a modern spam operation,” Holz said.
Of the eight hosting providers that had Pushdo’s command-and-control servers, six took action to shut Pushdo down. But two hosting providers based in China did not respond to e-mail requests to turn off Pushdo or even acknowledged that they had received a complaint, Holz said. Although the spam volume from Pushdo has dropped, it is likely that its operators will be able to ratchet it up again.
But Holz and his team now know which computers are infected with Pushdo. They’re in the process of contacting the ISPs connect those computers to the Internet. The ISPs can then notify those customers that their computers are infected and take steps to help them clean up their machines, Holz said.
Although it is likely Pushdo’s operators will be able to use the remaining servers that are still online to reconstitute the botnet, “if we can notify the victims of the compromised machines and get them cleaned, it still has a long-term impact,” Holz said.
Identifying which machines are infected and then remediating those computers is seen as crucial to fighting botnets. In Germany, the government has launched an initiative that involves eight major ISPs collaborating to send e-mails to their customers notifying them that their machines may be infected with botnet code, Holz said.
Holz also works as a senior threat analyst at LastLine, a security start-up run by academics from Institute Eurecom in France, the University of California at Santa Barbara and other researchers.
The company has several products aimed at analyzing malware and tracing botnet infections. LastLine maintains a “huge” database about malicious content on the Internet and a system that can, for example, identify Pushdo infections on servers and automatically send out abuse notifications to those hosting providers.
It also produces a data feed that can be integrated into Cisco networking gear and used to block access to infected servers, Holz said. Another tool for hosting providers can be used to identify infected customer machines and automatically send out notifications “so they can keep their network clean,” Holz said.
LastLine competes with other security firms that specialize in Web security and botnets, such as Websense and Dambala. Holz said LastLine will compete through its solid academic credentials and research.
“I think we can more quickly innovate,” Holz said.