More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet, according to security researchers.
The U.S. Federal Bureau of Investigation, Twitter and PayPal are among the sites being hit, although it doesn’t appear the attacks are designed to knock the sites offline, said Steven Adair, of The Shadowserver Foundation, a group that tracks botnets.
Shadowserver was tipped off to the Pushdo issue by Joe Stewart, director of malware analysis at vendor SecureWorks.
Pushdo, which is also known as Pandex or Cutwail, has been around for about three years, according to a report from Trend Micro.
Computers infected with Pushdo are used to send out spam, but the malware is capable of downloading other harmful code to a computer.
Pusho appears to have been recently updated to cause computers infected with it to make SSL (Secure Sockets Layer) connections to various Web sites. SSL is an encrypted protocol used to protect information exchanged.
The bots start to create an SSL connection and then disconnect, a process that is repeated, Adair said.
Serving up SSL connections puts more of a burden on a Web site than HTTP connections, Adair said, but the traffic has been so sporadic that some large Web sites didn’t even notice.
“Despite how noisy it is, the traffic is still too infrequent and not large enough to really be seen as what we would think is an intentional DDOS attack,” Adair said in an e-mail exchange.
“Much smaller botnets are capable of generating far more traffic and causing more of an impact to Web sites than what is being done with Pushdo.”
The traffic, however, is significant and results in large Web sites getting millions of hits across hundreds of thousands of IP (Internet Protocol) addresses.
“This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth,” Adair wrote on Shadowserver’s blog.
One option for Web sites is to change their IP addresses, but that may only be a temporary fix. “We have also had numerous people write in offering assistance and feedback on ways to slow or stop these attacks,” Adair said.
“We hope to put out an updated post that can help our system administrators associated with these Web sites soon.”
Cutwail’s spam blitz
The Cutwail and Grum botnets are front-and-centre in some of the new campaigns launched by spammers, according to the most recent (January 2010) MessageLabs Intelligence Report.
“At its peak, spam related to the New Year accounted for 7.7 percent of all spam on a single day — and more than 50 percent of New Year related spam was sent by the Grum and Cutwail botnets combined,” said the report published by security company Symantec Corp.
Most of the spam, it noted, focused on the typical special New Year offers for pharmaceuticals, fashion accessories and watches, weight loss products, loans and jobs.
Spammers are now latching onto Valentine’s Day-related topics, the report noted.
MessageLabs Intelligence has estimated that a whopping 83.4 per cent of spam originated from botnets at the end of 2009, with the remainder originating from free Web mail accounts.
More than 79 percent of Web mail spam came from accounts with three well-known free service providers, it said.
“Despite the best efforts of the Web mail providers to prevent this abuse of their services, there is still a viable market in the underground economy for buying and selling legitimate and usable Web mail accounts,” said Paul Wood, MessageLabs Intelligence senior analyst, in a statement.
The shady (Lethic) vanishes
In December 2009, MessageLabs began tracking a new botnet called Lethic, which accounted for 2.5 per cent of all spam.
Within the first week of January, spam from Lethic increased to less than four percent of all spam and then peaked at 5.25 percent of all spam on 8 January before mysteriously vanishing from the scene.
“Lethic seems to have disappeared almost as quickly as it arrived,” Wood said. “The spam it had been sending was roughly an even mix of pharmaceutical and replica watch spam. Interestingly, the Bagle botnet was sending the same spam with the same hyperlinks as
Lethic and over the same time period.”
These similarities, he said, led MessageLabs researchers to suspect that Lethic came from the same creators as Bagle. Or else, “the people behind the spam may have hired the resources of more than one botnet gang to increase output.”
MessageLabs Intelligence also reviewed how spam ads for medication supposedly meant to treat male impotence changed over the past year.
It found the spammers’ price peaked for the medication at $6 per 100 mg in early 2009 and then rapidly declined during June and July 2009 to between $2 and $3. The price stabilized at $1.60 at the end of 2009 and remained there through the beginning of 2010.
Here are other MessageLabs report highlights:
- Spam – In January 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 83.9 per cent (1 in 1.2 emails), a decrease of 0.3 percent since December 2009.
- Viruses: The global ratio of viruses in e-mail traffic from new and previously unknown bad sources was one in 326.9 emails (0.31 percent) in January, a decrease of 0.03 percent since December 2009. In January 13.2 percent of email-borne malware contained links to malicious Web sites, a decrease of 5.9 percent since December.
- Phishing: In January, phishing activity was 1 in 562.3 emails (0.18 percent) a decrease of 0.11 percent since December 2009. When judged as a proportion of all e-mail-borne threats — such as viruses and Trojans — the proportion of phishing emails had decreased by 14.3 percent to 65.3 percent of all email-borne threats.
- Web security: Analysis of web security activity shows that 41.4 percent of all web-based malware intercepted was new in January, an increase of 0.6 percent since December.
MessageLabs Intelligence also identified an average of 1,760 new Web sites per day harbouring malware and other potentially unwanted programs such as spyware and adware, a decrease of 56.2 percent since December.
Spam levels drop in Canada, US
On a slightly positive note, spam levels in Canada decreased to 89.7 per cent of all e-mail, and in the U.S. to 91.6 percent. Spam levels fell to 90.0 percent in the U.K.
Denmark continues to remain the most spammed country in the world with spam accounting for 94.8 per cent of all e-mail. Still even in Denmark, spam levels fell by 0.6 percent in January.
In the Netherlands, spam levels reached 92.4 percent, while spam levels in Australia reached 90.6 percent. Spam levels in Hong Kong reached 92.1 percent, and in Japan 88.2 percent.
Virus activity in China rose by 0.13 percent to 1 in 121.4 emails placing it at the top of the table for January.
Virus levels for the U.S. were 1 in 440.3 and 1 in 383.1 for Canada. In Germany, virus levels were 1 in 271.6, 1 in 496.4 for the Netherlands, 1 in 644.1 for Australia, 1 in 331.9 for Hong Kong and 1 in 396.5 for Japan.
The U.K. was the most active country for phishing attacks with 1 in 253.6 e-mails.