Pushdo botnet spams malware analysis site, researchers find

The Pushdo malware detects when users are running a malware monitoring tool called FakeNet.

The operators of the Pushdo botnet are sending spam to a website meant to educate users about malware, researchers have found.

Blue Coat Systems researchers Chris Larsen and Jeff Doty co-authored a blog post on Wednesday, which detailed how the site, PracticalMalwareAnalysis.com, was being targeted with Pushdo-related spam.

Since the malware appeared in 2007, Pushdo has been repeatedly used to deliver data-stealing trojans, such as Zeus and SpyEye, via its spamming module Cutwail. In this instance, the Pushdo botnet causes infected computers to spam out emails containing the Zeus trojan, researchers found.

PracticalMalwareAnalysis.com was set up to market a book of the same name written by Michael Sikorski and Andrew Honig. The book is meant to provide readers with a “hands-on guide to dissecting malicious software.”

In addition to spreading Zeus, Pushdo operators coded the malware so that infected computers running FakeNet, a malware monitoring tool that the authors of "Practical Malware Analysis" created and released with the book, spam the book's companion site with emails. FakeNet allows analysts to simulate a "fake" network so that a malware sample's network activity can be observed and tracked.

In a Thursday follow-up email with SCMagazine.com, Doty wrote that he saw a spike in Pushdo infections on Aug. 26, which likely means a spam campaign was active that day to spread the malware. As of Wednesday afternoon, however, users were still downloading the malware, he said.

"After it compromises your machine, it starts to send out spam to all sorts of people," Doty wrote of Pushdo. "That spam contains an attachment that is a Zeus payload."

[An earlier version of this story incorrectly stated that Pushdo attackers compromised the Practical Malware Analysis website, when instead, the botnet was used to spam the site.]
