4 February 2010 No Comment

Pushdo has been in the news lately as the culprit of a mass Denial of Service attack against a variety of well-known web sites. Some articles have documented this recent attack extensively. After spending some months last year studying and monitoring the Pushdo botnet and after checking these latest samples, we can affirm that this attack does not come from Pushdo.

First off, Pushdo is a downloader malware that reports often to its Command & Control server. The DDoS malware is a spambot. There is this spambot used by Pushdo to spam massively that the av industry has dubbed Cutwail. Even though that might be the one, comparing our Cutwail samples and the new DDoS spambot, there is no convincing reason to believe they are related.

 The common detection name used for this is Harebot or Shgray but there is a reason why people are putting the tag Pushdo onto this new threat. Some AV vendors are detecting it as Pandex and that was another name for Pushdo so that’s where the name association came from.

It might seem like a small point to make but it’s an important one – Even if the new spambot is an evolution of Cutwail (something not yet proven), it means that it’s not the botnet owners DDoSing but the people behind the mass-mailing operation.

These two groups might be one and the same or two entirely different organizations. In any case, the reason to create a DDoSing spambot is still an enigma to researchers.

Feel free to comment on this blog if you have an interesting theory about it.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Pushdo Puzzle – DDoS or not DDoS?