/v3-uk/news/1988927/team-academics-cripples-pushdo-botnet
28 Aug 2010, Iain Thomson , V3
An international team of academics researching global spam has managed to cripple a botnet as a by-product of its research.
The team, made up of professors and PhD students at the University of California, Santa Barbara and Germany's Ruhr-University Bochum, was conducting a joint research project analysing spam distribution.
Part of this involved running several honeypots, deliberately exposed machines that collect malware samples, and looking for patterns in the data.
By matching the samples it collected against the free analysis database maintained by the Anubis malware sandbox, and correlating the network endpoints those samples contacted, the team was able to identify the 30 command-and-control servers used by the Pushdo botnet, which is responsible for large volumes of spam.
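The pivot described above, from sandbox reports to a list of command-and-control servers grouped by hosting provider, as an added example that is not the researchers' code and does not use Anubis's real report format. The report schema, the allowlist, the prefix-to-hoster mapping and the sample hashes are all constructed for the example; a real investigation would fill them from the sandbox's own output and WHOIS/ASN lookups.

```python
import ipaddress
from collections import defaultdict

# Constructed, hypothetical sandbox reports: one entry per analysed sample,
# listing the network endpoints it contacted. This is NOT Anubis's real
# report schema; the field names and hashes are invented for the example.
REPORTS = [
    {"sha256": "aaa1", "contacts": [
        {"ip": "203.0.113.10", "port": 80, "proto": "tcp"},
        {"ip": "198.51.100.7", "port": 443, "proto": "tcp"},
        {"ip": "192.0.2.53", "port": 53, "proto": "udp"}]},
    {"sha256": "bbb2", "contacts": [
        {"ip": "203.0.113.10", "port": 80, "proto": "tcp"},
        {"ip": "192.0.2.53", "port": 53, "proto": "udp"}]},
    {"sha256": "ccc3", "contacts": [
        {"ip": "198.51.100.7", "port": 443, "proto": "tcp"},
        {"ip": "203.0.113.10", "port": 80, "proto": "tcp"},
        {"ip": "203.0.113.99", "port": 8080, "proto": "tcp"}]},  # one-off contact
]

# Constructed allowlist: infrastructure every sample talks to regardless of
# family (here the sandbox's own resolver). Such endpoints are not C2.
BENIGN = {"192.0.2.53"}

# Constructed mapping from network prefix to hosting provider, standing in for
# the WHOIS/ASN lookups a real investigation would perform.
PREFIX_TO_HOSTER = {
    "203.0.113.0/24": "hoster-a.example",
    "198.51.100.0/24": "hoster-b.example",
}


def candidate_c2(reports, min_samples=2, benign=BENIGN):
    """Return {ip: set_of_sample_hashes} for endpoints contacted by at least
    min_samples distinct samples, excluding allowlisted infrastructure.

    The threshold filters out one-off contacts (download mirrors, decoys,
    sandbox noise) that a single sample happens to touch."""
    seen = defaultdict(set)
    for report in reports:
        for contact in report["contacts"]:
            if contact["ip"] not in benign:
                seen[contact["ip"]].add(report["sha256"])
    return {ip: hashes for ip, hashes in seen.items() if len(hashes) >= min_samples}


def hoster_for(ip, prefixes=PREFIX_TO_HOSTER):
    """Map an address to its hosting provider via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in prefixes.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def takedown_requests(reports, min_samples=2):
    """Group candidate C2 endpoints by hosting provider, each with the sample
    hashes that contacted it: the evidence to attach to an abuse notification."""
    grouped = defaultdict(dict)
    for ip, hashes in candidate_c2(reports, min_samples).items():
        grouped[hoster_for(ip)][ip] = sorted(hashes)
    return dict(grouped)


if __name__ == "__main__":
    for hoster, endpoints in takedown_requests(REPORTS).items():
        print(hoster)
        for ip, hashes in endpoints.items():
            print(f"  {ip}: contacted by {len(hashes)} samples {hashes}")
```

The two filters are the part worth keeping from this: an allowlist for endpoints that every sample touches for reasons unrelated to the botnet, and a minimum number of distinct samples per endpoint, so that a single sample's stray download does not put an innocent host on the takedown list sent to a provider.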
"Pushdo has a long history of badness, and some analysis reports date back to as far as 2007," said assistant professor Thorsten Holz.
"This piece of malware acts as a dropper, and downloads additional components which can then carry out different tasks, like for example the Cutwail component which sends out spam mails."
After verifying its evidence, the group contacted the hosting companies and informed them of the situation. In all, 20 of the 30 servers identified were shut down, and security researchers at M86 said the botnet had been crippled. The ten servers that stayed online left the operators infrastructure from which to rebuild.
"This co-ordinated takedown has had an immediate impact on Pushdo's spam output," said Phil Hay, lead security researcher at M86.
"Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet take downs are short lived."
Holz told V3.co.uk that the hosting companies were helpful in taking down the servers, but agreed that the botnet might not be out of commission for long.
"Spammers are making a lot of money," he said. "It's very likely that the controllers will work to re-establish themselves and will move their infrastructure elsewhere."