Infiltrating the Pushdo Botnet
It's very rare that we researchers get a chance to explore the inner workings of a botnet command and control server. Detailed insight into the botnet server or command component can give us valuable information about the motives of the botnet and possibly the bad guys behind it. But granting access to these command and control servers often depends on the will of the hosting providers. So what happened in this case?
Recently, while I was casually monitoring logs from our MAX network to find out the current geolocations of Pushdo CnCs, I got these results for the last 30 days.
SOFTLAYER TECHNOLOGIES INC, USA
LIMESTONE NETWORKS INC, USA
LEASEWEB, NETHERLANDS
THEPLANET.COM INTERNET SERVICES INC, USA
VRTSERVERS INC
Seeing SoftLayer in the above ISP list made me quite excited. SoftLayer has a good history of dealing with abuse requests, so I knew that taking these servers offline would not be a big deal. But this time I was hoping for something more. Keeping in mind the good relationship between FireEye and SoftLayer, we requested that they grant us access to one of the CnCs. Nick Hale from the SoftLayer abuse department responded very quickly, based on the evidence provided by FireEye, and made the decision to give us access to this notorious server for a limited time before shutting down all the CnC servers. Before we get into the details of what was discovered, I'd like to take a moment to thank SoftLayer, and especially Nick Hale, who offered full cooperation on the matter. More actions like this from victimized ISPs will definitely keep the bad guys on their toes.
Apart from all this, an interesting thing we noticed was that the C&C servers hosted at other providers were also down the next day. This is probably a combination of the providers shutting them down and the bad guys abandoning the servers (as a result of the C&C shutdown at SoftLayer). As of Jan 18, 2010, all of the US servers mentioned above are shut down. Only the two servers located in the Netherlands are still up and running at the time of writing this article.
These are the live servers:
94.75.233.172
94.75.233.171
The WHOIS record for 94.75.233.172 looks like this:
inetnum: 94.75.233.0 - 94.75.233.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: assignment LEASEWEB 20080723
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: LEASEWEB-MNT
source: RIPE # Filtered
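As an added example (not code from the original post or from FireEye), the following Python parses a RIPE-style "key: value" record like the one above, checks which inetnum block an address falls in and pulls the abuse mailbox out of the remarks. This is the information needed to group CnC addresses by hosting provider before filing abuse requests; the sample record is the article's WHOIS output abridged to the fields the parser uses.

```python
import ipaddress
import re

# Constructed sample: the RIPE record quoted in the article, abridged to the
# fields the parser needs (not the output of a live whois query).
SAMPLE_WHOIS = """\
inetnum: 94.75.233.0 - 94.75.233.255
netname: LEASEWEB
descr: LeaseWeb
descr: Netherlands
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
country: NL
admin-c: LSW1-RIPE
status: ASSIGNED PA
source: RIPE # Filtered
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_whois(text):
    """Parse a RIPE-style record into a dict. Repeated keys (descr,
    remarks) are joined so the abuse address can be found in the
    free-text remarks even when it spans several lines."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        record[key] = (record[key] + " " + value) if key in record else value
    return record

def inetnum_range(record):
    """Turn 'a.b.c.d - e.f.g.h' into the list of CIDR networks it covers."""
    start, end = (s.strip() for s in record["inetnum"].split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))

def abuse_contact(record):
    """Abuse mailbox from the remarks, or None if the record has none."""
    match = EMAIL_RE.search(record.get("remarks", ""))
    return match.group(0) if match else None

def attribute(ip, whois_text):
    """Map a CnC address to the provider block that covers it; returns
    None when the record does not cover the address at all."""
    record = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in inetnum_range(record)):
        return None
    return {"netname": record["netname"], "country": record["country"],
            "abuse": abuse_contact(record)}
```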
Back to the real story. Infiltrating Pushdo was not something to do simply for the sake of fun. There was some serious motivation behind all this.
Motive #1
Grab the server component and all related files. This information was essential to understand this botnet's internals.
Motive #2
Try to investigate who the guys behind Pushdo are, including their origin and business model. According to SoftLayer records, these servers were based out of Germany (Berlin). SoftLayer provided us with further details such as the company and name of the registered owner. A quick search on Google for those did not reveal anything meaningful. This is not a surprise, since these guys normally use stolen credit cards for purchasing such servers, leaving no clue behind.
What did I find inside Pushdo's CnC? What was running as the CnC server? Did I get any clues about the guys behind it? I would like to discuss all this in my next article. Stay tuned...
This post originally appeared on the FireEye Malware Intelligence Lab blog.
Comments
hmmm... interesting article, a little build-up and then a whole load of nothing. Maybe it should be published after it has been completed. What's the rush?
What's with the carrot dangling. This article had as much substance as candy floss. Some kind of filler on a slow news day?
oh the suspense
how amateurish
Fail !!!!!!!!
If ya wanna know, I have been fighting the botnet and hackers since Aug 2008. Recently I found out that I am the command and control center of the botnet. The TCP/IPv6 is what's now going on.
Here is some info. All the info above is what my packets show. Who is .... tell ...... I have been receiving over 2000 incoming IPs 24/7 since February, before April. The hackers successfully used the DNS servers to spread. It used strings in memory to hide itself. The botnet used certificates and a cookie system to break through. The first major change in the worm happened Nov 17 of 2009. Danielle arrested, then 2 or more days of monitors going black for a sec through all my machines at different times (programming font and color codes), then my machines went through reboot loops that spread. And when I got back up on my machines, I noticed a change in the 2000 incoming IPs. They switched from high ports (linked to the parsings) to port 445 as the only port.
When I found eset.com (first to detect any part of the worm aka trojans) (after Kaspersky's short success aka generic keyloggers), it had a link that allowed me to see where my connection routes to. And even though I'm in Montana, it showed me living in Amsterdam.