
24 Hour Review: Pushdo diversifying, cashing in

By Derek Manky | January 29, 2010

We have written much on Pushdo and its associated spamming component Cutwail over the years; for in-depth information on these botnets, check out our analysis. Cutwail has been observed with many spam campaigns over the past year, and today is no exception. As of writing, we observed 6 separate e-mail campaigns being sent from different Cutwail binaries -- all within the last 24 hours. The images below show these emails, each with a description. Since the campaigns range from malware to links and scams with different affiliate identifiers, it is likely that Pushdo/Cutwail is operating spam services for more than just one or two customers.


Email 1: DHL campaign invoice attachment, Sasfis


Email 2: DHL campaign invoice attachment, Sasfis


The above two emails are the infamous DHL campaigns, often associated with a similar UPS template. In the past, these campaigns have been observed to spread Bredolab, Zeus/ZBot, Pushdo/Cutwail itself, and now Sasfis. We just posted an analysis on Sasfis, so have a look here for more details on this emerging botnet. Both Email 1 and Email 2 spread the same Sasfis binary (that is, they use the same b= botnet identifier and C&C servers), but have slightly different templates, as you can observe. This version of Sasfis is slightly different from the one we analyzed - it shuffles parameters a bit, and is currently downloading Hiloti, a trojan similar to ZBot.

Email 3: Ecard attachment from 123greetings, FakeAV download


The next email shown above spreads through typical fake greeting cards. Buzus used a similar technique, discussed here in our January 2010 Threat Landscape Report (Christmas Cards through ...). This binary is actually a FakeAV loader, which connects and downloads a product called "Security Tool". Fortinet detects this attachment / FakeAV loader as "W32/FakeAV.ACP!tr".


Email 4: VISA phish


This next email is a classic phishing technique, appearing to come from VISA. It goes on to claim that the card was fraudulently used, and that a form needs to be filled out by the authenticated user. While the plaintext link shows a top-level domain of "", the actual link target (the anchor's href) points to "". Always be on the lookout for this mismatch, and remember that such unsolicited requests should not be followed. Notice that the link includes a reference and email ID used for tracking.
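A defender-side check for the text/href mismatch described above, written as an added example (it is not from the original post): it parses the anchors out of an HTML mail body, compares the domain shown in the link text with the host the href actually points to, and lists tracking-style query keys carried in the href. The sample HTML, the placeholder domains and the TRACKING_KEYS names are constructed assumptions, not values from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse
# Query-string keys treated as tracking identifiers (assumed names, illustrative only).
TRACKING_KEYS = {"ref", "id", "email", "eid", "uid"}

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude last-two-labels approximation of the registrable domain (no PSL)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def check_anchors(html):
    """Return findings for anchors whose visible domain differs from the href's host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if not shown:
            continue  # link text names no domain; nothing to compare against
        shown_dom = registrable(shown.group(0))
        if shown_dom != registrable(target.hostname or ""):
            tracking = sorted(k for k in parse_qs(target.query) if k.lower() in TRACKING_KEYS)
            findings.append({"shown": shown_dom, "actual": target.hostname, "tracking": tracking})
    return findings

# Constructed sample modelled on the VISA phish above; all domains are placeholders.
SAMPLE = ('<p>Verify at <a href="http://secure-form.example.net/verify?ref=7781&amp;email=a@b.test">'
          'https://www.visa.example.com/fraud</a> or see <a href="https://www.visa.example.com/help">'
          'www.visa.example.com/help</a>.</p>')
```

Running `check_anchors(SAMPLE)` flags only the first anchor, reporting the shown domain, the real host and the `email` and `ref` tracking keys; the second anchor, whose text and href agree, is not reported.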

Email 5: MSN to Cheap Watches


Email 5 shows an email appearing to come from Microsoft, telling the user that they have subscribed to an "MSN Features" feed. The social engineering trick here is to dupe the user into not wanting this spam, so that they click on the "unsubscribe" link. All links provided in the email point to "", a replica watch site under the name of "Watch Store".


Email 6: Drugs for sale - Best for you health

The last email we observed Cutwail sending out within the last 24 hours was very simple, providing a link for the user to click on. This link redirects to "", a site under the name of "Best for you health". This is a classic pharmacy site, with an affiliate identifier pushed through to hand out the appropriate commission payouts if users are duped into buying any of these drugs. Cyber criminals running illegal pharmaceutical sites often keep them alive by registering thousands of domains which point back to servers that proxy HTTP content from further upstream servers (motherships). This link ("") has the same characteristics as those automatically registered in Canadian Pharmacy campaigns -- using two dictionary words -- and uses select registrars as safe havens. Read more here: single IPs often host the same content as shown above in Emails 5 and 6 (watches, shoes, pirated software and pharmacy).

This is all happening in parallel - that is, Cutwail's C&C servers are returning different templates depending on which botnet they belong to. This is a sign of diversification, so they can keep up with growing demand on their spamming services.

Thanks to Fortinet's Kyle Yang for his binary and spam analysis.
