The disruption of the Pushdo botnet has not stopped spammers, despite nearly two-thirds of the botnet's command and control servers being taken out of commission.
From the shutdown of McColo to last week's disruption of the Pushdo botnet,
spammers have continually found ways to stay in business.
Nearly 20 of the 30 command and control (CnC) servers associated with Pushdo
were taken offline last week due to efforts by security vendor LastLine.
The servers were supported by eight hosting providers, some of which did not
respond to the vendor's requests for action.
According to Thorsten Holz, senior threat analyst with LastLine, the goal of
the company's research was not to completely take down the botnet, but
to gain insight into Pushdo's CnC
At full strength, the botnet was believed to be responsible
for between 7 and 10 percent of all spam.
"We worked with different hosting providers and [got] a quick response
from many of them, but unfortunately not all providers reacted on our abuse
requests," he said. "Especially the hosting providers from China
did not react at all, which is kind of disappointing.
"Better cooperation and coordination would help in the future; we are
in the process of building better relationships with more hosting providers,"
While roughly two-thirds of Pushdo's servers were knocked
offline, spam from the botnet is recovering, according to M86 Security. In
addition, Matt Sergeant, senior anti-spam technologist with Symantec Hosted
Services, said overall spam levels today stand relatively
"Considering the fact that the entire botnet was not taken down thanks
to these bulletproof hosting companies, it appears that the botnet was still
able to operate and create a good deal of traffic," said Fred Touchette,
senior security analyst at AppRiver. "Virus levels are down overall on the
other hand, but not much, and it's unclear whether or not this is due to the
In order for a botnet shutdown to be effective, all CnC servers have to be
taken down simultaneously, said Gunter Ollmann, vice president of research at
"If even one single CnC server is left up, the botnet will still be
operational," Ollmann said. "Then, once the botnet operator has spun
up some of his spare or reserve CnC servers, he simply pushes a configuration
file update down to all the victim computers within the botnet with the list of
the new CnC servers. The only other way to permanently shut down a botnet is to
locate and remove the operators themselves-but even this has problems as
evidenced in the almost comic way in which the botnet operators behind the
Mariposa botnet were able to resume control [temporarily] after being arrested."
In response to the takedown, Touchette expects those in control of Pushdo
will continue to spread their control servers across various countries and
hosting companies to guarantee uptime.
"They may even begin to develop new code for their botnets which change
the way they can communicate with each other in order to protect their numbers,"
he said. "Something like a peer-to-peer communication between the bots
themselves would eliminate the need for centralized command and control
The list of command and control servers is not static, added Ollmann, and
can be dynamically changed at any time.
"Most botnet operators factor in a certain degree of attrition to their
CnC infrastructure and are therefore experienced in quickly spinning up new and
additional CnC servers rapidly," he said.