HKCert
Security Blog

Pushdo Botnet Detection and Cleanup in Hong Kong

Release Date: 27 / 09 / 2013
Last Update: 11 / 12 / 2013

1. HKCERT operation on Pushdo botnet infection

In May 2013, HKCERT received a report from CERT Austria (CERT.at) about Pushdo botnet infections in Hong Kong. 307 Hong Kong IP addresses were reported to have connected to a sinkhole detection system operated by a security researcher. Because a sinkhole stands in for command-and-control infrastructure that the malware tries to reach, such a connection indicates that a machine behind the IP address may have been infected with Pushdo malware, become part of the Pushdo botnet and made the connection on the botnet's behalf. Upon receiving the report, we notified the ISPs that administer those IP addresses so that they could alert their users about the infection.
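The triage step in this operation, grouping the sinkhole hits by the ISP that administers each source address so that each ISP receives one notification batch, as an added Python example that is not HKCERT's or CERT.at's own tooling. The report layout (timestamp, source IP and port, sinkhole IP and port), the sample hit lines and the ISP allocation table are all constructed for illustration; a real report may be laid out differently, and the allocation data would come from the CERT's own records of local address blocks.

```python
"""Group sinkhole hits into per-ISP notification batches (added example).

The report format (timestamp,src_ip,src_port,sinkhole_ip,sinkhole_port), the
sample lines and the ISP allocation table below are all constructed for this
example; they are not CERT.at's report format or HKCERT's data.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample report: one host hitting the sinkhole three times over two
# days, two single hits, and one source outside every known local allocation.
SINKHOLE_REPORT = """\
timestamp,src_ip,src_port,sinkhole_ip,sinkhole_port
2013-05-06T01:12:44Z,203.0.113.17,49211,198.51.100.5,80
2013-05-06T01:13:02Z,203.0.113.17,49230,198.51.100.5,80
2013-05-06T02:40:10Z,203.0.113.250,51003,198.51.100.5,80
2013-05-06T03:05:59Z,192.0.2.77,44120,198.51.100.5,80
2013-05-07T09:18:31Z,203.0.113.17,50111,198.51.100.5,80
2013-05-07T11:00:00Z,198.18.4.9,40001,198.51.100.5,80
"""

# Constructed allocation table: prefix -> ISP name. The most specific prefix
# wins when prefixes overlap (e.g. a block carved out of a larger ISP block).
ISP_ALLOCATIONS = {
    "203.0.113.0/24": "ExampleNet HK",
    "203.0.113.128/25": "ExampleNet HK (business unit)",
    "192.0.2.0/24": "Sample Broadband",
}


def load_allocations(table):
    """Parse the prefix table once into (network, isp) pairs."""
    return [(ipaddress.ip_network(prefix), isp) for prefix, isp in table.items()]


def isp_for(ip, allocations):
    """Return the ISP for ip by longest-prefix match, or None if unallocated."""
    best_net, best_isp = None, None
    for net, isp in allocations:
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_isp = net, isp
    return best_isp


def triage(report_text, table):
    """Collapse raw hits into one record per source IP, grouped by ISP.

    Returns {isp_name_or_"UNKNOWN": [record, ...]} with records sorted by IP.
    Each record holds ip, hits, first_seen and last_seen (datetime objects);
    the timestamps are kept because an ISP can only map a dynamic address to a
    subscriber by correlating them with its own DHCP or NAT logs.
    """
    allocations = load_allocations(table)
    hosts = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        ip = ipaddress.ip_address(row["src_ip"])
        seen = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec = hosts.get(ip)
        if rec is None:
            rec = hosts[ip] = {"ip": str(ip), "hits": 0, "first_seen": seen,
                               "last_seen": seen, "isp": isp_for(ip, allocations)}
        rec["hits"] += 1
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)

    batches = defaultdict(list)
    for ip in sorted(hosts):  # ip_address objects sort numerically, not as strings
        rec = hosts[ip]
        batches[rec["isp"] or "UNKNOWN"].append(rec)
    return dict(batches)


def notification_text(isp, records):
    """Render one ISP's batch as the plain-text table attached to its alert."""
    lines = [f"Sinkhole hits for {isp}: {len(records)} address(es)",
             "ip,hits,first_seen,last_seen"]
    for rec in records:
        lines.append(f'{rec["ip"]},{rec["hits"]},'
                     f'{rec["first_seen"]:%Y-%m-%dT%H:%M:%SZ},'
                     f'{rec["last_seen"]:%Y-%m-%dT%H:%M:%SZ}')
    return "\n".join(lines)


if __name__ == "__main__":
    for isp, records in triage(SINKHOLE_REPORT, ISP_ALLOCATIONS).items():
        print(notification_text(isp, records))
        print()
```

Addresses that fall outside every known allocation land in the UNKNOWN batch rather than being dropped, so they can be checked by hand against WHOIS data before the notification round goes out. Hit counts and first/last seen times travel with each address because a single contact to a sinkhole can be a scanner or a researcher, while repeated contacts over days are the pattern expected from an infected host.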

2. Impact of Pushdo botnet

Pushdo malware was discovered as early as 2007 and has been used to distribute SpyEye and Zeus malware [1]. It acts as a malware dropper: a machine infected with Pushdo downloads further malicious files, mainly the Wigon rootkit or the Cutwail spam malware [2].

Cutwail is infamous for sending spam email from infected machines. In both Q1 [4] and Q2 [3] 2013, Cutwail topped the list of spamming botnets, with more than 6 million new infections in Q2.

Pushdo malware is usually distributed via malicious email attachments, or by drive-by download exploits reached through embedded links to malicious websites.

Figure 1  Messaging botnet infections in 2013 Q2 (source: McAfee Threats Report: Second Quarter 2013)

3. How to detect and remove Pushdo malware

If you suspect that your computer is infected with Pushdo malware, follow the steps below to perform a full system scan with Microsoft Safety Scanner:

  1. Visit http://www.microsoft.com/security/scanner/en-us/ and click "Download Now" to download Microsoft Safety Scanner.
  2. Double-click msert.exe to run it. Accept the license agreement by ticking the "Accept all terms of the preceding license agreement" check box, then click "Next" to proceed.
  3. Select "Full scan" and click "Next" to start scanning.
  4. Scanning is in progress. A full scan can take several hours, depending on how many files are on your computer.
  5. If your computer is not infected with any malware, the result will show that no viruses, spyware or other potentially unwanted software were detected.
  6. If your computer is infected with Pushdo malware, it will be detected and removed by the scanner.

Note that Microsoft Safety Scanner is an on-demand tool and not a replacement for a resident antivirus product, and its signatures expire 10 days after download, so download a fresh copy for each scan.


4. Reference

You can find the references cited above and other technical details about the Pushdo botnet below.

  1. Pushdo botnet is evolving, becomes more resilient to takedown attempts, ComputerWorld
  2. Trojan.Pushdo Variants, IBM Internet Security Systems
  3. McAfee Threats Report: Second Quarter 2013, McAfee (PDF)
  4. McAfee Threats Report: First Quarter 2013, McAfee (PDF)
  5. PushDo Evolves Again: Enhances Evasion with Domain Generation Algorithm (DGA), Damballa (PDF)