FireEye Malware Intelligence Lab

Seeing SoftLayer in the above ISP list was something which made me quite excited. SoftLayer has a good track record of quickly responding to abuse notifications, so I knew that taking these servers offline would not be a big deal.  But this time I was hoping for something more.  Keeping in mind the good relationship between FireEye and SoftLayer, we requested access to one of the CnCs.  Nick Hale from the SoftLayer abuse department replied very quickly based on the evidence provided by FireEye. He made a decision to work with us in obtaining important information before shutting down all the Pushdo CnC servers in their network. Before we get into the details of what was discovered, I'd like to take a moment to thank SoftLayer, and especially Nick Hale, who offered full collaboration on the matter.  More actions like this from victimized ISPs will definitely keep the bad guys on their toes.

An interesting aftereffect we noticed was that the Pushdo C&C servers hosted at other providers were also unavailable the next day. This was probably a combination of the providers shutting them down or the bad guys abandoning the servers (as a result of the C&C shutdown at Softlayer). As of Jan 18, 2010, all of the US servers listed above are offline. Only two servers located in 'Netherlands' are still up and running at the time of writing this article (see update below).

These are the live servers:

94.75.233.172
94.75.233.171

WHOIS for 94.75.233.172 is like this:

inetnum:   94.75.233.0 - 94.75.233.255
netname:   LEASEWEB
descr:     LeaseWeb
descr:     P.O. Box 93054
descr:     1090BB AMSTERDAM
descr:     Netherlands
descr:     www.leaseweb.com
remarks:   Please send email to "abuse@leaseweb.com" for complaints
remarks:   regarding portscans, DoS attacks and spam.
remarks:   assignment LEASEWEB 20080723
country:   NL
admin-c:   LSW1-RIPE
tech-c:    LSW1-RIPE
status:    ASSIGNED PA

mnt-by:    LEASEWEB-MNT

source:    RIPE # Filtered

Now back to the main storyline.  Infiltrating Pushdo was not something we took on lightly simply for the sake of fun.  There were some important goals behind all this.

Goal # 1

To grab the server components and all related files. This information would be essential to understanding this botnet's internals.

Goal # 2

To get insight into the people behind Pushdo, including their origin and business model. According to Softlayer's records, the Pushdo CnC servers were based out of Germany (Berlin). A quick Google search on the company name and the registered owner name did not reveal anything meaningful. Not too surprising given the fact that these guys typically use stolen credit cards for purchasing these servers and do their best to leave no clues behind.

What did I find inside Pushdo's CnC server? What was running as a CnC server? Did I get any clues about the guys behind Pushdo?  Stay tuned as I will discuss this in my next article...

Update Jan 22, 2010, 10:00 AM PST:

Thanks to the quick action by research community, this morning authorities at LeaseWeb, Netherlands also pulled the plug for CnCs hosted within their facility.  

--------------------

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM