2010/06/30, 2:14 pm
This morning, I received an email which COULD BE sent (thanks Joyce, :P) from the admin of the web site to ask about this DDoS attack. I assumed he is the admin. I replied to that email. Till now, there is no reply yet. Maybe I'm being cheated. :(
Hope the real admin could get some idea from the following info.
2010/06/29, 5:23 pm
Pushdo just released a new module, named “restyle_bot”.

Analysis will follow. :P
2010/06/25, 11:23 am
Again, the mail sniffer module's server IP changed to 64.120.179.82.

2010/06/24, 7:33 pm

This is the mail sniffer module of the Pushdo botnet; it is back.
Compared with the old one, only the hard-coded server IP changed to 218.93.205.238.
2010/06/23, 5:26 pm


Thanks to the Pushdo Botnet Tracker, I could intercept the latest Pushdo modules.
The module name is “google_ddos”. The working module was being downloaded by Pushdo from 2010-06-23 14:55:13, and it had 2 updates in only 1.5 hours. It could launch a DDoS attack against a website; in this case, it is hyipinvestment.com.
Now (2010-06-23 17:24:32), the web site is down. I tried to contact the site admin to report this attack, but I couldn't find any email address. Too bad. :(
Notice:
I'll not reveal any detailed info about the tech side of this attack until the website admin contacts me and this attack is stopped. And, if the web admin could reach me via grep1025@gmail.com, I could help them stop this attack.
Update:
More Pushdo C&C servers got updates.

2010/06/09, 4:42 pm
From the latest result of the Pushdo (magadan) Tracker, a new module named “botloader” was released last night.

From the above tracker result, we can notice that the module is updated from different Pushdo C&C servers, but only one vendor got updated. That means only a small part of the Pushdo/Cutwail/Webwail botnet will try to download this module. And from the “entry date”, we can see that the Pushdo C&C servers are not actually updated at the same time. The longest interval is around 10 hours. That means the author(s) updated them group by group.
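To make the rollout observation above concrete, here is an added Python example, not part of the original post or of the tracker itself: it takes constructed tracker records (C&C IP, module name, entry date; the field layout and the sample values are assumptions) and reports, per module, how many C&C servers picked up the update and how far apart their entry dates lie, which is how a staggered, group-by-group rollout shows up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample tracker entries: (C&C ip, module name, entry date).
# Hypothetical layout and documentation-range IPs; the real tracker output
# shown in the post is not reproduced here.
SAMPLE_ENTRIES = [
    ("203.0.113.10", "botloader", "2010-06-08 22:10:00"),
    ("203.0.113.11", "botloader", "2010-06-08 22:12:00"),
    ("203.0.113.12", "botloader", "2010-06-09 03:40:00"),
    ("203.0.113.13", "botloader", "2010-06-09 08:05:00"),
    ("203.0.113.10", "mail_sniffer", "2010-06-08 12:00:00"),
]

# Gap between consecutive entry dates (in hours) above which we call the
# rollout staggered. The threshold is an assumption, not from the post.
STAGGER_GAP_HOURS = 1.0


def parse_entries(rows):
    """Turn (ip, module, 'YYYY-MM-DD HH:MM:SS') rows into datetime-bearing tuples."""
    return [(ip, mod, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")) for ip, mod, ts in rows]


def rollout_summary(entries):
    """Per module: distinct C&C servers, first-to-last span and the largest gap
    between consecutive entry dates, plus a staggered-rollout flag."""
    by_module = defaultdict(list)
    for ip, mod, ts in entries:
        by_module[mod].append((ts, ip))
    summary = {}
    for mod, items in by_module.items():
        items.sort()  # chronological order by entry date
        first, last = items[0][0], items[-1][0]
        gaps = [(items[i + 1][0] - items[i][0]).total_seconds() / 3600
                for i in range(len(items) - 1)]
        summary[mod] = {
            "servers": len({ip for _, ip in items}),
            "span_hours": round((last - first).total_seconds() / 3600, 2),
            "max_gap_hours": round(max(gaps), 2) if gaps else 0.0,
            "staggered": bool(gaps) and max(gaps) > STAGGER_GAP_HOURS,
        }
    return summary


if __name__ == "__main__":
    for mod, info in rollout_summary(parse_entries(SAMPLE_ENTRIES)).items():
        print(mod, info)
```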
This “botloader” will download 4 possible other malicious bot samples. The 4 URLs are the following:
hxxp://89.149.223.229/dm/files/aukhrfbv.exe
hxxp://89.149.223.229/dm/files/hftywmn.exe
hxxp://89.149.223.229/dm/files/knwtxtk.exe
hxxp://89.149.223.229/dm/files/sdknfhl.exe