Pushdo/Cutwail – Sniffing for the Win (Part 4 of 5)

Check out the first, second, and third part of this report.
The bad guys behind this botnet are sly and evil, you have to give them that!
From their end, this is just pure business. They cater to Russian companies that want to advertise their services, be it a law firm or a dance academy, but they have a problem: how do they make sure that the spammed messages were actually delivered? Well, the Pushdo gang have come up with a way of doing just that: by sniffing every email sent from every infected machine. That's right: they added a built-in network sniffer to the growing list of components of the Pushdo threat.
When the computer first becomes infected, one of the modules drops a device driver ("tcpsr.sys") that intercepts all outgoing email traffic and logs the recipients of each message. Every now and then it sends this information to a collection server, which lets the gang know exactly how many mails for each campaign have been sent.
A useful side effect for them is that Pushdo grows their database every time the user sends a legitimate email from the infected PC, since that recipient's address is sent along with the rest of the sniffed data. The sniffer driver is deleted from disk immediately after it becomes active.
This is (continue reading...)
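The two traits described above are both observable from the defender's side: an infected workstation delivers mail directly to many external SMTP servers instead of handing everything to the corporate relay, and the sniffer driver keeps running after its file has been removed from disk. The script below is an added example written for this post, not code from the original article or from any analysis tool; it runs a fan-out check over a constructed flow log (a hypothetical "timestamp src dst dport" format) and a missing-image check over a driver inventory shaped like the Windows Win32_SystemDriver records (name, path, state). The relay address, IP ranges and driver paths are all made up for the example.

```python
"""Hunt for the two observable traits of the Pushdo mail-sniffer component:
1. a workstation talking SMTP directly to many external hosts instead of the
   corporate relay (spam delivery and recipient harvesting both need this), and
2. a loaded kernel driver whose backing file no longer exists on disk (the
   sniffer driver deletes itself once it is active).

All inputs below are constructed for the example; the log format is a
hypothetical "timestamp src_ip dst_ip dst_port" flow record.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: workstations in 10.0.0.0/8, corporate relay 10.1.1.25.
SAMPLE_FLOWS = """\
2012-05-01T09:00:01 10.0.0.5 10.1.1.25 25
2012-05-01T09:00:07 10.0.0.5 10.1.1.25 25
2012-05-01T09:00:02 10.0.0.9 203.0.113.10 25
2012-05-01T09:00:03 10.0.0.9 198.51.100.7 25
2012-05-01T09:00:04 10.0.0.9 192.0.2.33 25
2012-05-01T09:00:05 10.0.0.9 203.0.113.44 25
2012-05-01T09:00:05 10.0.0.9 198.51.100.8 25
2012-05-01T09:00:06 10.0.0.9 192.0.2.80 25
2012-05-01T09:00:09 10.0.0.9 192.0.2.81 443
"""

ALLOWED_RELAYS = {"10.1.1.25"}  # hypothetical corporate mail relay


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            dport = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], dport


def direct_smtp_fanout(text, window=timedelta(minutes=5), min_peers=5):
    """Return {src: distinct_peer_count} for hosts that open SMTP sessions to
    at least `min_peers` distinct non-relay destinations inside any `window`.
    A mail client hands everything to its configured relay; a bot delivering
    spam straight to recipients' MX hosts fans out to many peers."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == 25 and dst not in ALLOWED_RELAYS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        best = 0
        # Sliding window over the time-ordered events for this source host.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            best = max(best, len(peers))
        if best >= min_peers:
            flagged[src] = best
    return flagged


def drivers_missing_on_disk(inventory, exists=os.path.exists):
    """Given driver records shaped like Win32_SystemDriver rows (name, path,
    state), return the names of running drivers whose image file is gone.
    `exists` is injectable so the check can be exercised offline."""
    return sorted(
        rec["name"] for rec in inventory
        if rec["state"].lower() == "running" and not exists(rec["path"])
    )


if __name__ == "__main__":
    print("direct SMTP fan-out:", direct_smtp_fanout(SAMPLE_FLOWS))
    demo_inventory = [  # constructed records; the tcpsr path is hypothetical
        {"name": "tcpip", "path": __file__, "state": "Running"},
        {"name": "tcpsr", "path": r"C:\hypothetical\tcpsr.sys", "state": "Running"},
    ]
    print("running drivers with no file on disk:", drivers_missing_on_disk(demo_inventory))
```

On a real host the inventory for the second check comes from `Get-CimInstance Win32_SystemDriver` (or `driverquery /v`), and the flow records from whatever the perimeter exports; the thresholds are deliberately conservative, since a legitimate workstation almost never opens port 25 to six different external hosts in five minutes.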

Copyright © 2012 The Security Blog. All rights reserved.