{
	"id": "20150422-4b48-415d-892f-55c0eab5bfee",
	"created_at": "2026-04-06T00:06:40.587496Z",
	"updated_at": "2026-04-10T03:23:51.979379Z",
	"deleted_at": null,
	"sha1_hash": "63b87d86ee2ab3b8190b652be318527e6a46292d",
	"title": "Researchers Kneecap ‘Pushdo’ Spam Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62062,
	"plain_text": "Researchers Kneecap ‘Pushdo’ Spam Botnet\r\nPublished: 2010-08-27 · Archived: 2026-04-05 20:36:08 UTC\r\n\r\nSecurity researchers have dealt a mighty blow to a spam botnet known as Pushdo, a massive grouping of hacked PCs that until recently was responsible for sending more than 10 percent of all junk e-mail worldwide.\r\n\r\nAccording to security firm M86 Security Labs, junk e-mail being relayed by Pushdo (a.k.a. Cutwail) tapered off from a torrent to a dribble over the past few days. M86 credits researchers at Lastline Inc., a security firm made up of professors and graduate students from the University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany).\r\n\r\nLastline’s Thorsten Holz said his group identified 30 Internet servers used to control the Pushdo/Cutwail infrastructure, located at eight different hosting providers around the globe. Holz said Lastline contacted all of the hosting providers and worked with them to take down the machines, which led to the takedown of nearly 20 of those control servers.\r\n\r\n“Unfortunately, not all providers were responsive and thus several command & control servers are still online at this point,” Holz wrote on the company’s blog. “Nevertheless, this effort had an impact on Pushdo/Cutwail, which you can also see in new Anubis reports generated today by re-running the analysis: Many connection attempts fail and infected machines cannot receive commands anymore.”\r\n\r\nIt will be interesting to see whether this action has a lasting effect on the Pushdo/Cutwail botnet, which has rebounded from similar infrastructure attacks in the past. In January 2010, researchers at Neustar and several ISPs targeted the control servers for the Lethic botnet, another botnet that at the time was estimated to be responsible for relaying roughly one in ten spam e-mails. But just a month after that takedown, spam volumes from Lethic began recovering.\r\n\r\nIn May 2009, the Federal Trade Commission ordered the unplugging of a hosting provider in Northern California called 3FN, which was at the time hosting a large number of Cutwail control servers. The 3FN takedown — a type of botnet assault that I like to call a “shun” — relies on ostracizing or immobilizing ISPs and hosting providers that repeatedly turn a blind eye to serious abuse on their networks.\r\n\r\nThis latest action by Lastline falls into the other major takedown category, a group of tactics best described as “stuns,” wherein researchers target a botnet’s control infrastructure in a coordinated takedown. I discuss both of these tactics in the latest McAfee Security Journal, available at this link.\r\n\r\nSource: https://krebsonsecurity.com/2010/08/researchers-kneecap-pushdo-spam-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2010/08/researchers-kneecap-pushdo-spam-botnet/"
	],
	"report_names": [
		"researchers-kneecap-pushdo-spam-botnet"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63b87d86ee2ab3b8190b652be318527e6a46292d.pdf",
		"text": "https://archive.orkl.eu/63b87d86ee2ab3b8190b652be318527e6a46292d.txt",
		"img": "https://archive.orkl.eu/63b87d86ee2ab3b8190b652be318527e6a46292d.jpg"
	}
}