Cutwail botnet

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

History

In June 2009 it was estimated that the Cutwail botnet was the largest botnet in terms of the amount of infected hosts. Security provider MessageLabs estimated that the total size of the botnet was around 1.5 to 2 million individual computers, capable of sending 74 billion spam messages a day, or 51 million every minute, equal to 46.5% of the worldwide spam volume.
In February 2010 the botnet's activities were slightly altered when it started a DDoS attack against 300 major sites, including the CIA, FBI, Twitter and PayPal. The reasons for this attack weren't fully understood, and some experts described it as an "accident", mainly due to the lack of damage and disruption, along with the infrequency of the attacks.
In August 2010, researchers from University of California, Santa Barbara and Ruhr University Bochum attempted to take down the botnet, and managed to take offline 20 of the 30 Command and Control servers that the botnet was using.

Structure

Cutwail is a fairly simple botnet. The bots connect directly to the command and control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics on the number of emails that were delivered, and on which and how many errors were reported.

Operations

The Cutwail botnet is known as "0bulk Psyche Evolution" in the underground market. Spammers can rent an instance of the botnet for a fee, and use it to send their own spam campaigns. The services offered by the botnet were advertised on the Russian underground forum "spamdot.biz", that was taken down in 2010. As of June 2010, at least 8 different spam groups were using the botnet to deliver junk mail.