Discovered in 2007, Cutwail malware targets Windows OS and is distributed via the Pushdo Trojan, which spreads through malicious emails. Cutwail’s primary function is to turn infected systems into a spambot. In 2009, it was determined that the Cutwail botnet was the largest botnet based on the number of infected systems. Security company, MessageLabs, estimated that the botnet comprised 1.5 to 2 million infected computer systems and was capable of sending 74 billion spam emails per day, representing 46.5 percent of global spam distribution. The botnet creators worked hard to prevent the Cutwail botnet from attracting the attention of antivirus software and of security researchers by frequently changing the code and writing only a minimal amount of data to disk –  instead residing primarily in memory.

In early 2010, the botnet was altered and used to launch a DDoS campaign against 300 major websites, including those belonging to US government agencies such as the CIA and FBI. Later that year, researchers from two universities attempted to dismantle the botnet and succeeded in removing 20 of the botnet’s 30 C2 servers. The Russian online forum that advertised rental of the Cutwail botnet was also removed in 2010. However, in 2013, the Cutwail botnet was seen delivering the Cridex worm to infected systems and then, in 2014, Trend Micro reported that the Cutwail spambot was seen spreading UPATRE malware which delivers malware related to the Dyre banking Trojan. Members within the cybersecurity industry have tried, and continue to try, to disrupt and terminate this botnet. However, each time, the results have been temporary and the botnet has demonstrated its resiliency as it changes its operation and tactics.

Windows OS users can avoid becoming infected with Cutwail and Pushdo by applying patches and updates to their operating systems and software, running updated antivirus software, installing an ad-blocking extension on their web browsers, and avoiding opening spam emails and suspicious, unexpected email attachments.

Reporting and Technical Details

  • December 2007: Pushdo - Analysis of a Modern Malware Distribution System (SecureWorks)
  • January 2012: Pharma Wars: ‘Google,’ the Cutwail Botmaster (KrebsOnSecurity)
  • August 2013: Threat Encyclopedia – CUTWAIL (Trend Micro)
  • October 2014: CUTWAIL Spambot Leads to UPATRE-DYRE Infection (Trend Micro)
  • April 2015: Pushdo Spamming Botnet Gains Strength Again (PCWorld)
  • April 2015: Pushdo It To Me One More Time - Threat Advisory #1016 (Fidelis Cybersecurity)

Screenshots of spammed messages related to CUTWAIL/PUSHDO. Image Source: Trend Micro