In association with heise online

20 February 2012, 13:05

Cutwail botnet back in action



According to M86 Security, the infamous Cutwail botnet (aka Pandex, Mutant and Pushdo) appears to have been reactivated. The security specialists say that in the past few weeks they have registered several waves of HTML emails carrying malicious JavaScript, which probably originated from Cutwail-infected PCs.

Cutwail had its heyday about five years ago, when it led the botnet activity list with 1.6 million infected computers. However, it lost its top position in the market after hackers intruded into the system and disclosed the names of customers and affiliates.

According to M86 Security, the volume of infected emails was 50 times higher between 23 and 25 January, and three further waves from 6 February were found to be as much as 200 times higher. Infected emails had subject lines such as "FDIC Suspended Bank Account", "End of August Statement" and "Scan from Xerox WorkCentre".

The embedded JavaScript code tries to install malware on the recipient's computer through various security holes, for example in old versions of Acrobat Reader. In some cases, the "Cridex" data-stealing trojan has been installed. The botnet uses the "Phoenix Exploit Kit", which has been quite successful on the black market and achieves infection rates of more than fifteen per cent. In early January, details of the operators of the Cutwail botnet became public.
