Researchers cripple Pushdo Botnet

by certifiedbug on August 28, 2010

in Internet Security

LastLine Inc

We identified a total of 30 servers used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world. The information about the activity was extracted from Anubis reports, which contain details about the system and network activities, including a pcap file that contains the network traffic we observed while doing the analysis. We contacted all hosting providers and worked with them on taking down the machines, which led to the take-down of almost 20 servers. Unfortunately, not all providers were responsive and thus several Command & Control servers are still online at this point. Nevertheless, this effort had an impact on Pushdo/Cutwail,

http://blog.tllod.com/2010/08/26/insights-into-the-pushdocutwail-infrastructure/
