Pushdo botnet gets DGA update, over 6,000 machines host new variant

In less than a day, over 6,000 infected machines were updated with the new Pushdo variant.

The Pushdo botnet, known for delivering a bevy of malware through its spamming module Cutwail, is being updated to leverage a new domain-generation algorithm (DGA).

According to researchers at Bitdefender Labs, over 6,000 infected machines in the 1.5 million-strong botnet now host the new malware variant. On Monday, the Bitdefender team discovered the modified version of Pushdo, and by Tuesday, thousands of unique IP addresses worldwide were attempting to contact the malware's control hub – a count that only includes the most affected countries.

In a Wednesday blog post, Bitdefender detailed the developments. Among the top 10 countries impacted by the new variant were Vietnam, India, Indonesia and the United States (where nearly 600 infections were detected).

In May 2013, researchers at Damballa Labs, Dell SecureWorks and Georgia Tech also revealed that the Pushdo botnet had been revived using a domain-generation algorithm. A DGA lets infected machines generate a list of candidate domain names on their own, concealing the actual location of the command-and-control infrastructure; the technique helped the botnet revive itself for the fifth time in a five-year period, the organizations noted.

First appearing in 2007, the Pushdo trojan has been used to deliver financial malware, like Zeus and SpyEye, via spam.

In a Wednesday interview with SCMagazine.com, Bogdan Botezatu, senior e-threat analyst at Bitdefender Labs, said that cybercriminals appeared to be focused on updating the botnet, for now, and had not yet spread any new malware via Pushdo's spamming module (Cutwail).

“At the moment, the Pushdo botnet is busy updating itself,” Botezatu said. “[Computers hosting the new variant] aren't pushing anything yet; they are trying to bring all the clients to the updated version. The estimation of Pushdo [infections] came in at 1.5 million computers infected worldwide – we expect them all to be updated to the latest version.”

In a Tuesday blog post, Bitdefender said that the updated DGA made use of new domain names to obfuscate miscreants' activities, though “the main structure of the algorithm was preserved.”

In addition, attackers changed the public and private encryption keys used to protect botnet communications and also added an “encrypted overlay” which acts as a “checkup,” making sure the malware doesn't run properly unless certain conditions are met, the blog post said.

Bitdefender created a threat map which shows computers hosting the new malware variant by country.
