Pushdo botnet gets DGA update, over 6,000 machines host new variant

In less than a day, over 6,000 infected machines were updated with the new Pushdo variant.

The Pushdo botnet, known for delivering a bevy of malware through its spamming module Cutwail, is being updated to leverage a new domain-generation algorithm (DGA).

According to researchers at Bitdefender Labs, over 6,000 infected machines in the 1.5 million-strong botnet now host the new malware variant. On Monday, the Bitdefender team discovered the modified version of Pushdo, and by Tuesday, thousands of unique IP addresses worldwide were attempting to contact the malware's control hub – a count that only includes the most affected countries.

In a Wednesday blog post, Bitdefender detailed the developments. Among the top 10 countries impacted by the new variant were Vietnam, India, Indonesia and the United States (where nearly 600 infections were detected).

In May 2013, researchers at Damballa Labs, Dell SecureWorks and Georgia Tech also revealed that the Pushdo botnet had been revived using a domain-generation algorithm tactic. DGA, which allows infected machines to generate a list of domain names and conceal the actual location of the command-and-control infrastructure, helped the botnet revive itself for the fifth time in a five-year period, the organizations noted.
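To make the mechanism the paragraph describes concrete, here is an added example that is not part of the article and not Bitdefender's, Damballa's or Pushdo's code. It shows the general shape of a date-seeded DGA (a hypothetical hash-based scheme, not the Pushdo algorithm, which the article does not publish) so the reader can see why a bot and a defender who knows the seed and date derive the same candidate list, and then the defensive side: a heuristic that scans constructed DNS resolver log lines for clients producing bursts of NXDOMAIN answers for long, high-entropy, vowel-poor names. All seeds, thresholds, hosts and log lines are constructed for illustration.

```python
"""Added example (not from the article or any named vendor): a generic
date-seeded DGA and a DNS-log heuristic for spotting DGA-style lookups.
The generator is hypothetical, NOT Pushdo's algorithm; logs are constructed."""
import hashlib
import math
from collections import Counter
from datetime import date

TLDS = ("com", "net", "org")          # illustrative TLD pool
EXAMPLE_DAY = date(2013, 8, 20)       # constructed example date


def generate_domains(day, seed, count=5):
    """Hypothetical DGA: label_i = letters(SHA-256(seed || date || i)).
    Bot and defender derive the same list from seed + date, which is why
    recovering the algorithm lets defenders block or sinkhole in advance."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    """Bits per character of the empirical symbol distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label directly under the TLD: 'www.example.com' -> 'example'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.35):
    """Heuristic: long, high-entropy, vowel-poor labels are typical of
    hash-driven DGAs. Thresholds are illustrative; tune on real traffic."""
    label = registrable_label(qname).lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def suspicious_hosts(log_text, min_hits=3):
    """Count NXDOMAIN answers for generated-looking names per client; a bot
    walking its daily list produces many such failures before one resolves.
    Returns {client: hits} for clients at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client] += 1
    return {host: n for host, n in hits.items() if n >= min_hits}


# Constructed resolver log: timestamp, client, query name, response code.
SAMPLE_LOG = """\
2013-08-20T10:00:01 10.0.0.5 www.bitdefender.com NOERROR
2013-08-20T10:00:02 10.0.0.5 scmagazine.com NOERROR
2013-08-20T10:00:03 10.0.0.7 qxzvbkwptrlm.net NXDOMAIN
2013-08-20T10:00:03 10.0.0.7 hgfdkzlqwpxn.com NXDOMAIN
2013-08-20T10:00:04 10.0.0.7 mzrtvplkqwbs.org NXDOMAIN
2013-08-20T10:00:05 10.0.0.7 threatpost.com NOERROR
2013-08-20T10:00:06 10.0.0.9 dsfjkqwpzmxb.com NXDOMAIN
"""

if __name__ == "__main__":
    print(generate_domains(EXAMPLE_DAY, b"example-seed"))
    print(suspicious_hosts(SAMPLE_LOG))   # {'10.0.0.7': 3}
```

The entropy and vowel-ratio tests are deliberately simple; in practice they are combined with NXDOMAIN volume per client and with allow-lists of known content-delivery and analytics names, which also produce long machine-generated labels but resolve successfully.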

First appearing in 2007, the Pushdo trojan has been used to deliver financial malware, like Zeus and SpyEye, via spam.

In a Wednesday interview with SCMagazine.com, Bogdan Botezatu, senior e-threat analyst at Bitdefender Labs, said that cyber criminals appeared to be focused on updating the botnet, for now, and hadn't yet spread any new malware via Pushdo's spamming module (Cutwail).

“At the moment, the Pushdo botnet is busy updating itself,” Botezatu said. “[Computers hosting the new variant] aren't pushing anything yet; they are trying to bring all the clients to the updated version. The estimation of Pushdo [infections] came in at 1.5 million computers infected worldwide – we expect them all to be updated to the latest version.”

In a Tuesday blog post, Bitdefender said that the updated DGA made use of new domain names to obfuscate miscreants' activities, though “the main structure of the algorithm was preserved.”

In addition, attackers changed the public and private encryption keys used to protect botnet communications and also added an “encrypted overlay” which acts as a “checkup,” making sure the malware doesn't run properly unless certain conditions are met, the blog post said.

Bitdefender created a threat map which shows computers hosting the new malware variant by country.
