Pushdo botnet gets DGA update, over 6,000 machines host new variant

In less than a day, over 6,000 infected machines were updated with the new Pushdo variant.

The Pushdo botnet, known for delivering a bevy of malware through its spamming module Cutwail, is being updated to leverage a new domain-generation algorithm (DGA).

According to researchers at Bitdefender Labs, over 6,000 infected machines in the 1.5 million-strong botnet now host the new malware variant. On Monday, the Bitdefender team discovered the modified version of Pushdo, and by Tuesday, thousands of unique IP addresses worldwide were attempting to contact the malware's control hub – a count that only includes the most affected countries.

In a Wednesday blog post, Bitdefender detailed the developments. Among the top 10 countries impacted by the new variant were Vietnam, India, Indonesia and the United States (where nearly 600 infections were detected).

In May 2013, researchers at Damballa Labs, Dell SecureWorks and Georgia Tech also revealed that the Pushdo botnet had been revived using a domain-generation algorithm tactic. DGA, which allows infected machines to generate a list of domain names and conceal the actual location of the command-and-control infrastructure, helped the botnet revive itself for the fifth time in a five-year period, the organizations noted.
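The detection side of the DGA behaviour described above, as an added example that is not part of the original article and is not Bitdefender's or Damballa's code: an infected host cycling through algorithmically generated names produces a burst of lookups for long, high-entropy, vowel-poor labels, most of which return NXDOMAIN because the operator registers only a few of them. The script below scores a constructed excerpt of resolver logs (made up for this example; the log format, IP addresses and domain names are assumptions, not real Pushdo traffic) and flags clients that show both signals together.

```python
"""Flag DGA-style lookup bursts in DNS resolver logs (educational example)."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed resolver log excerpt, one query per line (assumed format):
# <time> <client_ip> <queried_name> <response_code>
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.9 xkq7fzpwtyl.com NXDOMAIN
10:00:03 10.0.0.9 qzvmtrpxjhc.net NXDOMAIN
10:00:04 10.0.0.9 bhvxqtlkmwp.com NXDOMAIN
10:00:04 10.0.0.9 pqwztkxvmnb.org NXDOMAIN
10:00:05 10.0.0.9 lkjhqzxvbnm.com NXDOMAIN
10:00:05 10.0.0.9 zxqvwtrpmlk.net NOERROR
10:00:06 10.0.0.7 cdn.example.org NOERROR
10:00:06 10.0.0.7 login.example.org NXDOMAIN
"""

VOWELS = set("aeiou")


@dataclass
class Query:
    time: str
    client: str
    qname: str
    rcode: str


@dataclass
class HostStats:
    queries: int = 0
    nxdomain: int = 0
    generated_like: int = 0


def parse_log(text: str) -> List[Query]:
    """Parse whitespace-separated log lines; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            out.append(Query(*parts))
    return out


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Label left of the TLD: 'www.example.com' -> 'example'.
    Naive: assumes a single-label public suffix (no co.uk handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def consonant_ratio(label: str) -> float:
    """Fraction of alphabetic characters that are not vowels."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for ch in letters if ch not in VOWELS) / len(letters)


def looks_generated(label: str, min_entropy: float = 3.0, min_consonants: float = 0.75) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels resemble DGA output."""
    return (len(label) >= 8
            and shannon_entropy(label) >= min_entropy
            and consonant_ratio(label) >= min_consonants)


def host_stats(queries: List[Query]) -> Dict[str, HostStats]:
    """Per-client counts of total queries, NXDOMAIN answers and generated-looking names."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for q in queries:
        s = stats[q.client]
        s.queries += 1
        if q.rcode == "NXDOMAIN":
            s.nxdomain += 1
        if looks_generated(second_level_label(q.qname)):
            s.generated_like += 1
    return dict(stats)


def flag_hosts(log_text: str, min_nxdomain: int = 4, min_generated_fraction: float = 0.5) -> List[str]:
    """Clients showing both an NXDOMAIN burst and mostly generated-looking names."""
    flagged = []
    for client, s in host_stats(parse_log(log_text)).items():
        if s.nxdomain >= min_nxdomain and s.generated_like / s.queries >= min_generated_fraction:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in host_stats(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {s.queries} queries, {s.nxdomain} NXDOMAIN, {s.generated_like} generated-looking")
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

Requiring both signals matters: entropy alone flags CDN hostnames and hashed-label services, and NXDOMAIN counts alone flag typo-prone users, while a host that generates dozens of unregistered random names in a short window is what the DGA tactic in the article looks like from the resolver's side. Thresholds are starting points to tune against your own baseline traffic.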

First appearing in 2007, the Pushdo trojan has been used to deliver financial malware, like Zeus and SpyEye, via spam.

In a Wednesday interview with SCMagazine.com, Bogdan Botezatu, senior e-threat analyst at Bitdefender Labs, said that cyber criminals appeared to be focused on updating the botnet, for now, and hadn't yet spread any new malware via Pushdo's spamming module (Cutwail).

“At the moment, the Pushdo botnet is busy updating itself,” Botezatu said. “[Computers hosting the new variant] aren't pushing anything yet; they are trying to bring all the clients to the updated version. The estimation of Pushdo [infections] came in at 1.5 million computers infected worldwide – we expect them all to be updated to the latest version.”

In a Tuesday blog post, Bitdefender said that the updated DGA made use of new domain names to obfuscate miscreants' activities, though “the main structure of the algorithm was preserved.”

In addition, attackers changed the public and private encryption keys used to protect botnet communications and also added an “encrypted overlay” which acts as a “checkup,” making sure the malware doesn't run properly unless certain conditions are met, the blog post said.

Bitdefender created a threat map which shows computers hosting the new malware variant by country.
