Incident Response, Malware, TDR

Pushdo botnet gets DGA update, over 6,000 machines host new variant

The Pushdo botnet, known for delivering a bevy of malware through its spamming module Cutwail, is being updated to leverage a new domain-generation algorithm (DGA).

According to researchers at Bitdefender Labs, over 6,000 infected machines in the 1.5 million-strong botnet now host the new malware variant. On Monday, the Bitdefender team discovered the modified version of Pushdo, and by Tuesday, thousands of unique IP addresses worldwide were attempting to contact the malware's control hub – a count that only includes the most affected countries.

In a Wednesday blog post, Bitdefender detailed the developments. Among the top 10 countries impacted by the new variant were Vietnam, India, Indonesia and the United States (where nearly 600 infections were detected).

In May 2013, researchers at Damballa Labs, Dell SecureWorks and Georgia Tech also revealed that the Pushdo botnet had been revived using a domain-generation algorithm tactic. DGA, which allows infected machines to generate a list of domain names and conceal the actual location of the command-and-control infrastructure, helped the botnet revive itself for the fifth time in a five-year period, the organizations noted.

First appearing in 2007, the Pushdo trojan has been used to deliver financial malware, like Zeus and SpyEye, via spam.

In a Wednesday interview with, Bogdan Botezatu, senior e-threat analyst at Bitdefender Labs, said that cyber criminals appeared to be focused on updating the botnet, for now, and hadn't yet spread any new malware via Pushdo's spamming module (Cutwail).

“At the moment, the Pushdo botnet is busy updating itself,” Botezatu said. “[Computers hosting the new variant] aren't pushing anything yet; they are trying to bring all the clients to the updated version. The estimation of Pushdo [infections] came in at 1.5 million computers infected worldwide – we expect them all to be updated to the latest version.”

In a Tuesday blog post, Bitdefender said that the updated DGA made use of new domain names to obfuscate miscreants' activities, though “the main structure of the algorithm was preserved.”

In addition, attackers changed the public and private encryption keys used to protect botnet communications and also added an “encrypted overlay” which acts as a “checkup,” making sure the malware doesn't run properly unless certain conditions are met, the blog post said.

Bitdefender created a threat map which shows computers hosting the new malware variant by country.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.