
Operators again revive Pushdo botnet, use a popular tactic to stay hidden

Despite efforts to cripple it, the Pushdo botnet has again been resurrected, this time using a domain-generation algorithm (DGA), a technique attackers are increasingly using to hide their command-and-control operations.

Since first appearing in 2007, the Pushdo trojan has been used to deliver financial malware, like Zeus and SpyEye, thanks to a spamming module known as Cutwail.

Now, researchers at Damballa Labs, Dell SecureWorks and Georgia Tech have discovered Pushdo's latest feature, which helped the botnet revive itself for the fifth time in five years.

A detailed report (PDF) and blog post published on Damballa's site on Wednesday explained how attackers are now using a DGA that lets infected machines generate a list of domain names, in this case about 1,380 unique domain names daily, to conceal the actual location of the command-and-control infrastructure.

The secret algorithm is embedded in Pushdo, enabling bots to retrieve instructions from whichever of those domain names the operators have actually registered.

In a Friday interview with SCMagazine.com, Brett Stone-Gross, a senior security researcher at Dell SecureWorks Counter Threat Unit, said Pushdo attackers use the malware's new DGA feature as a “back-up mechanism” to locate its control hub if its primary server is blocked or suspended.

Over the last 18 months, three major malware families – TDL-4, Zeus and now Pushdo – have used DGA tricks to conceal the activities of their botnets, which are networks of infected computers at their disposal.

“We see this particular Pushdo botnet pretty much always drops the Cutwail spam [trojan], so it's likely the same people [behind it],” Stone-Gross said. “They are not only trying to hide their own [Pushdo] traffic, but Cutwail traffic [as well].”

Just hours after the Pushdo report was released, the masterminds began updating the botnet again to keep its infrastructure hidden, said Aviv Raff, CTO of Israel-based security firm Seculert.

In a Friday blog post, Raff wrote that the domain-generation algorithm began generating .kz domains (those registered in Kazakhstan), in place of .com domains.

“They changed their algorithm because they figured out they were being probed by security vendors,” Raff told SCMagazine.com on Friday. 
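The mechanics described above, the daily candidate list, the defender's ability to precompute and sinkhole it once the algorithm is known, and the way a TLD switch such as .com to .kz invalidates that precomputed list, can be shown with a small simulation. The following is an added example and is not Pushdo's algorithm (which the article describes as secret) nor code from Damballa, Dell SecureWorks or Seculert; the seed, hashing scheme, date, client addresses and DNS log lines are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a date-seeded DGA. The seed and the hashing
# scheme are assumptions; only the daily count comes from the article.
SEED = b"example-dga-seed"          # assumption: shared secret baked into the bot
DOMAINS_PER_DAY = 1380              # figure reported for Pushdo's daily list


def generate_domains(day, tld="com", count=DOMAINS_PER_DAY, seed=SEED):
    """Return the ordered candidate list for one calendar day.

    Each label is derived from seed + date + index, so every infected host
    (and every analyst who knows the seed) produces the same list.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        label = hashlib.sha256(material).hexdigest()[:12]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start, days, tld="com"):
    """Defender side: once the algorithm is known, every candidate for the
    next `days` days can be generated ahead of time and fed to a DNS
    blocklist or sinkhole."""
    block = set()
    for offset in range(days):
        block.update(generate_domains(start + timedelta(days=offset), tld))
    return block


def flag_dga_lookups(dns_log_lines, blocklist):
    """Scan DNS query log lines of the form '<timestamp> <client> <qname>'
    and return (client, qname) pairs that hit a precomputed candidate.
    A host resolving names from the list is a strong infection signal
    even when the registered C2 domain itself is not yet known."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash
        _timestamp, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


def overlap_after_tld_change(day, old_tld="com", new_tld="kz"):
    """How many of the old list's names survive a TLD switch. Zero means the
    precomputed blocklist is worthless until it is regenerated."""
    old = set(generate_domains(day, old_tld))
    new = set(generate_domains(day, new_tld))
    return len(old & new)


# Constructed sample data: one day, three log lines, one of which queries
# the 8th candidate of that day's list.
SAMPLE_DAY = date(2013, 5, 17)      # assumption: arbitrary date for the demo
SAMPLE_DNS_LOG = [
    "2013-05-17T10:01:02 10.0.0.5 www.example.org.",
    f"2013-05-17T10:01:03 10.0.0.5 {generate_domains(SAMPLE_DAY)[7]}.",
    "2013-05-17T10:01:04 10.0.0.9 mail.example.org.",
]


if __name__ == "__main__":
    blocklist = precompute_blocklist(SAMPLE_DAY, days=3)
    print(f"precomputed {len(blocklist)} candidates for 3 days")
    print("hits:", flag_dga_lookups(SAMPLE_DNS_LOG, blocklist))
    print("names surviving .com -> .kz switch:",
          overlap_after_tld_change(SAMPLE_DAY))
```

The last function is the point of the Seculert observation: the bots only need a one-line change to their TLD parameter, while every defender who had precomputed the .com list has to re-derive and redistribute it, which is why monitoring the algorithm's output rather than blocking individual domains tends to be the more durable response.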

Pushdo attackers are believed to be based in Eastern Europe. More than 200 government organizations, contractors and military groups in the United States, India, Iran, Mexico, Thailand and Indonesia have fallen victim to the widespread campaign, which is responsible for anywhere from 175,000 to 500,000 compromised computers, researchers found.

According to Stone-Gross, the high-profile targets do not necessarily mean the attackers are staging a more advanced attack or an espionage campaign. In this case, the saboteurs likely obtained victims' email addresses to spread spam that delivers Pushdo. The trojan is also delivered via drive-by download, in which users are infected simply by visiting a malicious web page.

“It's purely collateral damage,” Stone-Gross said of targeted organizations. “They got a hold of their work or personal email addresses. There's absolutely no indication that this was related to any targeted attack.”

Raff said the research community has the best chance of shuttering underground malware campaigns when it fights fire with fire and monitors the emissary.

“If you try to [immediately] shut down a botnet, it will pop up in a different place,” Raff said. History has shown that the focus should be to “detect and understand who is behind them.”
