Pushdo, a multipurpose Trojan, is primarily known for delivering financial malware such as ZeuS and SpyEye onto infected computers or to deliver spam campaigns through a commonly associated components called Cutwail that are frequently installed on compromised PCs. Pushdo was first seen over 7 years ago and was a very prolific virus in 2007.
Now, a new variant of the malware is being updated to leverage a new domain-generation algorithm (DGA) as a fallback mechanism to its normal command-and-control (C&C) communication methods.
DGAs are used to dynamically generating a list of domain names based on an algorithm and only making one live at a time, blocking on 'seen' Command & Control domain names becomes nearly impossible.
With the help of a DGA, cyber criminals could have a series of advantages like overcoming domain blacklisting, resisting domain takedowns by simply registering another domain generated by the same DGA, avoiding dynamic analysis and extraction of C&C domain names.
With the help of a DGA, cyber criminals could have a series of advantages like overcoming domain blacklisting, resisting domain takedowns by simply registering another domain generated by the same DGA, avoiding dynamic analysis and extraction of C&C domain names.
According to researchers at Bitdefender, about 6,000 compromised systems in the 1.5 million-strong botnet now host this new PushDo variant. The most affected countries so far by the new Pushdo variant are in India, Vietnam and Turkey, but systems in the United Kingdom, France and the United States have also been targeted, according to the security software firm Bitdefender.
MOST AFFECTED COUNTRIES
MOST AFFECTED COUNTRIES
- Vietnam - 1319
- India - 1297
- Indonesia - 610
- United States - 559
- Turkey - 507
- Iran, Islamic Republic of - 402
- Thailand - 345
- Argentina - 315
- Italy - 302
- Mexico - 274
"We managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet," states Catalin Cosoi, chief security strategist at Bitdefender.
"The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days."
Despite four takedowns in past years of PushDo command-and-control (C&C) servers, the botnet endures, evolving and flourishing by continuously adding evasion techniques to mask its C&C communications.
Apart from DGA, attackers have also resurfaced the public and private encryption keys used to protect the communication between the bots and the Command and Control Servers, but the protocol used for the communication remained the same.
They have also added an "encrypted overlay" to the latest Pushdo binaries, which acts as a "checkup," making sure the malware sample doesn't run properly unless certain conditions specified in the overlay are not met, said the blog post.
This new approach of cyber criminals would make life harder for the FBI and law enforcement agencies who are trying every effort to take down Botnets across the world.
