“We managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet,” states Catalin Cosoi, chief security strategist at Bitdefender. “The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days.”
Pushdo is considered one of the oldest active malware families. It was also popular in the cybercrime ecosystem for delivering spam campaigns through the Cutwail botnet, one of the largest malicious infrastructures in terms of the number of infected hosts (in 2009 the botnet was composed of 1.5 – 2 million computers, with the capability of sending 74 billion spam messages a day). Although Pushdo is well known, it is far from being eradicated: the malware has recently infected more than 11,000 computers in just 24 hours. The Romanian firm reckons 77 machines have been infected in the UK via the botnet in the past 24 hours, and it has been estimated that more than 11,000 machines were compromised worldwide in the same period.
“After sinkholing one of them, we managed to receive 8840 requests from 2336 unique IP addresses in less than 3 hours,” reports Bitdefender.
What’s new in the new variant?
“Instead of relying upon a static list of preconfigured domain names that corresponded to the location of the bad guys’ C&C servers, it used an algorithm to calculate candidate domain names – and then tried reaching out to a handful of the candidates in a vain attempt to locate an active C&C server,” explained Gunter Ollmann, VP Research at Damballa.
A DGA (domain generation algorithm) produces a list of candidate domain names, of which the operators activate only one at a time; with this technique cybercriminals can defeat domain blacklisting and hinder dynamic analysis and the extraction of C&C domain names. The DGA is not the only improvement in the new Pushdo botnet: the malware authors have also changed the pair of encryption keys used to protect malicious traffic to and from the C&C servers, and they added an “encrypted overlay” to the Pushdo binaries so that the malware executes only under specific conditions specified in the overlay.
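One defender-side consequence of the DGA behaviour described above is that an infected host bursts out lookups for candidate names that mostly do not exist. The following Python is an added example, not Bitdefender's or Damballa's code; the resolver log layout, field order, thresholds and sample lines are all assumptions constructed for illustration. It flags clients that collect several NXDOMAIN answers for random-looking names inside one sliding time window.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log, assumed "timestamp client qname rcode" layout.
SAMPLE_LOG = """\
2013-05-14T10:00:01 10.0.0.5 xk3qzp9wvh.com NXDOMAIN
2013-05-14T10:00:02 10.0.0.5 rm7ty2lqaf.net NXDOMAIN
2013-05-14T10:00:02 10.0.0.5 bq8wzn4kde.org NXDOMAIN
2013-05-14T10:00:03 10.0.0.5 zv5hp1xrcu.com NXDOMAIN
2013-05-14T10:00:04 10.0.0.5 lp2kq7mwfy.com NXDOMAIN
2013-05-14T10:00:06 10.0.0.9 www.example.com NOERROR
2013-05-14T10:00:08 10.0.0.9 typo-of-example.com NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character: random-looking labels score higher than real words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_algorithmic(qname, min_entropy=3.0, max_vowel_ratio=0.25):
    """Crude heuristic on the registrable label: long, high-entropy, few vowels."""
    labels = qname.rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    vowels = sum(ch in "aeiou" for ch in sld)
    return (len(sld) >= 8 and shannon_entropy(sld) >= min_entropy
            and vowels / len(sld) <= max_vowel_ratio)

def find_dga_suspects(log_text, window=timedelta(seconds=60), min_failed=5):
    """Map client -> sorted random-looking names that got NXDOMAIN, for clients
    with at least min_failed distinct such failures inside one time window."""
    failures = defaultdict(list)  # client -> [(timestamp, qname)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_algorithmic(qname.lower()):
            failures[client].append((datetime.fromisoformat(ts), qname.lower()))
    suspects = {}
    for client, evs in failures.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            names = {q for _, q in evs[start:end + 1]}
            if len(names) >= min_failed:
                suspects[client] = sorted(names)
                break
    return suspects
```

The entropy and vowel heuristics only pre-filter names; the burst of distinct failures per client within the window is the signal worth alerting on.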
“The public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remained the same,” states Bitdefender in a blog post. “To harden the analysis, the symmetric key used to protect the communication between the C&C and its bots is encrypted with RSA. The PushDO bot contains its private key and the server’s public key hardcoded into its binaries. The public key is used to encrypt the data sent to the server, and the private key is used to decrypt the response received from the server.”
This latest wave of attacks demonstrates the intensity of cybercriminal activity, which is able to revive and improve even older threats such as the Pushdo trojan, making life harder for law enforcement agencies.
Security Affairs – (cybercrime, Pushdo)