The Pushdo botnet continues to infect large numbers of users worldwide, mainly in India, Indonesia, Turkey and Vietnam.
Security experts at Fidelis Cybersecurity have discovered a new variant of the Pushdo spamming botnet, which has infected machines in more than 50 countries. The botnet is able to send out around 7.7 billion spam messages per day.
“Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys,” said Mike Buratowski, vice president of Fidelis Cybersecurity.
Pushdo is among the longest-lived botnets: it has been around since 2007, despite at least four law-enforcement operations to shut it down.
The principal infection vectors for the Pushdo botnet are spam messages and drive-by download attacks; in some cases the experts observed it being dropped by other malware.
Pushdo's main strength is its frequently changing command-and-control infrastructure, which makes it resilient to law-enforcement takedowns. The bot tries to contact a sequence of different C&C servers: if the first server does not respond, the malware moves on to the second, and so on.
“Pushdo has evolved its Command-and-Control techniques beyond what has previously been published in the research community. The DGA component of this infrastructure uses an elaborate algorithm and has moved entirely to domains registered in Kazakhstan (.kz).” reads the advisory published by Fidelis Cybersecurity.
The greatest number of infections is located in India, Indonesia, Turkey and Vietnam. The latest version of the Pushdo botnet is used by cyber criminals to spread several strains of malware, including the Fareit data stealer, the Cutwail spam malware and online banking trojans such as Dyre and Zeus.
The experts used sinkholing to track the machines composing the botnet. Researchers at Fidelis worked out the complex domain generation algorithm (DGA) that Pushdo uses to produce its C&C domains: it generates 30 different domain names a day. Because the algorithm is deterministic, the experts were able to predict these names in advance, register them, and study the botnet by sinkholing it.
The majority of the domains used by the Pushdo botnet are registered under Kazakhstan's .kz top-level domain.
To mitigate the infection, Fidelis provided a set of Yara rules that network administrators can use to identify Pushdo bot agents and stop them from contacting the C&C servers.
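As an added illustration (not Pushdo's real DGA, which this page does not reproduce), the following Python sketches the mechanics described above: a deterministic generator that yields 30 .kz domains per day, the bot's walk-the-list fallback to the first domain that answers, and the defender side that precomputes the same list in order to register (sinkhole) the names and to match DNS query logs against them. The seed, the hash construction, the label length, the log format and the sample log lines are all constructed for this example.

```python
import datetime
import hashlib

TLD = "kz"
DOMAINS_PER_DAY = 30
# Hypothetical hard-coded seed: a real bot carries something equivalent, and
# a defender who has reversed the sample can reproduce the list from it.
SEED = b"illustrative-seed-not-pushdo"


def generate_domains(day_iso, count=DOMAINS_PER_DAY, seed=SEED):
    """Return the `count` candidate C&C domains for the day 'YYYY-MM-DD',
    in the order the bot would try them. Same seed + date -> same list,
    which is exactly what lets a defender predict and pre-register them."""
    domains = []
    for i in range(count):
        material = seed + day_iso.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 12 bytes of the digest -> a 12-letter lowercase label
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLD}")
    return domains


def first_live_c2(domains, resolve):
    """Bot-side fallback walk: query each candidate in order and return the
    first (domain, ip) that resolves, or None if the whole list is dead.
    `resolve` is injected (dict.get, a stub, ...) so this runs offline."""
    for domain in domains:
        ip = resolve(domain)
        if ip is not None:
            return domain, ip
    return None


def predict_watchlist(start_iso, days_ahead):
    """Defender-side: precompute every domain the bot will try over the next
    `days_ahead` days. These are the names to register as a sinkhole, or to
    block at the resolver, before the bot ever asks for them."""
    start = datetime.date.fromisoformat(start_iso)
    watch = set()
    for offset in range(days_ahead):
        day = start + datetime.timedelta(days=offset)
        watch.update(generate_domains(day.isoformat()))
    return watch


def find_infected_clients(dns_log_lines, watchlist):
    """Match DNS query logs against the watchlist. Constructed log format:
    '<timestamp> <client_ip> <qname>'. Returns sorted (client_ip, qname)."""
    hits = set()
    for line in dns_log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2].rstrip(".").lower()
        if qname in watchlist:
            hits.add((fields[1], qname))
    return sorted(hits)


if __name__ == "__main__":
    today = "2015-04-20"
    todays = generate_domains(today)

    # Bot view: the first three domains are dead, the fourth is our sinkhole.
    sinkhole = {todays[3]: "192.0.2.53"}  # constructed; TEST-NET-1 address
    print("bot lands on:", first_live_c2(todays, sinkhole.get))

    # Defender view: a week of predicted domains matched against sample logs.
    watch = predict_watchlist(today, 7)
    log = [  # constructed sample lines
        f"2015-04-20T08:01:02 10.0.0.7 {todays[0]}.",
        f"2015-04-20T08:01:03 10.0.0.7 {todays[1]}.",
        "2015-04-20T08:02:00 10.0.0.9 www.example.com.",
    ]
    print("infected clients:", find_infected_clients(log, watch))
```

The point to take from the bot-side walk is why the fallback list is both a strength and a weakness: it survives the loss of any single server, but once the generator is known, whoever registers an earlier domain in the day's list than the operators do receives the bots' first successful connection.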
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".