A new PushDo botnet variant infected 11,000 machine in 24 hours

Pierluigi Paganini July 19, 2014

Security Experts at Bitdefender report that a new PushDo variant emerged from the underground compromising 11,000 machine in 24 hours.

Security experts at BitDefender have recently detected a surge in the number of Pushdo trojan infections analyzing data from e sinkholing of C&C domains used by the malware. The experts discovered that the new Pushdo campaign is linked to a significant botnet globally distributed, with the majority of victims located in AsiaPushdo is a multi-purpose malware Trojan that has for many years on the world stage, it was detected for the first time in 2007 and it is primarily known for delivering several financial malware like  as ZeuS and SpyEye
“We managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet,” “The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days.” states Catalin Cosoi, chief security strategist at Bitdefender.

Pushdo is considered one of the oldest active malware families, it was also popular in the cybercrime ecosystem for delivering of spam campaigns through the Cutwail botnet,  one of the largest malicious architecture in terms of the amount of infected hosts (in 2009 the botnet was composed of 1.5 – 2 million computers with a capability of sending 74 billion spam messages a day).  Despite Pushdo is well known, it is far from being eradicated, the malware in fact has recently infected more than 11,000 computers in just 24 hours. The Romanian firm reckons 77 machines have been infected in the UK via the botnet in the past 24 hours, it has been estimated that  more than 11,000 machines were compromised worldwide in the same period.

“After sinkholing one of them, we managed to receive 8840 requests from 2336 unique IP addresses in less than 3 hour” reports Bitdefender.s.”

What’s new in the new variant?

The new Pushdo variant implements a new domain-generation algorithm (DGA) as a fallback mechanism to its normal command-and-control (C&C) communication methods.

“Instead of relying upon a static list of preconfigured domain names that corresponded to the location of the bad guys C&C servers, it used an algorithm to calculate candidate domain names – and then tried reaching out to a handful of the candidates in a vein attempt to locate an active C&C server.” explained Gunter Ollmann, VP Research at Dumballa.

DGAs is the algorithm used to generate a list of domain names and only making one live at a time, implementing the technique cyber criminals can overcome domain blacklisting and avoiding dynamic analysis and extraction of C&C domain names. The DGA implementation isn’t the unique improvement for the Pushdo botnet, the author of malware have also resurfaced the couple of encryption keys used to protect malicious traffic to/from C&C servers and they added an “encrypted overlay” to the Pushdo binaries to allow the malware execution only under specific conditions specified in the overlay.

“The public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remained the same,” “To harden the analysis, the symmetric key used to protect the communication between the C&C and its bots is encrypted with RSA. The PushDO bot contains its private key and the server’s public key hardcoded into its binaries. The public key is used to encrypt the data sent to the server, and the private key is used to decrypt the response received from the server.” states Bitdefender in a blog post.

As visible in the following map Vietnam, India and Indonesia are most targeted countries, many infections have been observed also in the US, Turkey and Iran.
new pushdo campaing
  • Vietnam – 1319
  • India – 1297
  • Indonesia – 610
  • United States – 559
  • Turkey – 507
  • Iran, Islamic Republic of – 402
  • Thailand – 345
  • Argentina – 315
  • Italy – 302
  • Mexico – 274

This last wave of attack demonstrates the intense activity of cybercrime that is  able to resume and improve also older cyber threats like Pushdo trojan, making life harder for law enforcement agencies.

Pierluigi Paganini

Security Affairs –  (cybercrime, Pushdo)

you might also like

leave a comment