Pushdo spamming botnet still active in the wild

Pierluigi Paganini April 22, 2015

Pushdo botnet continues to infect a large number of users worldwide, mainly in India, Indonesia, Turkey and Vietnam.

Security experts at the Fidelis Cybersecurity firm have discovered a new variant of the Pushdo spamming botnet, which infected machines in more than 50 countries worldwide. The botnet is able to send out around 7.7 billion spam messages per day.

“Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys,” said Mike Buratowski, vice president of Fidelis Cybersecurity.

Pushdo is among the most long-lived botnet and it has been around since 2007 despite law enforcement have conducted at least four operations to shut it down.

The principal vectors of infection for the Pushdo botnet are spam messages and drive-by download attacks, in some cases the experts noticed that it has been dropped by other malware.

The point of strength of the Pushdo botnet is the frequently changing command-and-control servers that make it resilient to law-enforcement take over. The Pushdo bot tries to contact a sequence of different C&C servers, if a first server doesn’t respond the malware passes to the second one, and so on.

“Pushdo has evolved it’s Command-and-Control techniques beyond what has previously been published in the research community. The DGA component of this infrastructure uses an elaborate algorithm and has moved entirely to domains registered in Kazhakstan (.kz).” reads the advisory published by Fidelis Cybersecurity.

The greatest number of infections is located in India, Indonesia, Turkey and Vietnam, the latest version of the Pushdo botnet is used by cyber criminals to spread several strain of malware, including the Fareit data stealer, Cutwail spam malware and online banking menaces such as Dyre and Zeus.

pushdo botnet infections

The experts used sinkholing to track the machines composing the botnet, researchers at Fidelis discovered the complex DGA algorithm implemented by the Pushdo botnet to generate the C&C domains. The algorithm is used to generate 30 different domains names a day used to control the botnet, the experts was able to predict these name, to register them and study the botnet by sinkholing it.

The majority of domains used by the Pushdo botnet belong to Kazakhstan (.kz).

In order to mitigate the infection, Fidelis provided a set of Yara rules that could be used by network administrators to block bot agents from contacting C&C servers.

Pierluigi Paganini

(Security Affairs –  Pushdo botnet, malware)



you might also like

leave a comment