Botnet Comes Back with DGA Gusto

Thursday, May 16, 2013 @ 07:05 PM gHale

The PushDo malware and Cutwail spam botnet keep getting knocked offline, but it just keeps coming back for more.

A new version of the malware is out and it has adopted a domain generation algorithm (DGA) in order to not only help it avoid detection by security researchers, but to add resiliency, said researchers at Damballa.

Botnets Attack Israeli Websites
BackDoor Botnet Taken Over
Zeus Reigns as Supreme Botnet
Grum Botnet Coming Back Slowly

Throughout its tenure, Cutwail has been a large spam botnets, taking over millions of computers that have sent billions of spam messages. The malware ends up installed on compromised machines by the PushDo dropper Trojan.

This version of PushDo infected anywhere from 175,000 to 500,000 bots, researchers said. Past versions have been able to collect system data in order to determine which antivirus software and firewall processes were running on a compromised machine. The latest iteration, in addition to its DGA capabilities, can also query legitimate websites such as universities and ISPs in order to blend in with regular web traffic and trick a sandbox.

The added domain generation algorithm capabilities enable PushDo, which can also drop any other malware, to further conceal itself. The malware has two hard-coded command and control domains, but if it cannot connect to any of those, it will rely on DGA to connect instead.

“On the technical side of writing (DGA) code, there are enough examples out there that the average hacker could do that part,” said Brett Stone-Gross, counter threat unit senior security researcher, Dell Secureworks. “The more difficult is having the infrastructure set up and the organization to know you need new domains set up and registered. This takes more organization than hackers in past have demonstrated and shows how sophisticated some botnet operations are getting with business plans and have the commitment to follow a plan.”

Researchers at Dell SecureWorks, Georgia Tech and Damballa were able to sinkhole some of the command and control domains generated by the DGA and recorded more than 1.1 million unique IP addresses trying to connect to the sinkhole – an average of 35,000 to 45,000 daily requests ended up made.

DGA is one of the latest countermeasures, researchers said. These algorithms will periodically generate and then test new domain names and determine whether a C&C responds. This technique hinders static reputation servers that maintain lists of C&C domains and enables hackers to bypass signature-based and sandbox protections. It also cuts down the need for a large command and control infrastructure, lessening the chances of exposure to researchers and the authorities. This version of PushDo generates between nine- and 12-character dot-com domains, researchers said.

PushDo joins Zeus and the TDL/TDSS malware families in using DGA. Damballa learned from passive DNS analysis it conducted that PushDo was generating more than 1,300 unique domain names every day, most of these lasting just a day, cutting into the effectiveness of blacklisting operations.

“This one is very similar to Zeus as far as effectiveness,” said Jeremy Demar, Senior Threat Analyst, Damballa. “Zeus’ primary communications method was peer-to-peer. If it’s in a corporate environment that blocks peer-to-peer, it falls back to DGA. This is very similar in capabilities and effectiveness.”

Among the 1.1 million IPs connecting to the PushDo DGA domains were a number of government organizations, government contractors and military networks.

Leave a Reply

You must be logged in to post a comment.