Pushdo is a dropper. Its primary functions are to drop other malware (such as Zeus or SpyEye) onto infected computers, or to deliver spam campaigns through a Cutwail module. In both cases, ‘success’ can only be achieved via active communication with its command-and-control (C&C) servers. Such communication is a botnet’s weakest link. It can be detected. The C&C servers can be located and either blocked locally by security software, or taken down internationally by security firms and law enforcement agencies. If the C&C servers can be taken out, the botnet is neutralized.
But now Damballa, Dell SecureWorks and Georgia Tech have discovered a new Pushdo variant that employs the latest evasion technique to protect its C&C servers. It uses domain fluxing via a technique known as a domain generation algorithm (DGA) to massively stack the odds against discovery. “It becomes a signal versus noise issue,” Adrian Culley, technical consultant at Damballa, told Infosecurity. Although not unique (Zeus peer-to-peer uses a similar approach), this is only the third botnet that Damballa has found using the DGA technique; but Culley expects it to become increasingly popular.
“By dynamically generating a list of domain names based on an algorithm and only making one live at a time, blocking on ‘seen’ C&C domain names becomes nearly impossible,” Damballa’s Jeremy Demar explains in a blog post about the new Pushdo variant.
The concept is relatively simple. The Pushdo bot owner has pre-registered thousands of domains – but only one is ‘live’ at any time. The bot malware contains an algorithm that randomly generates one of these domains and attempts to communicate with it. If successful, the bot downloads its latest instructions. If unsuccessful (because the URL is blocked by software or simply isn’t live at the time), the bot moves on to the next dynamically generated URL and tries again.
The Pushdo algorithm generates 1380 domains per day. Only one of these will be live, so the odds of repeated, detectable communication with any single domain that rule-based detection methods could key on are minimal. “Picking up on this level of communication is searching for the proverbial correct digital needle in an electronic haystack itself made of digital needles,” explained Culley. Discovery of such malware becomes counter-intuitive – it relies on detecting failures rather than successes. “A key detection attribute for advanced malware that employs DGAs to find live C&C servers rests in its failure,” explained Demar; “in particular, its daily production of unsuccessful DNS resolutions for nonexistent domain names (NXDomains).”
It was finding such a cluster on March 2, 2013, that led to the discovery of the new Pushdo variant. Working with Dell SecureWorks and Georgia Tech, Damballa proceeded to analyze the new variant and sink-hole a few of the domains. The analysis led to discovery of the algorithm itself – so in theory the good guys know the location of all the possible C&C servers used by this particular variant/DGA. The sink-holing, by monitoring attempts to connect, suggests that more than 1 million computers are infected with the new variant.
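The detection idea described above – a host that produces a cluster of NXDomain responses in one day, plus the single name that later starts resolving – can be checked against resolver logs with a few lines of Python. The following is an added illustration, not Damballa's tooling and not the Pushdo algorithm itself; the log lines, the client addresses, the random-looking domain names and the threshold of five failures are all constructed for the example (the real variant produces 1380 candidate names per day, so a production threshold would be tuned to that scale and to the baseline of ordinary typo lookups on the network).

```python
"""NXDomain-cluster detection over resolver logs (constructed example, not Damballa's code)."""
from collections import defaultdict

# Constructed sample resolver log, not captured traffic.
# Format per line: "<ISO timestamp> <client IP> <queried name> <DNS rcode>"
SAMPLE_LOG = """\
2013-03-02T09:00:01 10.0.0.5 www.example.com NOERROR
2013-03-02T09:00:02 10.0.0.5 mail.example.com NOERROR
2013-03-02T09:00:09 10.0.0.5 wwww.example.com NXDOMAIN
2013-03-02T09:01:00 10.0.0.7 www.example.com NOERROR
2013-03-02T09:01:03 10.0.0.7 hq2kd8vzmr.com NXDOMAIN
2013-03-02T09:01:04 10.0.0.7 y7tpq0sdlx.net NXDOMAIN
2013-03-02T09:01:05 10.0.0.7 c3mvb9rhnk.org NXDOMAIN
2013-03-02T09:01:06 10.0.0.7 zl0ywf6qtd.com NXDOMAIN
2013-03-02T09:01:07 10.0.0.7 hq2kd8vzmr.com NXDOMAIN
2013-03-02T09:01:08 10.0.0.7 p8rxk2gcwe.net NXDOMAIN
2013-03-02T09:01:09 10.0.0.7 n5dsu4ajvq.org NXDOMAIN
2013-03-03T09:01:03 10.0.0.7 hq2kd8vzmr.com NOERROR
"""


def parse_dns_log(text):
    """Parse the four-field log lines into dicts; malformed lines are skipped.
    The date is taken from the first ten characters of the ISO timestamp."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, client, qname, rcode = parts
        records.append({
            "date": timestamp[:10],
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode.upper(),
        })
    return records


def nxdomain_clusters(records, threshold=5):
    """Group NXDOMAIN responses by (client, day) and return, for every client-day
    whose count of *distinct* failed names reaches the threshold, the sorted names.
    Distinct names are counted so one repeatedly retried typo does not trip the rule."""
    failed = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            failed[(r["client"], r["date"])].add(r["qname"])
    return {key: sorted(names) for key, names in failed.items() if len(names) >= threshold}


def suspicious_clients(text, threshold=5):
    """Convenience wrapper: sorted client IPs with at least one flagged day."""
    flagged = nxdomain_clusters(parse_dns_log(text), threshold)
    return sorted({client for client, _ in flagged})


def newly_live_names(records):
    """Names that returned NXDOMAIN on one day and NOERROR on a later day.
    A DGA domain the operator has just activated shows exactly this pattern, which
    makes these names the first candidates for blocking or sink-hole review."""
    first_fail, first_ok = {}, {}
    for r in records:
        bucket = {"NXDOMAIN": first_fail, "NOERROR": first_ok}.get(r["rcode"])
        if bucket is None:
            continue
        # ISO dates compare correctly as strings, so min() keeps the earliest day.
        bucket[r["qname"]] = min(bucket.get(r["qname"], r["date"]), r["date"])
    return sorted(name for name, fail_day in first_fail.items()
                  if name in first_ok and first_ok[name] > fail_day)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for (client, day), names in nxdomain_clusters(recs).items():
        print(f"{client} on {day}: {len(names)} distinct NXDOMAIN names")
    print("newly live:", newly_live_names(recs))
```

On the constructed log, 10.0.0.5 makes one failed lookup (a plain typo) and is left alone, while 10.0.0.7 fails six distinct names in a day and is flagged; the one name that resolves the following day is reported separately as the likely live C&C candidate.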
“India and Iran appear to be the most infected population,” noted Demar. “In the US, an average of approximately 23,000 unique hosts (from residential and business networks) were trying to connect to the Pushdo DGA domain names,” he said, adding, “Several US government, government contractors and military networks appear to be infected.”
Damballa will make its sink-hole data available “for remediation purposes to parties able to demonstrate proof of remediation efforts.”