For every punch a hacker throws, there is a counter from a security company, and then, inevitably, the hacker adjusts again.

That’s what’s happening right now with the PushDo malware.

This week, Dell SecureWorks, Damballa Lab and Georgia Tech University combined on a research report exposing the fact that PushDo, a Trojan dropper largely responsible for Cutwail, one of the largest spam-producing botnets on record, was back. PushDo had returned en force with a domain generation algorithm that is capable of spinning up 1,380 .com domains every day in the event its two built-in command and control servers are offline.

The publication of the report clearly put the hacker group to work. Researchers at Seculert of Israel reported last night that a DGA found in two new variants of the malware generates .kz domains instead of .com, making the malware again difficult to detect and resilient against antimalware signatures.

“[DGA] is very effective against traditional and on-premises security solutions which are signature based,” Seculert CTO Aviv Raff told Threatpost. “There are already several malware families which have implemented this feature, and I expect to see more in the future.”

Raff said Seculert found the .kz domains on a number of hijacked websites serving the malware. The researchers took advantage of a misconfiguration on the attackers’ part to see a list of files on the folder of the PushDo variants. Two new executables, the new variants, were uploaded in the early afternoon on Wednesday to a server in Europe.

Dell SecureWorks and Damballa experts confirmed on Wednesday that the attackers were likely from Eastern Europe. While the new DGA domains are from Kazakhstan, that doesn’t necessarily mean the attacks originate from the former Russian state.

“Anyone can buy a .kz domain,” Raff said. “The interesting part though, is buying a .kz domain requires for the DNS server and the hosting to be at Kazakhstan.”

PushDo and Cutwail have been taken down numerous times by authorities. Each time it returns with new features making it more durable. The latest version, which researchers found in March, has infected anywhere between 175,000 and 500,000 machines, experts at Damballa and SecureWorks said. The malware is capable of detecting what security software is running on a compromised machine and is able of querying legitimate websites in addition to its C&C servers in order to blend in with regular Web traffic.

Researchers were able to sinkhole some of the command and control .com domains generated by the DGA and recorded more than 1.1 million unique IP addresses trying to connect to the sinkhole–an average of 35,000 to 45,000 daily requests were made.

DGA periodically generates and then tests new domain names and determines whether a C&C responds. This technique hinders static reputation servers that maintain lists of C&C domains and enables hackers to bypass signature-based and sandbox protections. It also cuts down the need for a large command and control infrastructure, lessening the chances it is exposed to researchers and the authorities. This version of PushDo was generating between nine- and 12-character dot-com domains.

Categories: Malware