Four times since 2008, authorities and technology companies have taken the prolific PushDo malware and Cutwail spam botnet offline. Yet much like the Energizer Bunny, it keeps coming back for more.
In early March, researchers at Damballa discovered a new version of the malware that had adopted a domain generation algorithm (DGA) in order to not only help it avoid detection by security researchers, but to add resiliency.
Cutwail has historically been one of the largest spam botnets, hoarding millions of compromised computers that have sent billions of spam messages through the years. The malware is installed on compromised machines by the PushDo dropper Trojan.
This version of PushDo has infected anywhere from 175,000 to 500,000 bots, researchers said. Past versions have been able to collect system data in order to determine which antivirus software and firewall processes were running on a compromised machine. The latest iteration, in addition to its DGA capabilities, can also query legitimate websites such as universities and ISPs in order to blend in with regular web traffic and trick sandbox-type analyses.
The added domain generation algorithm capabilities enable PushDo, which can also be used to drop any other malware, to further conceal itself. The malware carries two hard-coded command and control domains; if it cannot reach either of them, it falls back to the DGA to find a working C&C. This capability was only recently discovered.
“On the technical side of writing (DGA) code, there are enough examples out there that the average hacker could do that part,” said Brett Stone-Gross, Counter Threat Unit Senior Security Researcher, Dell SecureWorks. “The more difficult thing is having the infrastructure set up and the organization to know you need new domains set up and registered. This takes more organization than hackers in the past have demonstrated and shows how sophisticated some botnet operators are getting with business plans and having the commitment to follow a plan.”
Researchers at Dell SecureWorks, Georgia Tech and Damballa were able to sinkhole some of the command and control domains generated by the DGA and recorded more than 1.1 million unique IP addresses trying to connect to the sinkhole, an average of 35,000 to 45,000 requests a day.
Most traditional malware carries hard-coded C&C domain names, but that approach fails as soon as researchers obtain the binary, extract the names and block or sinkhole them. As a countermeasure, malware writers began pushing regularly updated configuration lists with new C&C server addresses to infected machines, but those updates could be intercepted as well.
DGA is the latest countermeasure. These algorithms periodically generate a fresh batch of domain names and test each one to determine whether a C&C responds; because the operator knows the algorithm and its seed, only a handful of each day's names ever need to be registered. This technique hinders static reputation services that maintain lists of known C&C domains and helps the malware evade signature-based and sandbox protections. It also reduces the need for a large command and control infrastructure, lessening the chance that the infrastructure is exposed to researchers and the authorities. This version of PushDo generates nine- to 12-character .com domains.
PushDo joins Zeus and the TDL/TDSS malware families in using DGA. Damballa's passive DNS analysis showed PushDo generating more than 1,300 unique domain names a day, most of them in use for only a single day, which sharply limits the value of blacklisting.
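The two mechanisms the preceding paragraphs describe, a seeded algorithm that lets bot and operator derive the same daily domain list without any exchange, and the passive DNS footprint that lets defenders spot and pre-empt it, are shown together below. This is an added example written for this article, not PushDo's code and not Damballa's or SecureWorks' tooling; the article does not describe PushDo's actual algorithm, so the generator is a hypothetical stand-in that only reproduces the stated shape (nine- to 12-character .com names that change daily). The seed constant, the record format and the detection thresholds are assumptions, and the DNS telemetry is constructed, not captured.

```python
"""Hypothetical date-seeded DGA plus a passive-DNS detector for it.

Added example for this article; it is not PushDo's code and not Damballa's
or SecureWorks' tooling. PushDo's real algorithm is not described in the
article, so the generator below is a generic stand-in that only matches the
stated shape: 9- to 12-character .com names that change every day.
"""
import hashlib
import math
from collections import defaultdict
from datetime import date, timedelta

TLD = ".com"
SECRET = b"hypothetical-seed"   # assumption: a constant shared by bot and operator


def dga_domains(day: date, count: int = 20) -> list[str]:
    """Derive `count` deterministic .com domains for a calendar day.

    SHA-256(secret || ISO date || index) is mapped to 9..12 lowercase
    letters. Bot and operator compute the same list independently, so no
    domain list ever has to be shipped to the bot or intercepted on the wire.
    """
    out = []
    for i in range(count):
        digest = hashlib.sha256(SECRET + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 9 + digest[0] % 4                      # 9..12 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(label + TLD)
    return out


def precompute_blocklist(start: date, days: int, count: int = 20) -> set[str]:
    """What a defender who has reversed the algorithm can do: enumerate the
    next `days` days of domains to sinkhole or block them ahead of the bots."""
    return {d for n in range(days) for d in dga_domains(start + timedelta(days=n), count)}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the label (random labels score high)."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def flag_dga_clients(records, min_nx: int = 10, min_ratio: float = 0.8,
                     min_entropy: float = 2.0) -> dict:
    """Passive-DNS heuristic: a DGA bot probes many never-registered names,
    so its unique lookups are dominated by NXDOMAIN for high-entropy labels.
    Thresholds are illustrative, not tuned on real traffic."""
    seen = defaultdict(set)                              # client -> {(qname, rcode)}
    for r in records:
        seen[r["client"]].add((r["qname"], r["rcode"]))
    flagged = {}
    for client, pairs in seen.items():
        nx = [q for q, rc in pairs if rc == "NXDOMAIN"]
        if len(nx) < min_nx:
            continue
        ratio = len(nx) / len(pairs)
        avg_entropy = sum(shannon_entropy(q.split(".")[0]) for q in nx) / len(nx)
        if ratio >= min_ratio and avg_entropy >= min_entropy:
            flagged[client] = {"nxdomain": len(nx), "lookups": len(pairs),
                               "avg_entropy": round(avg_entropy, 2)}
    return flagged


def build_sample_records(day: date) -> list[dict]:
    """Constructed telemetry (not captured data): one infected host walking the
    day's list, of which the operator registered two names, and one clean host."""
    domains = dga_domains(day)
    registered = set(domains[:2])                        # the operator bought two
    records = [{"client": "10.0.0.7", "qname": d,
                "rcode": "NOERROR" if d in registered else "NXDOMAIN"} for d in domains]
    records += [{"client": "10.0.0.8", "qname": q, "rcode": rc} for q, rc in [
        ("example.com", "NOERROR"), ("www.example.com", "NOERROR"),
        ("mail.example.com", "NOERROR"), ("exmaple.com", "NXDOMAIN")]]
    return records


if __name__ == "__main__":
    day = date(2013, 3, 1)
    print(dga_domains(day)[:3])
    print(flag_dga_clients(build_sample_records(day)))
```

The detector keys on the same property that made the sinkhole in the article work: a bot must query many names that nobody has registered before it finds the one or two the operator bought, so its unique-lookup stream is mostly NXDOMAIN for random-looking labels. Once the algorithm is reversed, `precompute_blocklist` gives defenders tomorrow's names today, which is exactly the window that lets a sinkhole be registered before the operator.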
“This one is very similar to Zeus as far as effectiveness,” said Jeremy Demar, Senior Threat Analyst, Damballa. “Zeus’ primary communications method was peer-to-peer. If it’s in a corporate environment that blocks peer-to-peer, it falls back to DGA. This is very similar in capabilities and effectiveness.”
Among the 1.1 million IPs connecting to the PushDo DGA domains were a number of government organizations, government contractors and military networks.
“It’s a relatively small population on the interesting list as far as numbers go, but because of the level of sensitivity of those organizations, we made sure to let everyone know,” Stone-Gross said, adding that a takedown similar to some of the previous efforts requires a lot of legal and technical cooperation. Both companies hope that awareness of this issue will lead to updates of endpoint protection technologies.