Oldest Spam Botnet Gets Update

A case study conducted by Dell SecureWorks, the Georgia Institute of Technology and Damballa Labs shows that one of the oldest and largest spam botnets has received a new communications mechanism, which makes it more resistant to takedowns.

The security experts participating in the study have discovered that the Pushdo malware’s command-and-control mechanism now has a new domain name generation algorithm. The Pushdo botnet is also aware of the IP address and the location of the victim, allowing botmasters to target specific areas or countries.

The malware is known to track anti-virus programs and firewall processes on the system and report them back to the command-and-control mechanism. Pushdo malware is behind the Cutwail botnet, which has been known to security experts since the middle of the 2000s and has been infecting consumer PCs and corporate networks, driving mass spam campaigns that flood e-mail inboxes.

The lion’s share of the latest infections have been detected in India, Mexico, Iran and the United States. Experts found that several US military networks and government contractors were infected with malware using the new domain generation algorithm.

Hackers use Pushdo to install the Cutwail malware, which gathers information about the geographical location of its victims. The latest version has a fall-back command-and-control mechanism based on a domain name generation algorithm, Damballa’s lead researcher said. He added that if the malware is unable to resolve any of its regular command-and-control domains, it begins using the domain name generation algorithm in an attempt to connect to the active domain.

Security experts studied the algorithm over a two-month period starting in March and found that it generates 1,380 unique domains daily, behaving like the backup command-and-control mechanisms used by other hacker organizations.
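The fall-back behaviour described above has a visible side effect on a network: a bot that fails to reach its regular domains and switches to a generation algorithm issues a burst of lookups for random-looking names that do not exist, and the resolver answers most of them with NXDOMAIN. The script below is an added example, not code from the article or from any of the research teams it cites, showing one way a defender can surface that pattern in resolver logs. The log format ("client domain rcode"), the sample lines, the entropy threshold and the per-client count threshold are all constructed assumptions; the script does not implement Pushdo's actual algorithm, which the article does not describe.

```python
"""
Heuristic detection of DGA fall-back behaviour in DNS resolver logs.

Each client is scored by the number of NXDOMAIN responses it received for
names whose registrable label looks random (high Shannon entropy).  A client
whose score reaches a threshold is flagged.  Log format and thresholds are
assumptions made for this example.
"""
import math
from collections import defaultdict

# Constructed sample resolver log (format assumed: "client domain rcode").
# 10.0.0.7 plays the infected host: two ordinary lookups fail, then a burst
# of random-looking names follows.  10.0.0.9 makes a single typo.
SAMPLE_DNS_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.5 www.example.org NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.7 update.example.net NXDOMAIN
10.0.0.7 backup.example.org NXDOMAIN
10.0.0.7 qzxkbvmrtpwu.com NXDOMAIN
10.0.0.7 hrlcwqeoxjvy.net NXDOMAIN
10.0.0.7 tpnmkaeyudlc.com NXDOMAIN
10.0.0.7 wsbdfgoqrzlk.org NXDOMAIN
10.0.0.7 vjxnbmplqate.com NXDOMAIN
10.0.0.7 gdkyurxsmnpb.net NXDOMAIN
10.0.0.9 hostnme-typo.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
"""

ENTROPY_THRESHOLD = 3.0   # assumed: bits per character of the registrable label
NXDOMAIN_THRESHOLD = 5    # assumed: suspicious NXDOMAIN responses per client


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Label left of the public suffix, e.g. 'qzxkbvmrtpwu' for 'qzxkbvmrtpwu.com'.

    Simplification: the last label is treated as the suffix, which is wrong
    for multi-part suffixes such as co.uk; a real deployment would use a
    public-suffix list.
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_log(text: str):
    """Yield (client, domain, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], parts[2].upper()


def score_clients(log_text: str) -> dict:
    """Per-client count of NXDOMAIN responses whose registrable label is high-entropy."""
    scores = defaultdict(int)
    for client, domain, rcode in parse_log(log_text):
        if rcode != "NXDOMAIN":
            continue
        if shannon_entropy(registrable_label(domain)) >= ENTROPY_THRESHOLD:
            scores[client] += 1
    return dict(scores)


def flag_dga_clients(log_text: str, threshold: int = NXDOMAIN_THRESHOLD) -> list:
    """Sorted list of clients whose score reaches the threshold."""
    return sorted(c for c, n in score_clients(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for client, n in sorted(score_clients(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {n} high-entropy NXDOMAIN responses")
    print("flagged:", flag_dga_clients(SAMPLE_DNS_LOG))
```

Entropy alone is not enough: the one-off typo from 10.0.0.9 scores above the entropy threshold too, which is why the count threshold does the flagging. A bot cycling through a list on the scale the article reports (1,380 generated names per day) exceeds any sensible count threshold quickly, while a user's occasional mistyped hostname does not. The two failed lookups for ordinary-looking names that precede the burst are the other signal worth keeping in the investigation record, since they correspond to the regular domains the malware tried first.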