Malware Behind Oldest, Most Active Spam Botnet Gets Refresh


One of the largest and most notorious spam botnets, known for sending out millions of spam messages every day, has gotten a new communications mechanism that makes it more resilient to takedowns, according to security researchers' analysis.

A team of security experts from Dell SecureWorks, Damballa Labs and the Georgia Institute of Technology has discovered a new domain name generation algorithm that is part of the Pushdo malware's back-up command-and-control mechanism. Pushdo is behind the Cutwail botnet, which has been in existence since the mid-2000s. It has been infecting systems on corporate networks and consumer PCs with malware and helping fuel massive spam campaigns that flood email inboxes with unwanted messages.

The bulk of the latest infections are in India, Iran and Mexico but other countries, including the United States, are impacted. Researchers discovered several U.S. government contractors and military networks infected with malware that uses the new domain generation algorithm. The new Pushdo Trojan is responsible for more than 1 million unique IPs and is growing by about 35,000 unique IPs every day, the researchers found.


The report, issued by Damballa and Dell SecureWorks, found that the malware associated with Pushdo can evade both intrusion detection and prevention systems and most antimalware technologies by mimicking legitimate connection attempts to benign websites, which confuses signature-based systems.

Cybercriminals use Pushdo to install the Cutwail spam bot, which collects geolocation data on its victims, enabling botmasters to rent out the botnet for targeted spam runs. The malware associated with the botnet also tracks the security software and firewall processes on infected systems, giving attackers the ability to create new ways to evade detection.

"This latest version has a fall-back C&C mechanism that is based upon a domain name generation algorithm (DGA)," wrote Manos Antonakakis, Damballa's Chief Scientist and lead researcher on the report, issued Wednesday. "If the malware cannot successfully resolve any of the domains that are hard-coded into it, it will start using the DGA in an effort to connect to the currently active DGA C&C."

Researchers at anti-botnet vendor Damballa Labs performed malware analysis on the new Pushdo variant and monitored several of the domains generated by the new domain algorithm to measure the scope of the new threat.

Over a two-month period beginning in March, the research team studied the algorithm and determined it can generate 1,380 unique domains every day. The new domain algorithm acts like other back-up command-and-control techniques used by other cybercriminal organizations, including the authors of the Zeus banking malware family.

The latest domain generation algorithm technique is a backup, only used if the malware on an infected machine fails to connect with the primary command-and-control server.

"This is a very smart way to defeat generic network signature and sandboxing systems that simply block the network communication observed during the dynamic analysis of the malicious binary," the researchers said.
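The fallback behaviour described above leaves a network-side trace that a blocklist built from one sandbox run cannot: a host whose hard-coded C&C domains stop resolving begins querying many never-before-seen names, most of which return NXDOMAIN. The detector below is an added example (not code from the report or from Damballa/SecureWorks) that runs over a constructed resolver log and flags clients that fail to resolve a burst of distinct, random-looking names; the log format, thresholds and sample names are assumptions, and the actual Pushdo DGA is not reproduced.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the report):
# "<unix_time> <client_ip> <queried_name> <rcode>"
# 10.0.0.5 is a clean host with one typo; 10.0.0.7 mixes benign lookups
# with a burst of failed lookups for random-looking names.
SAMPLE_LOG = """\
1368576000 10.0.0.5 www.example.com NOERROR
1368576003 10.0.0.5 gogle.com NXDOMAIN
1368576005 10.0.0.7 www.example.com NOERROR
1368576006 10.0.0.7 kqzvbnrmtp.com NXDOMAIN
1368576007 10.0.0.7 xwjudsapgf.net NXDOMAIN
1368576008 10.0.0.7 cdn.example.org NOERROR
1368576009 10.0.0.7 plmytzebcr.com NXDOMAIN
1368576010 10.0.0.7 gyfqtnvxkw.org NXDOMAIN
1368576011 10.0.0.7 ozrvbkphtq.net NXDOMAIN
1368576012 10.0.0.7 hdjkrsxamg.com NXDOMAIN
"""

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Parse the assumed log format into (time, client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower(), rcode))
    return records

def flag_dga_fallback(records, window=60, min_nx=5, min_entropy=3.0):
    """Map client -> sorted distinct NXDOMAIN names for clients that fail
    >= min_nx distinct high-entropy names inside any `window`-second span."""
    nx = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nx[client].append((ts, qname))
    flagged = {}
    for client, hits in nx.items():
        hits.sort()
        for start_ts, _ in hits:
            names = sorted({q for t, q in hits if 0 <= t - start_ts <= window})
            labels = [n.split(".")[-2] for n in names]  # registrable label
            if len(names) >= min_nx and \
                    sum(map(label_entropy, labels)) / len(labels) >= min_entropy:
                flagged[client] = names
                break
    return flagged
```

The benign NOERROR lookups from 10.0.0.7 do not mask the burst, which is the point: the detector keys on failed resolutions rather than on any one domain a sandbox happened to observe.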

PUBLISHED MAY 15, 2013