Pushdo Botnet using Domain Generation Algorithm to evade detection

Thursday, May 16, 2013

First sighted in 2007 and known to distribute other Trojans such as Zeus and SpyEye, the Pushdo Trojan has survived four takedown efforts in the last five years. Back in March, researchers at Damballa identified new malicious traffic patterns that were traced back to the original Pushdo. The new variant is more sophisticated than its predecessors, employing new functions such as Domain Generation Algorithms (DGAs).

Security researchers noted in a blog post, “The latest variant of PushDo adds another dimension by using domain fluxing with Domain Generation Algorithms (DGAs) as a fallback mechanism to its normal command-and-control (C&C) communication methods.”

According to the researchers, this particular mechanism hasn’t been seen before, and the malware’s controllers have been able to evade complete takedown: non-existent domain names are generated automatically, at the rate of 1000 per day, and the controllers need to pre-register only one at a time, which allows the bots to call home even after the C&C has been shut down.

“By dynamically generating a list of domain names based on an algorithm and only making one live at a time, blocking on ‘seen’ C&C domain names becomes nearly impossible,” note the researchers in the blog post.
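Because blocklisting individual domains is ineffective against this kind of domain flux, defenders typically look at the behaviour of the query stream instead: a host that asks for many never-registered, random-looking names (answered with NXDOMAIN) until one finally resolves is the signature of a bot walking through its daily DGA list. The following is an added example, not code from the article or from Damballa, that scores clients in a resolver log on that behaviour. The log lines are constructed, and the thresholds (minimum query count, NXDOMAIN ratio, label entropy) are illustrative assumptions that a real deployment would tune against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not data from the article). Each line is
# "timestamp client_ip queried_name rcode". Client 10.0.0.9 imitates the
# behaviour described above: several algorithmic-looking names that were never
# registered (NXDOMAIN), then one that the operators have registered resolves.
SAMPLE_LOG = """\
2013-05-16T10:00:01 10.0.0.5 www.example.com NOERROR
2013-05-16T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-05-16T10:00:03 10.0.0.9 xkqzvplrmwtb.com NXDOMAIN
2013-05-16T10:00:04 10.0.0.9 rqwfmznvlgsx.com NXDOMAIN
2013-05-16T10:00:05 10.0.0.9 pzmvtkqxwnrb.com NXDOMAIN
2013-05-16T10:00:06 10.0.0.9 lgqwvxzrmkpt.com NXDOMAIN
2013-05-16T10:00:07 10.0.0.9 vwzqmrxkpntl.com NOERROR
2013-05-16T10:00:08 10.0.0.5 cdn.example.net NOERROR
"""


def parse_log(text):
    """Turn raw log text into a list of (client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, name, rcode = parts
        records.append((client, name.lower().rstrip("."), rcode.upper()))
    return records


def second_level_label(name):
    """Return the label left of the TLD ('example' for 'www.example.com').

    Simplification (assumption): single-label TLDs only, which covers the
    constructed sample; a real tool would consult the public suffix list.
    """
    labels = name.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character; algorithmic labels tend to score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(records, min_queries=4, nx_threshold=0.5, entropy_threshold=3.0):
    """Aggregate per client and flag those whose query stream looks like DGA
    domain flux: a high share of NXDOMAIN answers combined with high-entropy
    labels across distinct names. The three thresholds are assumed values."""
    per_client = defaultdict(
        lambda: {"queries": 0, "nxdomain": 0, "names": set(), "entropy_sum": 0.0}
    )
    for client, name, rcode in records:
        st = per_client[client]
        st["queries"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        st["names"].add(name)
        st["entropy_sum"] += shannon_entropy(second_level_label(name))

    report = {}
    for client, st in per_client.items():
        q = st["queries"]
        nx_ratio = st["nxdomain"] / q
        mean_entropy = st["entropy_sum"] / q
        report[client] = {
            "queries": q,
            "nx_ratio": round(nx_ratio, 3),
            "mean_entropy": round(mean_entropy, 3),
            "distinct_names": len(st["names"]),
            "flagged": q >= min_queries
            and nx_ratio >= nx_threshold
            and mean_entropy >= entropy_threshold,
        }
    return report


def flagged_clients(log_text):
    """Convenience wrapper: sorted list of client IPs that tripped the heuristic."""
    report = score_clients(parse_log(log_text))
    return sorted(client for client, r in report.items() if r["flagged"])


if __name__ == "__main__":
    for client, r in score_clients(parse_log(SAMPLE_LOG)).items():
        print(client, r)
```

The point of combining the two signals is that either one alone produces noise: legitimate hosts generate NXDOMAIN bursts from typos and stale configuration, and high-entropy labels are common in CDN and tracking hostnames that do resolve. A client that is both failing most of its lookups and asking for random-looking names is what the sinkhole operators in the article were seeing from the bot population, and it is the behaviour, not any particular domain, that a detection rule should key on.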

The researchers tracked a total of 42 domain names, and over a period of two months they observed a total of “1,038,915 unique IPs posting C&C binary data” to their sinkhole.