The Pushdo botnet has resurfaced, using a domain-generation algorithm (DGA) to hide its command-and-control operations.
The trojan delivered financial malware like Zeus and SpyEye via the Cutwail spamming module.
Researchers at Damballa Labs, Dell SecureWorks and Georgia Tech University discovered Pushdo's latest feature, which helped the botnet revive itself for the fifth time in five years.
They explained in a report that attackers used a DGA to generate some 1380 unique domain names daily to conceal the location of the command-and-control infrastructure.
The algorithm was embedded in Pushdo, enabling bots to retrieve instructions from whichever of the generated domain names the operators have actually registered.
Dell SecureWorks senior security researcher Brett Stone-Gross said Pushdo attackers used the malware's DGA feature as a “back-up mechanism” to locate its control hub if its primary server was blocked or suspended.
Over the last 18 months, three major malware families – TDL-4, Zeus and now Pushdo – have used DGA tricks to conceal the activities of their botnets.
“We see this particular Pushdo botnet pretty much always drops the Cutwail spam [trojan], so it's likely the same people [behind it],” Stone-Gross said.
“They are not only trying to hide their own [Pushdo] traffic, but Cutwail traffic [as well],” he said.
Just hours after the Pushdo report was released, the masterminds began updating the botnet again to keep its infrastructure hidden, said Aviv Raff, CTO of Israel-based security firm Seculert.
Raff said the domain-generation algorithm began generating .kz domains (those registered in Kazakhstan), in place of .com domains.
“They changed their algorithm because they figured out they were being probed by security vendors,” Raff said.
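The behaviour described above, a bot walking through hundreds of generated names until one resolves, and then switching from .com to .kz names, leaves a characteristic trail in resolver logs: one host producing a burst of NXDOMAIN answers for random-looking names. The following Python is an added example, not code from the report or from any of the firms named, that scores hosts on that trail from constructed resolver log lines; the log format, the sample names and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (not real traffic), "<timestamp> <client> <qname> <rcode>"; 10.0.0.9 plays the bot.
SAMPLE_LOG = """\
2013-05-08T10:00:01 10.0.0.5 mail.example.com NOERROR
2013-05-08T10:00:02 10.0.0.9 xqzvkprlmwtb.com NXDOMAIN
2013-05-08T10:00:02 10.0.0.9 bnqwerplktyu.com NXDOMAIN
2013-05-08T10:00:03 10.0.0.9 plzrtwqmnbvc.kz NXDOMAIN
2013-05-08T10:00:03 10.0.0.9 kjhgtrewqasd.kz NXDOMAIN
2013-05-08T10:00:04 10.0.0.9 vcxzasdfgtre.kz NOERROR
2013-05-08T10:00:05 10.0.0.5 typo.exmaple.com NXDOMAIN
2013-05-08T10:00:06 10.0.0.5 www.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def entropy(label):
    """Shannon entropy in bits per character; generated labels score higher than dictionary words."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def split_name(qname):
    """Return (second-level label, top-level domain) for a query name."""
    parts = qname.lower().rstrip(".").split(".")
    return (parts[-2] if len(parts) >= 2 else parts[0]), parts[-1]

def score_hosts(log_text, min_failures=3, min_entropy=3.0):
    """Flag clients whose NXDOMAIN answers are mostly for random-looking names (thresholds are assumptions)."""
    stats = defaultdict(lambda: {"nxdomain": 0, "high_entropy": 0, "tlds": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _, client, qname, rcode = m.groups()
        if rcode != "NXDOMAIN":
            continue
        label, tld = split_name(qname)
        st = stats[client]
        st["nxdomain"] += 1
        st["tlds"].add(tld)  # a shift in the failing TLDs (.com to .kz) is itself worth tracking
        if entropy(label) >= min_entropy:
            st["high_entropy"] += 1
    for st in stats.values():
        st["suspect"] = st["nxdomain"] >= min_failures and st["high_entropy"] >= min_failures
    return dict(stats)
```

On the constructed log, 10.0.0.9 is flagged with four high-entropy failures across the com and kz TLDs, while 10.0.0.5's single typo lookup is not.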
Pushdo attackers were thought to be based in Eastern Europe.
Several government organisations, contractors and military groups in the United States, India, Iran, Mexico, Thailand and Indonesia have been targeted in the latest campaign, which was responsible for anywhere from 175,000 to 500,000 compromised computers, researchers found in March.
The high-profile targets did not mean the attackers were staging advanced attacks; more likely they had obtained victims' email addresses and used them to send spam that delivers Pushdo.
The trojan was also delivered via drive-by download in which users were infected by visiting a malicious web page.
“It's purely collateral damage,” Stone-Gross said of targeted organisations. “They got a hold of their work or personal email addresses. There's absolutely no indication that this was related to any targeted attack.”
Raff said the research community had the best chance of shuttering underground malware campaigns.
“If you try to [immediately] shut down a botnet, it will pop up in a different place,” Raff said. History has shown that the focus should be to “detect and understand who is behind them.”