Criminals behind the Pushdo botnet had used a domain generation algorithm in a bid to fool white hat researchers affiliated with the site PracticalMalwareAnalysis.com.
The domain generation algorithm produced fake domains that appeared to be part of the bot's infrastructure. In doing so, it would try to send researchers on a goose chase in pursuit of the fake domains.
Meanwhile, Pushdo would pilfer data from victims by downloading the Zeus and SpyEye trojans.
The malware only began producing the fake domains if during a search of a victim's machine it found the FakeNet tool created by the authors of PracticalMalwareAnalysis.
Once the dummy network tool was found, it began spamming the research site.
If the tool was not detected, Pushdo would attempt to conceal itself within the victim's stream of traffic, Blue Coat Systems researchers Chris Larsen and Jeff Doty said in a blog.
Doty said the attacks likely began on 26 August, when a spike of infections was detected, and have continued since.
“After it compromises your machine, it starts to send out spam to all sorts of people,” Doty wrote of Pushdo. “That spam contains an attachment that is a Zeus payload.”