Information security researchers from Dell SecureWorks’ Counter Threat Unit (CTU) research team, Damballa Labs and the Georgia Institute of Technology published a security report this week outlining how they discovered a new variant of the Pushdo malware. Pushdo is a downloader Trojan used to install additional malicious software onto a victim’s computer. Its primary function is to download the Cutwail spam bot, which is the largest active spam botnet. Cutwail in turn is the primary seeder of multiple banking Trojans, including the notorious Gameover ZeuS banking Trojan.
The cyber criminals behind Pushdo have added a slew of new features to the Trojan, going to great lengths to obfuscate it and make it harder for law enforcement, security researchers and rival hackers to disrupt. They added new techniques to mask the Command and Control (C2) traffic: a fake JPEG image file used as a decoy, a Domain Generation Algorithm (DGA) that provides backup C2 domains, and RSA encryption.
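One practical check a defender can run against the "fake JPEG" C2 masking described above is to verify that a response advertised as `image/jpeg` is actually structured as a JPEG, rather than trusting the declared type. The following is an added example written for this page, not code from the report or from the researchers named here; it walks the JPEG marker segments (SOI, length-prefixed segments up to the start of scan, EOI at the end) and labels bodies that fail the walk as suspect. The sample bodies are constructed for illustration.

```python
"""Flag HTTP responses that claim to be JPEG but are not structured as one.

Added example (not from the Pushdo report). Heuristic only: a body that
passes the marker walk is not proven to be a real image, but a body that
fails it while being served as image/jpeg deserves a closer look.
"""
import struct
from typing import Tuple

SOI = 0xD8  # Start Of Image
EOI = 0xD9  # End Of Image
SOS = 0xDA  # Start Of Scan: entropy-coded data follows this segment
# Markers that carry no length field: TEM (0x01) and RST0..RST7 (0xD0..0xD7)
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def jpeg_structure_ok(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) after walking the JPEG marker stream.

    ok is True only if the body starts with SOI, ends with EOI, and every
    marker segment up to SOS has a sane length that stays inside the body.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False, "missing SOI marker (FF D8)"
    if data[-2:] != b"\xFF\xD9":
        return False, "missing EOI marker (FF D9) at end of body"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker prefix 0xFF at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            return False, "truncated marker"
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return True, "well-formed JPEG marker stream"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return False, f"segment 0x{marker:02X} truncated at offset {pos}"
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2 or pos + seg_len > len(data):
            return False, f"segment 0x{marker:02X} has bad length {seg_len}"
        pos += seg_len
        if marker == SOS:
            # Scan data is not length-prefixed; we stop here and rely on the
            # EOI check above for the tail of the body.
            return True, "well-formed JPEG up to scan data"
    return False, "no EOI marker reached"


def classify_response(content_type: str, body: bytes) -> str:
    """'not-jpeg' if the response does not claim to be JPEG, 'jpeg' if it
    claims JPEG and walks cleanly, 'suspect' if it claims JPEG but does not."""
    if not content_type.lower().startswith("image/jpeg"):
        return "not-jpeg"
    ok, _reason = jpeg_structure_ok(body)
    return "jpeg" if ok else "suspect"


# Constructed sample bodies (not captured traffic).
GOOD_JPEG = (
    b"\xFF\xD8"                                                      # SOI
    + b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, len 16
    + b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"                     # SOS, len 8
    + b"\x12\x34\x56"                                                # scan filler
    + b"\xFF\xD9"                                                    # EOI
)
FAKE_NO_EOI = b"\xFF\xD8\xFF" + b"\x00" * 5 + bytes(range(40))
FAKE_JUNK_MIDDLE = b"\xFF\xD8" + b"constructed-c2-blob" + b"\xFF\xD9"

if __name__ == "__main__":
    observations = [
        ("image/jpeg", GOOD_JPEG),
        ("image/jpeg", FAKE_NO_EOI),
        ("image/jpeg", FAKE_JUNK_MIDDLE),
        ("text/html", b"<html></html>"),
    ]
    for ctype, body in observations:
        print(ctype, len(body), classify_response(ctype, body), jpeg_structure_ok(body)[1])
```

In a proxy or IDS pipeline this check is one signal, not a verdict: a crafted decoy can carry a valid header and still hide data after the scan segment, so pair the structural result with other indicators such as response size, destination reputation and request timing before alerting.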
Initially, these actions might seem inconsequential. However, according to botnet expert and CTU security researcher Dr. Brett Stone-Gross, implementing these features is significant. In the 10 years Stone-Gross has been researching botnets, he has never seen cyber criminals go to such lengths to mislead researchers and maintain control of their botnet. So what does this tell us about the Pushdo operation? It tells us that possessing a large botnet like Pushdo (current unique Pushdo infections range from 175,000 to 500,000 on any one day) is a lucrative enterprise, and, like any business, uptime is critical to success. Unfortunately, Stone-Gross and the researchers from Damballa and Georgia Tech do not foresee the Pushdo botnet being put out of business any time soon. Thus, it is up to the security community to keep tabs on this threat and continually improve how it is detected and blocked. End users, for their part, should diligently follow proper computer safety habits: never click on email attachments or links before verifying with the sender that the email is legitimate, and make sure the operating system, software applications and plug-ins are always patched and up to date, including anti-virus software.