Attacks/Breaches
5/22/2013
12:20 PM
Gunter Ollmann
Gunter Ollmann
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Much Ado About PushDo

We don't need a stretcher -- we need a mop

For a botnet that has been "taken down" more times than Freddie in the "Nightmare on Elm Street" movie series, PushDo seems to be doing very well despite past efforts. As if to forestall future takedown attempts, PushDo has added a new botnet recovery technique (PDF) capable of further defeating earlier takedown strategies.

Last week we were warned by Dell SecureWorks and Damballa that the PushDo malware had borrowed a resiliency feature previously encountered in malware, such as Bobax, Sinowal, and Murofet. This domain generation algorithm (DGA) capability forms the fallback mechanism should the original, "hard coded" command-and-control (C&C) be taken down. In the PushDo case, the DGA uses a predefined algorithm to poll 1,380 unique domain names each day.

While I've covered the how and why of DGAs a few times in the past (and would direct readers to last year's blog post "Domain Generation Algorithms in Stealthy Malware" as a primer on the topic), it would seem that security teams are still struggling to grasp the significance of the technique.

At some point recently while security researchers were observing the domains being employed by the PushDo DGA, the malware authors tweaked their algorithm -- jumping from 1,380 .COM domains to .KZ domains. This minor change in algorithm settings had a noticeable and immediate impact on signature detection systems until the signatures were updated. That's the beauty of the approach. A minor tweak of the algorithm undoes much of the actionable intelligence that had previously been extracted from a captured PushDo malware sample, either through manual reverse-engineering efforts or automated dynamic analysis.

Combating a botnet's DGA capability is not an impossible or trivial task, but it does require approaches outside of traditional takedown practices -- in particular, the need to observe large amounts of data from networks already infected with the malware, and the ability to sinkhole domain names that have a high probability of being generated by the algorithm and are not yet in use by the botnet operators.

By observing DNS traffic (both successfully resolved and, more critically, unsuccessfully resolved queries), DGA detection techniques such as those disclosed last year at the 21st USENIX Security Symposium show how it is possible to detect new malware families that employ DGAs without prior knowledge of the malware or algorithm. The tricky bit is tying a particular cluster of new DGA domains to a particular piece of malware.

After detecting the existence of a new DGA, sinkholing can play an important role in classifying the malware threat and eventually locating the "live" C&Cs being operated by the botnet masters. In the case of PushDo, Georgia Tech Information Security Center (GTISC) appears to have lent a helping hand in the process. The academic report (PDF) details the activities that went on behind the scenes to identify the projected domain names that were worth grabbing before the PushDo controllers did and how they were able in turn to establish a likely size of the botnet: 1,038,915 unique IP addresses.

There are still a lot of things to be learned before the takedown of resilient DGA-based botnets can become an operational procedure for incident response teams and law enforcement.

While this new analysis of the new PushDo DGA capability moves the ball forward, the impact on the criminals behind the botnet is likely insignificant. If anything, those criminals now have a better understanding of the frailty of their particular DGA implementation and could take simple steps to make it much more difficult to sinkhole the critical domain names that allowed the researchers to enumerate part of their botnet in the first place.

With all that said, I'm reminded of a quote from "A Nightmare on Elm Street" after one particularly gruesome scene in which the ambulance crew member looks around at the carnage and states, "We don't need a stretcher in here. We need a mop!" Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web