Attacks/Breaches
5/22/2013 12:20 PM
Gunter Ollmann
Commentary

Much Ado About PushDo

We don't need a stretcher -- we need a mop

For a botnet that has been "taken down" more times than Freddy in the "Nightmare on Elm Street" movie series, PushDo seems to be doing very well despite past efforts. As if to forestall future takedown attempts, PushDo has added a new botnet recovery technique (PDF) capable of further defeating earlier takedown strategies.

Last week we were warned by Dell SecureWorks and Damballa that the PushDo malware had borrowed a resiliency feature previously encountered in malware, such as Bobax, Sinowal, and Murofet. This domain generation algorithm (DGA) capability forms the fallback mechanism should the original, "hard coded" command-and-control (C&C) be taken down. In the PushDo case, the DGA uses a predefined algorithm to poll 1,380 unique domain names each day.

While I've covered the how and why of DGAs a few times in the past (and would direct readers to last year's blog post "Domain Generation Algorithms in Stealthy Malware" as a primer on the topic), it would seem that security teams are still struggling to grasp the significance of the technique.

At some point recently, while security researchers were observing the domains being employed by the PushDo DGA, the malware authors tweaked their algorithm -- switching the 1,380 generated domains from .COM to .KZ. This minor change in algorithm settings had a noticeable and immediate impact on signature detection systems until the signatures were updated. That's the beauty of the approach: a minor tweak of the algorithm undoes much of the actionable intelligence that had previously been extracted from a captured PushDo malware sample, whether through manual reverse-engineering efforts or automated dynamic analysis.

Combating a botnet's DGA capability is not an impossible or trivial task, but it does require approaches outside of traditional takedown practices -- in particular, the need to observe large amounts of data from networks already infected with the malware, and the ability to sinkhole domain names that have a high probability of being generated by the algorithm and are not yet in use by the botnet operators.

By observing DNS traffic (both successfully resolved and, more critically, unsuccessfully resolved queries), DGA detection techniques such as those disclosed last year at the 21st USENIX Security Symposium show how it is possible to detect new malware families that employ DGAs without prior knowledge of the malware or algorithm. The tricky bit is tying a particular cluster of new DGA domains to a particular piece of malware.
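The two preceding paragraphs describe the defender's side of the problem: watching resolver traffic, especially failed (NXDOMAIN) lookups, and deciding which clients are polling machine-generated names rather than keeping a list of the 1,380 known domains. The following script is an added example and is not from the article, from Damballa, or from the USENIX paper it cites. It assumes a simple constructed log format of "timestamp client rcode qname", a naive second-level-label split that ignores multi-label public suffixes, and illustrative thresholds (five or more NXDOMAINs, at least half of a client's queries failing, mean label entropy of 3 bits or more). Because the decision is keyed on the shape of the failed labels and not on a name or TLD list, the same client is flagged whether its names end in .com or .kz; the TLD mix is only reported for the analyst.

```python
"""Heuristic detection of DGA-infected clients from resolver logs (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<timestamp> <client> <rcode> <qname>".
# Client 10.0.0.5 bursts through random-looking names across two TLDs; 10.0.0.9 is a
# normal user whose two NXDOMAINs are a typo and an internal-only name.
SAMPLE_LOG = """\
2013-05-20T10:00:01Z 10.0.0.5 NOERROR www.example.com
2013-05-20T10:00:02Z 10.0.0.5 NXDOMAIN kq3zx8vtr1mp.com
2013-05-20T10:00:02Z 10.0.0.5 NXDOMAIN p9dw2hlsoy7a.com
2013-05-20T10:00:03Z 10.0.0.5 NXDOMAIN zt6cqa1mvbn4.com
2013-05-20T10:00:03Z 10.0.0.5 NXDOMAIN xr84ldkpw2qs.com
2013-05-20T10:00:04Z 10.0.0.5 NXDOMAIN bm7ylu3hzxe0.com
2013-05-20T10:00:05Z 10.0.0.5 NXDOMAIN v2ocqzk5tfj9.kz
2013-05-20T10:00:05Z 10.0.0.5 NXDOMAIN g8mrp1ydxw3q.kz
2013-05-20T10:00:06Z 10.0.0.5 NOERROR update.vendor.example
2013-05-20T10:00:07Z 10.0.0.9 NOERROR mail.example.org
2013-05-20T10:00:08Z 10.0.0.9 NXDOMAIN typo.examle.org
2013-05-20T10:00:09Z 10.0.0.9 NOERROR www.example.net
2013-05-20T10:00:10Z 10.0.0.9 NXDOMAIN intranet.corp
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, rcode, qname = m.groups()
            records.append({"ts": ts, "client": client, "rcode": rcode,
                            "qname": qname.lower().rstrip(".")})
    return records


def shannon_entropy(label):
    """Bits per character of a label; random alphanumeric labels score high, words low."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive split into (second-level label, TLD). Assumption: no multi-label public
    suffixes such as co.uk; a real deployment would consult the public suffix list."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return labels[-2], labels[-1]


def profile_clients(records):
    """Aggregate per-client query counts and the set of failed second-level labels."""
    profiles = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                    "failed_slds": set(), "tlds": defaultdict(int)})
    for r in records:
        p = profiles[r["client"]]
        p["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            sld, tld = split_name(r["qname"])
            p["nxdomain"] += 1
            p["failed_slds"].add(sld)
            p["tlds"][tld] += 1
    return profiles


def score_client(profile):
    """Summary statistics for the decision; keyed on label shape, not on a name list."""
    slds = sorted(profile["failed_slds"])
    if not slds:
        return {"nxdomain": 0, "nx_ratio": 0.0, "distinct_failed": 0,
                "mean_entropy": 0.0, "mean_length": 0.0}
    return {
        "nxdomain": profile["nxdomain"],
        "nx_ratio": profile["nxdomain"] / profile["queries"],
        "distinct_failed": len(slds),
        "mean_entropy": sum(shannon_entropy(s) for s in slds) / len(slds),
        "mean_length": sum(len(s) for s in slds) / len(slds),
    }


def find_dga_suspects(records, min_nxdomain=5, min_nx_ratio=0.5, min_entropy=3.0):
    """Return clients whose failed lookups look machine-generated. The thresholds are
    illustrative assumptions; tune them against a baseline of your own resolver logs."""
    suspects = {}
    for client, p in profile_clients(records).items():
        s = score_client(p)
        if (s["nxdomain"] >= min_nxdomain and s["nx_ratio"] >= min_nx_ratio
                and s["mean_entropy"] >= min_entropy):
            s["tlds"] = dict(p["tlds"])  # reported for the analyst, never used as a signature
            suspects[client] = s
    return suspects


if __name__ == "__main__":
    for client, s in find_dga_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {s['nxdomain']} NXDOMAIN ({s['nx_ratio']:.0%}), "
              f"mean entropy {s['mean_entropy']:.2f} bits, TLDs {s['tlds']}")
```

On the constructed log only 10.0.0.5 is flagged, with a TLD mix of five .com and two .kz failures; the per-client statistics are what an analyst would then use to group the names into one candidate DGA cluster, which is the "tricky bit" of attributing that cluster to a specific malware family.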

After detecting the existence of a new DGA, sinkholing can play an important role in classifying the malware threat and eventually locating the "live" C&Cs being operated by the botnet masters. In the case of PushDo, Georgia Tech Information Security Center (GTISC) appears to have lent a helping hand in the process. The academic report (PDF) details the activities that went on behind the scenes to identify the projected domain names that were worth grabbing before the PushDo controllers did and how they were able in turn to establish a likely size of the botnet: 1,038,915 unique IP addresses.

There are still a lot of things to be learned before the takedown of resilient DGA-based botnets can become an operational procedure for incident response teams and law enforcement.

While this new analysis of the PushDo DGA capability moves the ball forward, the impact on the criminals behind the botnet is likely insignificant. If anything, those criminals now have a better understanding of the frailty of their particular DGA implementation and could take simple steps to make it much more difficult to sinkhole the critical domain names that allowed the researchers to enumerate part of their botnet in the first place.

With all that said, I'm reminded of a quote from "A Nightmare on Elm Street" after one particularly gruesome scene, in which the ambulance crew member looks around at the carnage and states, "We don't need a stretcher in here. We need a mop!"

Gunter Ollmann serves as CTO for IOActive Inc., where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ...
