Dark Reading is part of the Informa Tech Division of Informa PLC



12:20 PM

Much Ado About PushDo

We don't need a stretcher -- we need a mop

For a botnet that has been "taken down" more times than Freddie in the "Nightmare on Elm Street" movie series, PushDo seems to be doing very well despite past efforts. As if to forestall future takedown attempts, PushDo has added a new botnet recovery technique (PDF) capable of further defeating earlier takedown strategies.

Last week we were warned by Dell SecureWorks and Damballa that the PushDo malware had borrowed a resiliency feature previously seen in malware families such as Bobax, Sinowal, and Murofet. This domain generation algorithm (DGA) capability forms the fallback mechanism should the original, hard-coded command-and-control (C&C) infrastructure be taken down. In the PushDo case, the DGA uses a predefined algorithm to poll 1,380 unique domain names each day.

While I've covered the how and why of DGAs a few times in the past (and would direct readers to last year's blog post "Domain Generation Algorithms in Stealthy Malware" as a primer on the topic), it would seem that security teams are still struggling to grasp the significance of the technique.

At some point recently while security researchers were observing the domains being employed by the PushDo DGA, the malware authors tweaked their algorithm -- jumping from 1,380 .COM domains to .KZ domains. This minor change in algorithm settings had a noticeable and immediate impact on signature detection systems until the signatures were updated. That's the beauty of the approach. A minor tweak of the algorithm undoes much of the actionable intelligence that had previously been extracted from a captured PushDo malware sample, either through manual reverse-engineering efforts or automated dynamic analysis.

Combating a botnet's DGA capability is not an impossible or trivial task, but it does require approaches outside of traditional takedown practices -- in particular, the need to observe large amounts of data from networks already infected with the malware, and the ability to sinkhole domain names that have a high probability of being generated by the algorithm and are not yet in use by the botnet operators.

By observing DNS traffic (both successfully resolved and, more critically, unsuccessfully resolved queries), DGA detection techniques such as those disclosed last year at the 21st USENIX Security Symposium show how it is possible to detect new malware families that employ DGAs without prior knowledge of the malware or algorithm. The tricky bit is tying a particular cluster of new DGA domains to a particular piece of malware.
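The detection idea above (flag hosts whose failed lookups cluster into many high-entropy, never-registered names, ignoring the TLD so a .COM-to-.KZ tweak changes nothing) is illustrated here with an added example of my own; it is not code from the USENIX paper or from Damballa, the log lines are constructed, and the thresholds are assumptions chosen for the sample.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<client> <qname> <rcode>" per line.
# 10.0.0.7 behaves like a DGA-infected host; 10.0.0.9 made one typo.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 qkzx7d2mvb9rtw.com NXDOMAIN
10.0.0.7 a8e0f21ckqpr3.com NXDOMAIN
10.0.0.7 zy4tl8vbnq01x.kz NXDOMAIN
10.0.0.7 k9mq2c7vx3lz.kz NXDOMAIN
10.0.0.7 p3r8wq1zvt6ym.kz NXDOMAIN
10.0.0.7 ex7n4cq2wz9kb.kz NXDOMAIN
10.0.0.9 exampel.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
"""

def shannon_entropy(label):
    """Bits per character of the label; algorithmically generated labels score high."""
    if not label:
        return 0.0
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def second_level_label(qname):
    """Return the registrable label, dropping the TLD so .com vs .kz is irrelevant."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def dga_suspects(log_text, min_nx=5, min_entropy=3.0):
    """Map client -> mean label entropy for clients with many distinct NXDOMAIN names.

    min_nx and min_entropy are assumed thresholds tuned to the constructed sample;
    a real deployment would calibrate them per network and time window.
    """
    nx_labels = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qname, rcode = parts
        if rcode == "NXDOMAIN":
            nx_labels[client].add(second_level_label(qname))
    suspects = {}
    for client, labels in nx_labels.items():
        if len(labels) < min_nx:
            continue  # a handful of typos is not a DGA
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy:
            suspects[client] = round(mean_entropy, 2)
    return suspects
```

Running `dga_suspects(SAMPLE_LOG)` flags only 10.0.0.7; the next step the post describes, attributing that cluster to a specific family, still needs the malware sample or sinkhole traffic.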

After detecting the existence of a new DGA, sinkholing can play an important role in classifying the malware threat and eventually locating the "live" C&Cs being operated by the botnet masters. In the case of PushDo, Georgia Tech Information Security Center (GTISC) appears to have lent a helping hand in the process. The academic report (PDF) details the activities that went on behind the scenes to identify the projected domain names that were worth grabbing before the PushDo controllers did and how they were able in turn to establish a likely size of the botnet: 1,038,915 unique IP addresses.

There are still a lot of things to be learned before the takedown of resilient DGA-based botnets can become an operational procedure for incident response teams and law enforcement.

While this analysis of the new PushDo DGA capability moves the ball forward, the impact on the criminals behind the botnet is likely insignificant. If anything, those criminals now have a better understanding of the frailty of their particular DGA implementation and could take simple steps to make it much more difficult to sinkhole the critical domain names that allowed the researchers to enumerate part of their botnet in the first place.

With all that said, I'm reminded of a quote from "A Nightmare on Elm Street" after one particularly gruesome scene in which the ambulance crew member looks around at the carnage and states, "We don't need a stretcher in here. We need a mop!"
