
Much Ado About PushDo

We don't need a stretcher -- we need a mop

For a botnet that has been "taken down" more times than Freddie in the "Nightmare on Elm Street" movie series, PushDo seems to be doing very well despite past efforts. As if to forestall future takedown attempts, PushDo has added a new botnet recovery technique (PDF) capable of further defeating earlier takedown strategies.

Last week we were warned by Dell SecureWorks and Damballa that the PushDo malware had borrowed a resiliency feature previously encountered in malware such as Bobax, Sinowal, and Murofet. This domain generation algorithm (DGA) capability forms the fallback mechanism should the original, hard-coded command-and-control (C&C) infrastructure be taken down. In the PushDo case, the DGA uses a predefined algorithm to poll 1,380 unique domain names each day.

While I've covered the how and why of DGAs a few times in the past (and would direct readers to last year's blog post "Domain Generation Algorithms in Stealthy Malware" as a primer on the topic), it would seem that security teams are still struggling to grasp the significance of the technique.

At some point recently while security researchers were observing the domains being employed by the PushDo DGA, the malware authors tweaked their algorithm -- jumping from 1,380 .COM domains to .KZ domains. This minor change in algorithm settings had a noticeable and immediate impact on signature detection systems until the signatures were updated. That's the beauty of the approach. A minor tweak of the algorithm undoes much of the actionable intelligence that had previously been extracted from a captured PushDo malware sample, either through manual reverse-engineering efforts or automated dynamic analysis.

Combating a botnet's DGA capability is neither impossible nor trivial, but it does require approaches outside of traditional takedown practices -- in particular, the ability to observe large amounts of data from networks already infected with the malware, and the ability to sinkhole domain names that have a high probability of being generated by the algorithm and are not yet in use by the botnet operators.

By observing DNS traffic (both successfully resolved and, more critically, unsuccessfully resolved queries), DGA detection techniques such as those disclosed last year at the 21st USENIX Security Symposium show how it is possible to detect new malware families that employ DGAs without prior knowledge of the malware or algorithm. The tricky bit is tying a particular cluster of new DGA domains to a particular piece of malware.
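The failed-lookup observation above, turned into a small detector: this is an added example and not code from the article or from the USENIX researchers it cites. It assumes a constructed log format of "client qname rcode" and illustrative thresholds, and shows why a TLD swap of the kind described above (.COM to .KZ) breaks a domain signature but not a behavioural NXDOMAIN check.

```python
"""Behavioural DGA spotting from failed DNS lookups. Added example, not the
article's code; log format "client qname rcode" and thresholds are constructed."""
import math
from collections import Counter, defaultdict

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.9 polls
# algorithmic names, first under .com and then, after a "tweak", under .kz.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.5 typo-exampel.com NXDOMAIN
10.0.0.9 qzxkvbnrtwp.com NXDOMAIN
10.0.0.9 mwplqtzvxra.com NXDOMAIN
10.0.0.9 hjdkfywoqcz.com NXDOMAIN
10.0.0.9 bvrtqnxzlsk.kz NXDOMAIN
10.0.0.9 yplxwqcvnzt.kz NXDOMAIN
10.0.0.9 gtrmzxqwvpk.kz NXDOMAIN
"""

def entropy(label):
    """Shannon entropy in bits per character of one domain label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse_log(text):
    """Yield (client, second_level_label, tld, rcode) for each log line."""
    for line in text.strip().splitlines():
        client, qname, rcode = line.split()
        parts = qname.lower().rstrip(".").split(".")
        yield client, parts[-2], parts[-1], rcode

def score_hosts(records, min_failures=5, min_entropy=3.0):
    """Per client: NXDOMAIN count, mean entropy of the distinct failed labels,
    TLDs touched, and a flag. The TLD is ignored, so a .com -> .kz switch
    that breaks a domain signature does not evade this check."""
    failed = defaultdict(list)
    for client, label, tld, rcode in records:
        if rcode == "NXDOMAIN":
            failed[client].append((label, tld))
    report = {}
    for client, items in failed.items():
        labels = {lab for lab, _ in items}
        mean_h = sum(entropy(lab) for lab in labels) / len(labels)
        report[client] = {
            "failures": len(items),
            "mean_entropy": round(mean_h, 3),
            "tlds": {tld for _, tld in items},
            "flagged": len(labels) >= min_failures and mean_h >= min_entropy,
        }
    return report
```

On the sample, only 10.0.0.9 is flagged, with both TLDs recorded; tying such a cluster back to a specific malware family is the harder step the text describes.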

After detecting the existence of a new DGA, sinkholing can play an important role in classifying the malware threat and eventually locating the "live" C&Cs being operated by the botnet masters. In the case of PushDo, Georgia Tech Information Security Center (GTISC) appears to have lent a helping hand in the process. The academic report (PDF) details the activities that went on behind the scenes to identify the projected domain names that were worth grabbing before the PushDo controllers did and how they were able in turn to establish a likely size of the botnet: 1,038,915 unique IP addresses.

There are still a lot of things to be learned before the takedown of resilient DGA-based botnets can become an operational procedure for incident response teams and law enforcement.

While this analysis of the new PushDo DGA capability moves the ball forward, the impact on the criminals behind the botnet is likely insignificant. If anything, those criminals now have a better understanding of the frailty of their particular DGA implementation and could take simple steps to make it much more difficult to sinkhole the critical domain names that allowed the researchers to enumerate part of their botnet in the first place.

With all that said, I'm reminded of a quote from "A Nightmare on Elm Street" after one particularly gruesome scene in which the ambulance crew member looks around at the carnage and states, "We don't need a stretcher in here. We need a mop!"

