Dark Reading is part of the Informa Tech Division of Informa PLC

Much Ado About PushDo

We don't need a stretcher -- we need a mop

For a botnet that has been "taken down" more times than Freddie in the "Nightmare on Elm Street" movie series, PushDo seems to be doing very well despite past efforts. As if to forestall future takedown attempts, PushDo has added a new botnet recovery technique (PDF) that defeats the takedown strategies used against it so far.

Last week we were warned by Dell SecureWorks and Damballa that the PushDo malware had borrowed a resiliency feature previously encountered in malware such as Bobax, Sinowal, and Murofet. This domain generation algorithm (DGA) capability is the fallback mechanism should the original, hard-coded command-and-control (C&C) servers be taken down. In PushDo's case, the DGA uses a predefined algorithm to derive and poll 1,380 unique domain names each day, and because every bot derives the same list, the operators need to register only one of them to regain control.

While I've covered the how and why of DGAs a few times in the past (and would direct readers to last year's blog post "Domain Generation Algorithms in Stealthy Malware" as a primer on the topic), it would seem that security teams are still struggling to grasp the significance of the technique.

At some point recently, while security researchers were observing the domains being employed by the PushDo DGA, the malware authors tweaked their algorithm, switching the 1,380 daily domains from the .COM top-level domain to .KZ. This minor change to a single algorithm setting had a noticeable and immediate effect on signature-based detection systems, which saw nothing until the signatures were updated. That's the beauty of the approach: a minor tweak to the algorithm undoes much of the actionable intelligence that had previously been extracted from a captured PushDo sample, whether through manual reverse engineering or automated dynamic analysis.
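To make the mechanics concrete, here is a toy date-seeded DGA, added here as an illustration; it is not PushDo's actual algorithm, which this post does not reproduce. The seed, the 12-letter labels and the lowercase alphabet are assumptions, and the 1,380-per-day figure is the one quoted above. It shows why a static signature built from one sample stops matching the moment the operator flips the TLD setting, and why the same determinism lets a defender pre-compute the domains the algorithm will use in coming days, the "not yet in use" set that can be sinkholed.

```python
"""Toy date-seeded DGA, added as an illustration. It is NOT PushDo's real
algorithm (this post does not reproduce it); SEED, the 12-letter labels and
the lowercase alphabet are assumptions. DOMAINS_PER_DAY is the figure from
the SecureWorks/Damballa analysis quoted above."""
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 1380
SEED = b"example-seed"          # assumption: real DGAs use a key recovered by reversing a sample
SAMPLE_DAY = date(2013, 5, 20)  # constructed date for the demo


def dga_domains(day, tld="com", count=DOMAINS_PER_DAY, seed=SEED):
    """Derive `count` deterministic domains for `day`. Every bot with the same
    code derives the same list, so the operator need register only one of
    them; the TLD is a separate setting the operator can flip at will."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        # 12 lowercase letters taken from the digest (label length is an assumption)
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{tld}")
    return names


def blocklist_hits(blocklist, observed):
    """How many of the domains a bot will try are still caught by a static list."""
    return sum(1 for d in observed if d in blocklist)


def sinkhole_candidates(start, days, tld="com"):
    """Domains the algorithm will emit over the next `days` days: the set a
    defender can register before the operator does."""
    out = []
    for n in range(days):
        out.extend(dga_domains(start + timedelta(days=n), tld))
    return out


if __name__ == "__main__":
    # Analyst reverses a .COM sample and turns today's list into signatures ...
    signatures = set(dga_domains(SAMPLE_DAY, "com"))
    print(blocklist_hits(signatures, dga_domains(SAMPLE_DAY, "com")))  # 1380
    # ... and the operator changes one setting.
    print(blocklist_hits(signatures, dga_domains(SAMPLE_DAY, "kz")))   # 0
    # Defender side: the same determinism predicts next week's domains.
    print(len(sinkhole_candidates(SAMPLE_DAY, 7)))                      # 9660
```

Running the script prints 1380, 0 and 9660: every .COM domain for the day is on the blocklist, none of the .KZ ones are, and a week of future domains is 9,660 names that a sinkhole operator would have to register ahead of the botmaster. The labels are identical across the two TLDs, which is exactly why a signature keyed on the full domain went blind while the underlying algorithm had not changed at all.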

Combating a botnet's DGA capability is neither impossible nor trivial, but it does require approaches outside traditional takedown practice: in particular, observing large volumes of DNS data from networks that already contain infected hosts, and the ability to sinkhole domain names that the algorithm is likely to generate but that the botnet operators have not yet registered.

By observing DNS traffic (both successfully resolved and, more critically, unsuccessfully resolved queries), DGA detection techniques such as those presented last year at the 21st USENIX Security Symposium show that it is possible to detect new malware families that employ DGAs without prior knowledge of the malware or its algorithm. The tricky bit is tying a particular cluster of new DGA domains to a particular piece of malware.
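An added example of the detection idea, not the method from the USENIX paper cited above (which clusters NXDOMAIN traffic at scale and trains a classifier) but a per-client heuristic in the same spirit: bots walking their DGA list produce bursts of failed lookups for random-looking names, which benign hosts rarely do. The log format, the thresholds and every log line are constructed for this illustration. It also shows the caveat that NXDOMAIN volume alone is not enough (a host with a bad DNS search list produces plenty of NXDOMAINs for readable names) and records, for a flagged client, the generated-looking name that did resolve, which is where the live C&C hides.

```python
"""NXDOMAIN-based DGA spotting over resolver logs. Added illustration, not
the USENIX paper's method: a per-client heuristic (many failed lookups of
high-entropy names) instead of its clustering and classification. The log
format, thresholds and all sample lines below are constructed."""
import math
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qname> <rcode>".
# 10.0.0.9 is the infected host; 10.0.0.12 is benign but its DNS search list
# makes every internal lookup fail; 10.0.0.5 just mistypes a name once.
SAMPLE_LOG = """\
1369000001 10.0.0.5 www.example.com NOERROR
1369000002 10.0.0.5 exmaple.com NXDOMAIN
1369000003 10.0.0.9 qkzvtrhbdlwa.com NXDOMAIN
1369000004 10.0.0.9 mxpjgfeonusy.com NXDOMAIN
1369000005 10.0.0.12 printer.corp.local NXDOMAIN
1369000006 10.0.0.9 bvcxzlkjhgfd.com NXDOMAIN
1369000007 10.0.0.12 fileserver.corp.local NXDOMAIN
1369000008 10.0.0.9 trewqasdfgzx.com NXDOMAIN
1369000009 10.0.0.12 intranet.corp.local NXDOMAIN
1369000010 10.0.0.9 plmoknijbuhv.com NXDOMAIN
1369000011 10.0.0.12 wiki.corp.local NXDOMAIN
1369000012 10.0.0.9 ygctfxrdzesw.com NXDOMAIN
1369000013 10.0.0.12 git.corp.local NXDOMAIN
1369000014 10.0.0.9 ygctfxrdzesw.kz NOERROR
"""


def shannon_entropy(s):
    """Bits per character of a label; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def sld_label(qname):
    """Label left of the TLD. Assumption: single-label TLDs; a real deployment
    would consult the Public Suffix List instead."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def analyze(log_text, min_nx=5, min_entropy=3.0):
    """Per client: distinct NXDOMAIN names, mean label entropy, a flag when both
    thresholds are met, the NXDOMAIN cluster (to match against candidate
    generators later), and resolved names that look generated (candidate C&C)."""
    nx, ok = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        (nx if rcode == "NXDOMAIN" else ok)[client].add(qname)
    report = {}
    for client in set(nx) | set(ok):
        labels = [sld_label(q) for q in nx[client]]
        mean_h = sum(map(shannon_entropy, labels)) / len(labels) if labels else 0.0
        flagged = len(nx[client]) >= min_nx and mean_h >= min_entropy
        candidates = sorted(q for q in ok[client]
                            if flagged and shannon_entropy(sld_label(q)) >= min_entropy)
        report[client] = {"nxdomain": len(nx[client]), "mean_entropy": round(mean_h, 3),
                          "flagged": flagged, "cluster": sorted(nx[client]),
                          "candidate_c2": candidates}
    return report


if __name__ == "__main__":
    for client, r in sorted(analyze(SAMPLE_LOG).items()):
        print(client, r["nxdomain"], r["mean_entropy"], r["flagged"], r["candidate_c2"])
```

Only 10.0.0.9 is flagged: six distinct failed lookups for 12-letter labels with no repeated characters (entropy about 3.58 bits per character), followed by one such name that resolved, ygctfxrdzesw.kz. The five failures from 10.0.0.12 are the same count, but the label "corp" scores 2.0 bits and stays below the threshold, which is the noise a production detector has to discount before a cluster is worth chasing. The cluster itself is what you would compare against domains emitted by a sandboxed sample or a reversed generator to do the attribution the paragraph calls tricky.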

Once a new DGA has been detected, sinkholing can play an important role in classifying the malware threat and eventually locating the "live" C&Cs being operated by the botnet masters. In the case of PushDo, the Georgia Tech Information Security Center (GTISC) appears to have lent a helping hand in the process. The academic report (PDF) details the behind-the-scenes work of identifying the projected domain names worth grabbing before the PushDo controllers did, and how the resulting sinkhole traffic gave a likely size for the botnet: 1,038,915 unique IP addresses. As with any IP-based count, DHCP churn inflates that figure and NAT deflates it, so it bounds the bot population rather than measuring it.

There is still a lot to be learned before the takedown of resilient DGA-based botnets can become a routine operational procedure for incident response teams and law enforcement.

While this analysis of the new PushDo DGA capability moves the ball forward, the impact on the criminals behind the botnet is likely insignificant. If anything, those criminals now have a better understanding of the frailty of their particular DGA implementation and could take simple steps, such as seeding the algorithm with a value the bots can fetch but defenders cannot predict in advance, to make it much more difficult to sinkhole the critical domain names that allowed the researchers to enumerate part of their botnet in the first place.

With all that said, I'm reminded of a quote from "A Nightmare on Elm Street" after one particularly gruesome scene in which the ambulance crew member looks around at the carnage and states, "We don't need a stretcher in here. We need a mop!"
