Pushdo Malware and Cutwail Botnet are Back
Since 2008, technology firms and authorities have taken down the prolific Pushdo and Cutwail spam botnet four times. Yet it keeps coming back, according to security researchers, as reported by threatpost.com on May 15, 2013.
In early March 2013, experts at Dell SecureWorks, the Georgia Institute of Technology and Damballa Labs found a new variant of the malware that had adopted a domain generation algorithm (DGA), not only to evade identification by researchers but also to add resilience.
Cutwail has been one of the biggest spam botnets of the past, enlisting millions of infected computers that have sent billions of spam messages over the years. The malware is installed on infected machines by the dropper Trojan Pushdo. The research team that studied the algorithm also noted that it can produce 1,380 unique domains every day.
The latest domain algorithm works much like the backup C&C (command-and-control) techniques employed by other cybercriminal gangs, including the authors of the infamous Zeus malware family. The recent iteration, with its DGA capabilities, can also query legitimate websites such as those of universities and ISPs to blend in with normal web traffic and defeat sandbox-type analyses. The researchers added that the DGA capability lets Pushdo, which may be used to drop any other malware, obscure itself further.
The majority of the recent infections are in Mexico, India and Iran, but other nations, including the United States, are also hit by the malware. Researchers discovered many US government contractors and military networks infected with malware that uses the new DGA. The new Pushdo Trojan accounts for more than one million unique IPs and is growing by 35,000 unique IPs every day, the researchers found.
The new DGA strategy is a fallback, used only if the malware on an infected system fails to connect to the primary C&C (command-and-control) server. "This is an extremely smart method to overpower standard network signature and sandboxing machines that basically block the network communication seen during the dynamic analysis of the malicious binary," the researchers said, as reported by crn.com on May 15, 2013.
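A defender-side illustration of the fallback behaviour described above (an added example, not code from the article or the researchers, and not Pushdo's actual algorithm): it scans constructed DNS resolver log lines for hosts that receive many NXDOMAIN answers for long, random-looking names, the pattern a DGA produces while it sweeps candidate domains, without being thrown off by the legitimate university and ISP lookups mixed in. The log format, host addresses and thresholds are assumed values.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver log lines (not from the article): "client qname rcode".
SAMPLE_LOG = """\
10.0.0.5 www.example.edu NOERROR
10.0.0.5 xkqzvmrtpqlwd.com NXDOMAIN
10.0.0.5 update.example-isp.net NOERROR
10.0.0.5 fjwplqmxvzrtk.net NXDOMAIN
10.0.0.5 qzmrvkxtplwnj.com NXDOMAIN
10.0.0.5 zrtkplmvxqwfj.org NXDOMAIN
10.0.0.7 www.example.edu NOERROR
10.0.0.7 mail.example-isp.net NOERROR
10.0.0.7 old-host.example.org NXDOMAIN
"""

def label_entropy(label):
    """Shannon entropy (bits per character) of one label; random DGA labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(qname, min_len=10, min_entropy=3.0):
    """Heuristic (assumed thresholds): the registrable label is long, letters only
    and high-entropy. Real dictionary-based DGAs need a different test."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    return (len(label) >= min_len and re.fullmatch(r"[a-z]+", label) is not None
            and label_entropy(label) >= min_entropy)

def score_hosts(log_text, nx_threshold=3):
    """Count NXDOMAIN answers for generated-looking names per client host and return
    the hosts at or above the threshold. Legitimate lookups interleaved by the same
    host (the blending the article describes) do not lower its count."""
    per_host = defaultdict(int)
    for line in log_text.splitlines():
        host, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            per_host[host] += 1
    return {h: c for h, c in per_host.items() if c >= nx_threshold}

if __name__ == "__main__":
    print(score_hosts(SAMPLE_LOG))  # {'10.0.0.5': 4}
```

In practice the counts are taken over a sliding window per host, and the entropy and length thresholds are tuned against the organisation's own baseline of failed lookups.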