Cybercriminals Roll Out New Variant of PushDo Malware

A new variant of the PushDo malware has already been distributed to tens of thousands of computers across the globe, researchers from Bitdefender reported.

After analyzing the threat, the security firm determined that its authors have made some significant changes compared to earlier PushDo variants. For example, while the communication protocol remains the same, the public and private keys used to encrypt the traffic between bots and the command and control (C&C) server have been changed.

“Another significant change was made at the binary level. New PushDo binaries contain now an encrypted overlay, having the role of a checkup. If the conditions specified in the overlay aren’t met, the sample doesn’t run properly. Also, now the list containing approximately 100 clean domain names, which hide the hard-coded domain name of the C&C can be found here and not in the binary file,” Bitdefender researchers wrote in a blog post.

PushDo resurfaced in May 2013, when security companies noted that its authors had adopted RSA encryption to protect botnet traffic, and added a domain name generation algorithm (DGA) that was capable of generating over 1,300 unique domains names in a single day.

Now, according to Bitdefender, the main structure of the DGA remains mostly the same, but the domain names that are generated are very different.  The new DGA, which currently generates 30 domain names per day, kicks in to re-establish connectivity if none of the hardcoded domains point to a valid C&C server.

The new variant emerged on July 14 and the security firm almost immediately sinkholed some of the domains used by the malware. Bogdan Botezatu, Senior E-threat Analyst at Bitdefender, told SecurityWeek that the new variant is distributed as an update to victims that are already infected with the older version of PushDo. The company’s sinkholing efforts revealed that the threat has already been distributed to 42,501 unique IPs in less than 48 hours.

Data provided by Bitdefender to SecurityWeek shows that the most infections have been spotted in India (4,215), Vietnam (3,637), the United States (2,153), Argentina (2,075), Turkey (2,045), Mexico (1,811), Indonesia (1,755), Iran (1,561), Italy (1,393) and Thailand (1,107). Hundreds of infections have been detected in Egypt, Taiwan, the Philippines, Peru, Brazil, France, Russia, Malaysia, Poland, South Africa, Pakistan, Colombia, South Korea, China, Spain, Japan, Germany and the UK.

“The new PushDo variant is only deploying the Cutwail spam component to users but we expect that, once the update process is complete, to see PushDo re-start downloading its usual components (the Cutwail spammer, DDoS Trojans and password stealers),” Botezatu said.