Anti-Malware Research

New Pushdo Variant Surfaces

Bitdefender researchers Alexandru Maximciuc, Cristina Vatamanu, Doina Cosovan, Paul Boț and Răzvan Benchea report that a new PushDo variant emerged yesterday, 14th July 2014. Previous PushDo variants have been analyzed by Bitdefender researchers, and the results were presented at the AVAR 2013 conference.

The public and private keys used to protect the communication between the bots and the Command and Control servers have been changed, but the communication protocol remained the same.

Another significant change was made at the binary level. New PushDo binaries now contain an encrypted overlay that acts as a checkup: if the conditions specified in the overlay aren't met, the sample doesn't run properly. Also, the list of approximately 100 clean domain names, which hides the hard-coded domain name of the C&C, can now be found here and not in the binary file.

Also, a new DGA (Domain Generation Algorithm) is currently in use. Although the main structure of the algorithm was preserved (only some constants and the lists of letters used to compute the domain name length and to choose the domain name characters have been updated), the generated domain names look very different. After sinkholing one of them, we received 8840 requests from 2336 unique IP addresses in less than 3 hours. The following image shows the botnet distribution across the globe, which clearly shows that India, Vietnam and Turkey are the top three most infected countries.
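The sinkhole figures above (request count, unique IP count, per-country distribution) are the kind of summary a defender derives from sinkhole server logs. The following is an added example, not Bitdefender's tooling or the post's own code: it parses a constructed log format (`<timestamp> <src_ip> GET <host>`), counts requests and unique sources, and attributes each unique IP to a country through a hypothetical prefix-to-country table standing in for a real GeoIP database. The log lines, the documentation-range IPs and the country assignments are all constructed for illustration.

```python
"""Aggregate sinkhole request logs: total requests, unique source IPs and
per-country distribution of infected hosts.
Added example; the log format, IP ranges and GeoIP table are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sinkhole log lines in the form "<timestamp> <src_ip> GET <host>".
# The domain is a made-up DGA-style name, not one generated by PushDo.
SINKHOLE_LOG = """\
2014-07-14T10:01:02Z 203.0.113.7 GET qzvkpdlm.com
2014-07-14T10:01:05Z 203.0.113.7 GET qzvkpdlm.com
2014-07-14T10:01:09Z 198.51.100.23 GET qzvkpdlm.com
2014-07-14T10:01:11Z 192.0.2.44 GET qzvkpdlm.com
2014-07-14T10:01:15Z 198.51.100.23 GET qzvkpdlm.com
2014-07-14T10:01:20Z 192.0.2.45 GET qzvkpdlm.com
malformed line that should be skipped
"""

# Hypothetical GeoIP table: documentation prefixes mapped to country codes.
# A real deployment would query a GeoIP database instead.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "IN",
    ip_network("198.51.100.0/24"): "VN",
    ip_network("192.0.2.0/24"): "TR",
}


def country_for(ip: str) -> str:
    """Return the country code for an IP, or '??' if no prefix matches."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse_log(text: str):
    """Yield (timestamp, src_ip, host) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue
        try:
            ip_address(parts[1])  # reject lines whose source field is not an IP
        except ValueError:
            continue
        yield parts[0], parts[1], parts[3]


def summarize(text: str) -> dict:
    """Count requests, unique source IPs, and unique IPs per country."""
    requests = 0
    seen_ips = set()
    by_country = Counter()
    for _, ip, _ in parse_log(text):
        requests += 1
        if ip not in seen_ips:          # count each infected host once
            seen_ips.add(ip)
            by_country[country_for(ip)] += 1
    return {
        "requests": requests,
        "unique_ips": len(seen_ips),
        "by_country": dict(by_country),
    }


if __name__ == "__main__":
    stats = summarize(SINKHOLE_LOG)
    print(f"{stats['requests']} requests from {stats['unique_ips']} unique IPs")
    for cc, n in sorted(stats["by_country"].items(), key=lambda kv: -kv[1]):
        print(f"  {cc}: {n} hosts")
```

Counting unique IPs rather than raw requests matters because a single bot polls the sinkholed domain repeatedly; the per-country ranking is therefore computed over hosts, not over requests. NAT and dynamic addressing still make the unique-IP count an approximation of the true number of infected machines.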


The investigation is ongoing, further updates should become available in the following days.

About the author


Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

