Bitdefender researchers Alexandru Maximciuc, Cristina Vatamanu, Doina Cosovan, Paul Boț and Răzvan Benchea report that a new PushDo variant emerged yesterday, 14th July 2014. Previous PushDo variants have already been analyzed by Bitdefender researchers, and the results were presented at the AVAR 2013 conference.
The public and private keys used to protect the communication between the bots and the Command and Control servers have been changed, but the communication protocol itself remains the same.
Another significant change was made at the binary level. New PushDo binaries now contain an encrypted overlay that acts as a checkup: if the conditions specified in the overlay aren't met, the sample doesn't run properly. The list of approximately 100 clean domain names, which hides the hard-coded domain name of the C&C, is now stored there, in the overlay, rather than in the binary file itself.
A new DGA (Domain Generation Algorithm) is also in use. Although the main structure of the algorithm was preserved (only some constants, together with the lists of letters used to compute the domain name length and to choose the domain name characters, have been updated), the generated domain names look very different. After sinkholing one of the generated domains, we received 8840 requests from 2336 unique IP addresses in less than 3 hours. The following image shows the botnet distribution across the globe; it clearly shows that India, Vietnam and Turkey are the three most infected countries.
The investigation is ongoing; further updates should become available in the following days.