Fresh Pushdo Sample Contaminates Over 100,000 PCs

According to researchers at the Counter Threat Unit of Dell SecureWorks a security company, Trojan Pushdo is back in one fresh form infecting over a lakh PCs ever-since August 2012 started as it employs one fresh method for countering security researchers attempting at examining the botnet.

Senior Security Researcher Brett Stone-Gross at Dell SecureWorks' Counter Threat Unit (CTU) explains that just like a majority of botnets, PCs, which become contaminated with Pushdo, proceed for establishing communication with the botnet's central C&C (command-and-control) server for receiving commands. However, in this case the maneuverability is slightly different. Here the bot-controllers particularly designed the malware to make it issue Hypertext Transfer Protocol (HTTP) queries to about 300, not so popular though genuine Internet sites that mingle with traffic actually associated with the C&C system, Stone-Gross continues.

The researcher elaborates that the reason why the HTTP queries are delivered onto lawful Internet sites is that identification of the C&C traffic that too utilizes HTTP becomes more difficult. Consequently, security analysts are compelled to sort out all HTTP queries so the central C&C can be located and subsequently identification and eliminating processes can be carried out, Stone-Gross adds.

Furthermore, Dell SecureWorks tells that the kind of traffic Pushdo produces is related to an algorithm seemingly generated randomly which creates 'GETS' and 'Power-On Self Test' (POST) queries, which reach the websites' beginning section, alternatively one arbitrarily created page. The original C&C related traffic has been traced to systems within Kazakhstan and Russia, say analysts of the assault at Dell SecureWorks.

Importantly, the company advises that when web-masters observe a rise in traffic for destinations that don't exist they require sieving the queries using a distinct string namely "xclzve" that seems as added to traffic which Pushdo botnet produces.

In the meantime, Pushdo's current utilization of the technique in discussion for camouflaging its command-and-control exchange of messages isn't unknown. During February 2010, a previous variant created bogus Secure Sockets Layer requests for lawful Internet sites when the botnet issued instructions via port 443 of Transmission Control Protocol (TCP), the port being for Secure Sockets Layer by default.

Related article: Force 9 and TalkTalk Are the Highest Spam-Delivering ISPs

» SPAMfighter News - 9/17/2012