Command-and-control (C&C) server communication is essential for botnet creators to control zombie computers (or bots). To hide this from security researchers, they often use rootkits and other “tricks”. However, hiding the network traffic – specifically from monitoring outside an infected computer – is not an easy task, but is something that the botnet creators have improved through the years.
Detecting and blocking C&C communication is one way to protect users against the dangers of botnets. Threat actors know this, thus they have developed different ways to make the C&C communication more resistant to network security products.
In this report, we will discuss how the latest wave of Pushdo variants keep its C&C communication channel under the radar. Known as a spamming botnet, Pusho/Cutwail was taken down several times in the past. They are also known to distribute ZeuS/ZBOT variants.
Pushdo Hides Among the Crowd
If you are a potential attacker, the best way to not get caught is to blend your communications with normal/legitimate traffic and appear as inconspicuous as possible. Pushdo creators understand this and adopted this strategy into their latest malware.
As shown in Figure 1, these Pushdo variants send out numerous HTTP requests. Among them are requests to the real C&C server. However, most of these requests serve as mere distractions.
Figure 1. PUSHDO Network Traffic Snippet
The malware sample we analyzed contains an encrypted list of 200 domains (see Figure 2). It randomly chooses 20 among them and requests either the root path or the path of “?ptrxcz_[random]”. Some of these domains belong to large companies or famous educational institutions, while some are obscure websites. This makes C&C server identification using network traffic analysis more difficult as it can be tough to distinguish real C&C connections among the fake ones.
Figure 2. Decrypted list of the 200 domains
Another by-product of this fake C&C feature is the potential distributed denial-of-denial (DDoS) the malware can initiate against the 200 web severs on the list. Though the true intention is not to execute this attack, the huge of number of useless requests eats up a lot of bandwidth of these websites.
Sandbox analysis is a popular tool in malware analysis. Many organizations have adopted some kind of automatic sandbox system to detect and block unknown malware. This fake C&C feature, however, poses new challenges to these systems. Before adding a server into the C&C blacklist, a system needs to check the whitelist first. If the whitelist is not good enough, there may be some false positives and inadvertently make legitimate websites inaccessible to users.
Pushdo DGA Complicates Matters
Another noteworthy PUSHDO feature is its domain generation algorithm (DGA). DGA is a popular among botnet malware these days. It’s purpose is to make malware more resistant to C&C takedowns.
Pushdo in particular uses calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect to not only domains for a given day, but also all domains generated from days between 30 days earlier and 15 days latter. In other words, it may try to connect to 1380 domains each day. It seems most of them are parked domains right now and point to an advertisement page (Figure 3).
Figure 3. Screenshot of Pushdo Generated Domain
This DGA feature can be challenging for behavior and sandboxing analysis. Using sandboxing analysis without reverse engineering the malware and figuring its DGA may not be enough to block C&C communication, as the malware generates different domains for each day.
During our analysis, we effectively monitored Pushdo’s C&C using Trend Micro Web Reputation Services feedback. As shown in Figure 4, there were attempts to connect to one of the C&C servers. The query requests came from different locations, suggesting that there are still other computers infected by this malware.
Figure 4. Requests sent to Trend Micro Web Reputation Service
Traditional method of combating malware, such as file-signature detection, may not be sufficient in today’s threat landscape.Malware authors and the likes have developed effective tactics against signature-based detection like polymorphism and use of packers.
Monitoring behavior of a malware inside sandbox is a good approach to address this challenge – but they are not stand alone solution. Malware like PUSHDO proves that a relying on one solution is not enough. Such technology, coupled with deep analysis and tools like Web Reputation Services, provides more robust protection against these threats.