A Look at Evasion Techniques in the Pushdo Botnet

September 11, 2013 - By Chris Larsen, Jeff Doty

[Some nice research from Jeff in our internal blog a few days ago. Needs a wider audience, since we've seen some folks following the wrong C&C trail. --C.L.]

 

We recently came across a compromised website pushing out a payload that belongs to the Pushdo botnet, a botnet reportedly controlled by a well-funded Eastern European Cybercrime group. This botnet has often been closely associated with the Cutwail spam botnet. In the past, the Cutwail group would spam out payloads for the Pushdo botnet, which in turn serves as an infrastructure to the highest bidder, and has been seen to be distributing popular malware like Zeus and Spyeye.

In the last few months, the Pushdo botnet has been using some interesting evasion techniques -- mainly the use of DGA (Domain Generating Algorithms). DGA is a method to conceal the actual C&C (Command-and-Control) domains that these botnets call out to. Traditionally, malware was coded with a specific domain or IP address to call back to. However, security researchers will eventually discover these domains and either block them or sinkhole them.

Using DGA, modern malware can generate large numbers of domain names that don’t actually exist; this makes life harder for the Good Guys, and whenever the botnet operators are ready they can simply turn some of these domains on -- Bam! Instant botnet.

This particular variant gets a little snarky.

Malware analysts use a variety of tools in order to decompile, debug, and monitor malware samples. During the process of analyzing this particular variant with some of these tools, I noticed some interesting network traffic coming from the process it created...

screenshot of some malware traffic

An SMTP request to PracticalMalwareAnalysis.com. Hmmm....

This is interesting, because I know this website. I’ve even met the guys who run it.

PracticalMalwareAnalysis.com is a companion site to a book with the same title, written by Michael Sikorski and Andrew Honig. It’s a great book on how to decompile, debug and monitor malware.

cover shot of Practical Malware Analysis book

 

So would the Pushdo people be spamming their site just for the fun of it, or was it something else?

 

With the release of the book, the two authors created a tool called FakeNet which does exactly what it sounds like. It creates a fake network to help monitor the network traffic of a malware sample.

screenshot of FakeNet description

Could the malware be detecting the tool I was using? Seems kind of random to spam that site for no reason.

So I tried analyzing the malware without fakenet... Sure enough, I got completely different traffic this time.

If I'm running FakeNet, the sample quickly spams practicalmalwareanalysis.com and then starts up a DGA to create traffic to a bunch of random ".kz" domains. This appears to be a purely diversionary tactic, to fool analysts to chase after a red herring.

screenshot of malware traffic to fake .KZ domains

If you're not running FakeNet, the malware behaves very differently. After creating some extra svchost services, it uses a different evasion technique than before: sometimes you don’t need to hide your C&C traffic, you only need to blend in with the rest of the crowd...

screenshot of hiding C&C traffic among legit domains

The sample quickly starts making connections to a ton of random legitimate domains. In a 60-second period, I counted 507 requests to random websites. Hidden within those requests is one, sometime two, to an actual C&C server. And, if you let it run long enough, the payload then reveals its true intent -- spam.

screenshot of spam generated by the malware

screenshot2 of spam generated by the malware

All of the emails are sent from the same spoofed address: GISPROD@citizensbank.com. These emails are sent to a fairly large list of email addresses.

I can’t confirm how they collected their list, but my suspicion is that they used some form of brute forcing likely addresses, because a guy named "abrooks" showed up several times, with a different domain each time.

The emails have a zip file attached that contains the next payload: an executable file with a PDF icon. It wasn't well detected when I checked:

screenshot of virustotal results

This payload is just a downloader for a Zeus variant. Like a typical Zeus/Zbot payload, it started communicating through a peer-to-peer network until it found an update that it pulled down. The payload then began to search for credentials to harvest from the usual programs: Mozilla, Outlook, Keypass, Filezilla etc.

 

--J.D.