Pushdo Revolutions: Communication Encryption and Decoy Traffic
February 4, 2010 at 11:37 am
It’s been two months since we revealed the 3rd generation Pushdo/Cutwail/Webwail botnet communication protocol and encryption. Recently, while researching a new bot (GoolBot), we found another Pushdo-like piece of malware being spread with its help. After reversing it, it became clear that this was a brand new evolution of the infamous multi-malware loader, for two essential reasons:
- While it uses the 2nd generation Pushdo communication protocol (with minor variations), it encrypts its communications and routes them through the SSL port (443). Although this encryption looks like SSL at first sight (which would be consistent with the choice of port), it is actually NOT SSL.
- A routine generates some actual SSL traffic to a list of 339 known web sites (legitimate, for the most part), obviously to drown the bot-to-C&C communication in a sea of decoys.
The latter point explains why so many webmasters have been reporting SSL traffic (coming from many different IPs) well above normal these days. The good news for them is that the additional traffic is not malicious (application-wise, that is); the bad news is that it is not an increase in actual visitors either: it is just dummy data, generated from calls to the QueryPerformanceCounter API, sent by the latest Pushdo evolution.
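The post does not disclose the cipher, so the only generic check a network defender can apply to the first point is the one that matters here: does a flow on port 443 actually begin with an SSL/TLS handshake? The following is an added example (not code from the original post or from Fortinet); it validates the fixed fields of a TLS ClientHello record and applies the check to a small set of constructed flows, which use RFC 5737 documentation addresses rather than the C&C hosts listed below. The decoy connections to legitimate sites pass the check, so this only separates "real SSL" from "something else on 443"; it does not decrypt anything.

```python
import struct

# TLS record-layer and handshake constants (RFC 5246).
TLS_CONTENT_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
TLS_MAX_RECORD_LEN = 16384


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Return True if a flow's first client bytes form a plausible TLS ClientHello.

    Only the fixed fields are checked, which is enough to separate real SSL/TLS
    from a custom cipher that merely borrows port 443:
      - record header: type 0x16 (handshake), version 0x03 0x00..0x03, length 1..16384
      - handshake header: type 0x01 (ClientHello), 3-byte length == record length - 4
      - client_version: 0x03 0x00..0x03 (a TLS 1.3 ClientHello still carries 0x0303 here)
    """
    if len(first_bytes) < 11:
        return False
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", first_bytes[:5])
    if ctype != TLS_CONTENT_HANDSHAKE or rec_major != 0x03 or rec_minor > 0x03:
        return False
    if not 1 <= rec_len <= TLS_MAX_RECORD_LEN:
        return False
    hs_type = first_bytes[5]
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    if hs_type != TLS_HANDSHAKE_CLIENT_HELLO or hs_len != rec_len - 4:
        return False
    cli_major, cli_minor = first_bytes[9], first_bytes[10]
    return cli_major == 0x03 and cli_minor <= 0x03


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal, well-formed TLS 1.0 ClientHello record (constructed test input)."""
    assert len(client_random) == 32
    body = (
        b"\x03\x01"            # client_version: TLS 1.0
        + client_random        # 32-byte client random
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"          # one compression method: null
    )
    handshake = bytes([TLS_HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_CONTENT_HANDSHAKE]) + b"\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows: (destination, destination port, first bytes sent by the client).
# Hostnames and addresses are documentation placeholders, not the C&Cs from the post.
SAMPLE_FLOWS = [
    ("decoy-site.example", 443, build_client_hello(bytes(range(32)))),        # real TLS, like a decoy
    ("another-decoy.example", 443, build_client_hello(bytes(range(32, 64)))),  # real TLS, like a decoy
    ("198.51.100.7", 443, bytes.fromhex("8f1ac43b90e2d5714cbb0ae6137f55d9a0c2")),  # opaque blob on 443
    ("203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),     # plain HTTP, not in scope
]


def non_tls_on_443(flows):
    """Return destinations of port-443 flows whose first bytes are not a TLS ClientHello."""
    return [dst for dst, dport, first in flows
            if dport == 443 and not looks_like_tls_client_hello(first)]


if __name__ == "__main__":
    print("port 443 without a TLS handshake:", non_tls_on_443(SAMPLE_FLOWS))
```

In practice the first client-to-server bytes of each flow come from a capture or a flow-export field; the check is deliberately loose on everything after `client_version` so that extensions, SNI and TLS 1.3 hellos are not rejected.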
The memory snapshots below (from a Pushdo-infected machine) illustrate the former point about encryption.
Before encryption:
After encryption (same memory space), just before sending:

The response from the C&C server, encrypted in the same way, contains the rootkit and spam engine modules (the classic Pushdo process).
As an interesting side note, which we will come back to below, here is the list of those C&Cs:
75.126.159.19:443
94.75.233.173:443
94.75.233.174:443
94.75.233.171
94.75.233.172
89.149.254.213
89.149.244.141
89.149.244.23
aaa.oduvanchic.com
aaa.news2days.ru
antisgetout.cn
fire***eye.com
****briankrebs.com
This time, the author(s) was/were kind enough to leave the PDB file path in the binary:
“e:\Source\sloader_conc12np1\sloader_conc1\svcloader\Release\svcloader.pdb”
Historically, it has been common for malware authors to send messages hidden within their binaries, often as strings. There are, however, other ways. The last domain listed above, presumably registered by the author(s) of this Pushdo variant and used for C&C, is an obvious dig at Brian Krebs, author of Krebs on Security (previously of The Washington Post). Indeed, this is not the first time: we had a look at the variant referenced in this post (Harebot, detected by Fortinet as W32/Agent.LKU!tr), which was circulating around January 17th, 2010. That variant is in fact a dropper that drops the same updated 2nd generation Pushdo. These are the main points we observed with the variant seen around January 17th:
- No SSL traffic is sent: the 2nd generation traffic is still encrypted, but it is transmitted on port 80.
- The project path is slightly different (compare with the current path above): “e:\Source\sloader_conc1\svcloader\Release\svcloader.pdb”
- The same C&C domains are used.
This shows the development path the authors are taking with this new variation. In January, they had updated to the new encrypted protocol but had not yet included the SSL decoy traffic module. Now, in February, we see the SSL module emerge. Could this shed some light on the question “are all Pushdo evolutions from the same author(s)?”
-Kyle
Guillaume Lovet and Derek Manky contributed to this post.