In a bad horror movie, the monster is often killed, only to emerge again with renewed dreadfulness. PushDo, a granddaddy of the malware world, is worse than the Frankenstein monster, Dracula, and the Wolfman rolled into one.
The security industry has tried to put a stake through the heart of this threat more than once. In fact, it has taken down PushDo at least four times in the past five years. Jeremy Demar, senior threat analyst at Damballa, told us that, though it is not a targeted threat, the malware is being used to spread the reach of the Cutwail botnet, one of the largest active spam botnets. Damballa estimates that more than half a million infections have occurred to date. In addition to sending out much of the pharmaceutical spam in circulation, Cutwail has been tied to spam that tricks users into downloading the Zeus banking Trojan.
Working together, security research teams at Damballa, Georgia Tech, and Dell SecureWorks have measured the impact of a new variant. In a dual-pronged strategy, PushDo now first tries a list of hard-coded command-and-control domains and, if none of them answers, falls back to a domain generation algorithm (DGA) that computes fresh candidate domains, giving it a back door to its servers even after the hard-coded ones are seized. Because the generated domains change over time, they are harder to block in advance, and they let the new variant reinfect machines that had carried earlier versions.
“The PushDo malware is primarily a downloader,” Brett Stone-Gross, a senior security researcher at Dell SecureWorks, told us. “What makes this variant interesting is that the cybercriminals have added measures to hide the packets and to make the exploit more resilient to takedown efforts.” By generating garbage traffic, for example, the malware makes it harder for researchers to tell which server is actually its command-and-control server.
The malware is designed to be difficult (if not impossible) to spot on the host. There is little that most organizations can do to avoid infection other than strictly adhering to basic best practices. Users must be trained not to click on unfamiliar links in emails or on websites. Antivirus software and browser plug-ins should be kept up to date and patched quickly. “Network detection is key,” Demar said. “The cybercriminals are constantly able to evolve and defeat what is on the host. When a user clicks on a link, they are agreeing to bypass their own security.”
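As an added illustration (not code from PushDo, nor from Damballa, Georgia Tech, or Dell SecureWorks), the Python below sketches both halves of the story above: a bot that tries a hard-coded command-and-control list and falls back to date-seeded generated domains, and the kind of network-side check Demar is pointing at, which looks for clients producing bursts of failed lookups for machine-looking names. The hard-coded domains, the date-seeded toy DGA, the `.example` names, and the resolver log lines are all constructed assumptions; PushDo's real algorithm and infrastructure are not described on this page.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Hypothetical hard-coded C2 list, constructed for this example (not PushDo's real domains).
HARDCODED_C2 = ["update-service.example", "cdn-sync.example"]


def toy_dga(day, count=5, tld="example"):
    """Toy date-seeded DGA (an assumption for illustration, not PushDo's algorithm).

    `day` is an ISO date string such as "2013-05-16". Each candidate label is
    12 lowercase letters taken from SHA-256(day || index), so the bot and the
    operator, both knowing the date, compute the same list without any contact.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(day.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{tld}")
    return domains


def resolve_c2(day, reachable):
    """Mimic the dual-pronged strategy: hard-coded domains first, DGA list as fallback.

    `reachable` stands in for the set of names that resolve and answer; a real
    bot would attempt a network connection to each candidate in turn.
    Returns (domain, source) where source is "hardcoded", "dga" or "none".
    """
    for domain in HARDCODED_C2:
        if domain in reachable:
            return domain, "hardcoded"
    for domain in toy_dga(day):
        if domain in reachable:
            return domain, "dga"
    return None, "none"


def shannon_entropy(text):
    """Shannon entropy of `text` in bits per character (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(qname, min_len=10, min_entropy=3.0):
    """Heuristic: a long, high-entropy leftmost label.

    On its own this also fires on CDN and hash-style hostnames, so the detector
    below only counts it together with an NXDOMAIN answer.
    """
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


# Constructed resolver log, one query per line: "<timestamp> <client> query <qname> <rcode>".
# Client 10.0.0.9 first tries a (taken-down) hard-coded name, then walks its DGA list.
SAMPLE_DNS_LOG = """\
2013-05-16T10:00:01 10.0.0.5 query www.google.com NOERROR
2013-05-16T10:00:02 10.0.0.5 query mail.example.org NOERROR
2013-05-16T10:00:03 10.0.0.9 query cdn-sync.example NXDOMAIN
2013-05-16T10:00:03 10.0.0.9 query qzkxwvbpjtrm.example NXDOMAIN
2013-05-16T10:00:04 10.0.0.9 query hdgtrqplmnwv.example NXDOMAIN
2013-05-16T10:00:04 10.0.0.9 query bvcxzlkjhgfd.example NXDOMAIN
2013-05-16T10:00:05 10.0.0.5 query cdn-static-assets.example NXDOMAIN
"""


def detect_dga_clients(log_text, threshold=3):
    """Return the clients with at least `threshold` NXDOMAIN answers for DGA-looking names.

    A bot walking a generated list produces a burst of failed lookups for names
    nobody registered; that burst, not any single name, is the network signal.
    """
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _op, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            failures[client] += 1
    return sorted(client for client, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    day = "2013-05-16"
    print("DGA candidates:", toy_dga(day))
    print("C2 chosen:", resolve_c2(day, {"update-service.example"}))
    print("Flagged clients:", detect_dga_clients(SAMPLE_DNS_LOG))
```

The entropy test alone is a weak signal (legitimate hostnames such as `update-service` score high), which is why the detector keys on the combination of a generated-looking label and a failed lookup, counted per client. In a real deployment you would add a time window, whitelist known CDN patterns, and correlate the flagged clients with proxy logs, since the DNS burst only tells you who to look at, not what was downloaded.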
When will the horror of this threat end? It won’t happen anytime soon, according to Demar. “As long as there is money in it, they will find a way to do it. You have to stop the criminals, and anything else is just slowing them down.” In stalking the PushDo malware, perhaps the industry has set its sights on the wrong monster. It might be time to get to the real fiends: the people behind the threat.
Hailey, PushDo and a handful of others really are the comeback kings of the malware world. It speaks to the exploit's design that it is still viable year after year, but as with any good piece of software, a little creativity is usually all you need to figure out a way to do something new with something old. The added complexity involved in using multiple pieces of spyware to achieve a hacker's goal is almost enviable, especially from a systems administration standpoint, where I work all day to get unique systems and programs to work together. It is a…
You touch on a key strategy there though, recruiting the criminals to work for the security authorities. Problem is, there’s probably more money in crime, and if you’ve gone so long without getting caught, you won’t stop until you are.
Not only are these people working against the system, they are borrowing business models and approaches from the legitimate folks. Malware as a service is commonplace now. Exploit kits are broadly available. That means that the pool of cybercriminals is expanding and the really nefarious types are one step further away from the reach of the authorities as they make their money enabling crime rather than committing it.