Researchers reveal tricks for Cutwail's endurance
Posted on 25.06.2013
While some botherders have opted for the arguably much safer P2P architecture in order to assure their botnets' resilience, others are still clinging to the standard distributed C&C option.


Among the latter are the masters of the Cutwail / Pushdo botnet, one of the most long-lived ones around, and their decision must be working well for them as despite several past takedown attempts it is still going strong.

Of course, such a C&C architecture requires a set of tricks to be used so that suspicious network traffic to and from the zombie computers isn't easily detected, and Trend Micro researchers have shared some of them:
  • Combining C&C communication with normal traffic - the latest variants of the malware are made to send out numerous HTTP requests, and among them are those to the C&C servers - often multiple ones, and not necessarily all for fetching the configuration file, which can ultimately lead to small DDoS attacks
  • Wielding an encrypted list of 200 domains, but trying to contact only 20 randomly chosen ones at a specific time.
  • Using legitimate but compromised big and small domains as C&C servers, so that sending requests to them passes under the radar.
  • Using a domain generation algorithm (DGA) in order to rotate C&C servers and keep one or more steps ahead of the security industry.
"Pushdo in particular uses calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect to not only domains for a given day, but also all domains generated from days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains each day," the researchers pointed out, adding that this feature can be challenging for behavior and sandboxing analysis.

"Using sandboxing analysis without reverse engineering the malware and figuring its DGA may not be enough to block C&C communication, as the malware generates different domains for each day."
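The sliding window described above can be modelled to see why a blocklist copied from one sandbox run goes stale. The example below is added here and is not Trend Micro's or Pushdo's code: the DGA itself is a stand-in (SHA-256 of the date and an index, with a placeholder TLD), since the article does not give the real algorithm, but the window of 30 days back and 15 days ahead, 30 domains per day, follows the researchers' description.

```python
import hashlib
from datetime import date, timedelta

# Stand-in DGA: NOT Pushdo's real algorithm (the article does not give it).
# It only reproduces the property the article describes: a deterministic,
# calendar-date-seeded list of 30 domains per day.
DOMAINS_PER_DAY = 30
DAYS_BACK, DAYS_AHEAD = 30, 15
TLD = ".example"                  # placeholder TLD so nothing here resolves
EXAMPLE_DAY = date(2013, 6, 25)   # constructed sample run date (article date)


def stand_in_dga(day):
    """Return the 30 domains the stand-in DGA derives from one calendar date."""
    out = []
    for i in range(DOMAINS_PER_DAY):
        h = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        out.append(h[:12] + TLD)
    return out


def candidate_window(run_day):
    """Every domain the bot may contact on run_day: the lists for all days
    from 30 days earlier to 15 days later, as the researchers describe."""
    domains = set()
    for offset in range(-DAYS_BACK, DAYS_AHEAD + 1):
        domains.update(stand_in_dga(run_day + timedelta(days=offset)))
    return domains


def blocklist_drift(observed_day, days_later):
    """Compare a blocklist taken from a single sandbox run on observed_day
    with the bot's candidate set days_later later.
    Returns (domains still covered, domains the stale blocklist misses)."""
    seen = candidate_window(observed_day)
    now = candidate_window(observed_day + timedelta(days=days_later))
    return len(seen & now), len(now - seen)


if __name__ == "__main__":
    print(len(candidate_window(EXAMPLE_DAY)))      # 1380 candidates per day
    for k in (0, 1, 7, 46):
        covered, missed = blocklist_drift(EXAMPLE_DAY, k)
        print(f"{k:2d} days later: {covered} covered, {missed} missed")
```

Each day the window slides, 30 new domains appear that a list captured from yesterday's sandbox run does not contain; after 46 days none of the observed domains are still in play, which is why the researchers say the DGA must be reverse engineered and domains generated ahead of time.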

The days of file-signature detection are over, they say, and AV companies must use a number of alternative approaches to detection, such as sandboxes, deep analysis, reputation services, and more.