The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey.
Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remains the same.
Another significant change has been made at the binary level: the new Pushdo binaries contain an encrypted overlay that acts as a run-time check. If the conditions specified in the overlay are not met, the sample does not run properly.
Bitdefender advises that a new DGA (Domain Generation Algorithm) is also currently in use. Although the main structure of the algorithm was preserved, the generated domain names look very different: only some constants and the lists of letters used to compute the domain name length and to choose the domain name characters have been updated.
“Yesterday, we managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days.”
Traffic towards the sinkholed domains originated from more than 11,000 unique IP addresses in a period of 24 hours. The most affected region seems to be Asia, with India and Vietnam topping the list of compromised hosts and accounting for around 10% of infections each. The USA accounts for another 5% of the total, while France, Italy and the Russian Federation have also been affected.