{"id":413,"date":"2013-05-15T00:00:00","date_gmt":"2013-05-15T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/05\/15\/malware-behind-oldest-most-active-spam-botnet-gets-refresh\/"},"modified":"2021-12-30T11:37:16","modified_gmt":"2021-12-30T11:37:16","slug":"malware-behind-oldest-most-active-spam-botnet-gets-refresh","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/05\/15\/malware-behind-oldest-most-active-spam-botnet-gets-refresh\/","title":{"rendered":"Malware Behind Oldest, Most Active Spam Botnet Gets Refresh"},"content":{"rendered":"<p>One of the largest and most notorious spam botnets, known for sending out millions of spam messages every day, has gotten a new communications mechanism that makes it more resilient to takedowns, according to security researchers&#8217; analysis. A team of security experts from Dell (NSDQ:Dell) SecureWorks, Damballa Labs and the Georgia Institute of Technology has discovered a new domain name generation algorithm that is part of the Pushdo malware&#8217;s back-up command-and-control mechanism. The report, issued by Damballa and Dell SecureWorks, found the malware associated with Pushdo can evade both intrusion detection and prevention systems as well as most antimalware technologies by mimicking legitimate connection attempts to benign websites to confuse signature-based systems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;This latest version has a fall-back C&amp;C mechanism that is based upon a domain name generation algorithm (DGA),&#8221; wrote Manos Antonakakis, Damballa&#8217;s Chief Scientist and lead researcher on the report, issued Wednesday. &#8220;If the malware cannot successfully resolve any of the domains that are hard coded into it, it will start using the DGA in an effort to connect to the currently active DGA C&amp;C.&#8221;<\/p>\n<p>Researchers at anti-botnet vendor Damballa Labs performed malware analysis on the new Pushdo variant and monitored several of the domains generated by the new domain algorithm to measure the scope of the new threat.<\/p>\n<p>The latest domain generation algorithm technique is a backup, only used if the malware on an infected machine fails to connect with the primary command-and-control server.<\/p>\n<p>&#8220;This is a very smart way to defeat generic network signature and sandboxing systems that simply block the network communication observed during the dynamic analysis of the malicious binary,&#8221; the researchers said.<\/p>\n<p>Link: <a href=\"http:\/\/www.crn.com\/news\/security\/240154963\/malware-behind-oldest-most-active-spam-botnet-gets-refresh.htm\">http:\/\/www.crn.com\/news\/security\/240154963\/malware-behind-oldest-most-active-spam-botnet-gets-refresh.htm<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-413","post","type-post","status-publish","format-standard","hentry","category-malware"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=413"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/413\/revisions"}],"predecessor-version":[{"id":2900,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/413\/revisions\/2900"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
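The fall-back order the post quotes (try every hard-coded domain, switch to the DGA only when none resolves) and the reason it defeats "block what the sandbox saw" defenses, as an added simulation that is not part of the original post and not code from the Damballa/Dell SecureWorks report. The DGA here is a hypothetical date-seeded SHA-256 stand-in, not Pushdo's algorithm; the hard-coded names, the seed and the sandbox resolver are constructed for the example.

```python
import datetime
import hashlib

# Constructed sample data for the simulation. The names are placeholders under the
# reserved .example TLD, not real Pushdo infrastructure.
HARDCODED_C2 = ["c2-primary.example", "c2-backup.example"]
TLDS = ["com", "net", "org"]
SEED = b"illustrative-seed"  # assumed constant; a real DGA's seed is whatever the binary carries
DEMO_DAY = datetime.date(2013, 5, 15)  # the report's publication date, used as the sample day


def dga_domains(day, count=10):
    """Hypothetical date-seeded DGA (not Pushdo's): label = first 12 hex chars of
    SHA-256(seed || ISO date || index); the TLD rotates through TLDS."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        domains.append("%s.%s" % (digest[:12], TLDS[i % len(TLDS)]))
    return domains


def choose_c2(resolves, day, count=10):
    """Bot-side selection mirroring the fall-back order the report describes: every
    hard-coded domain is tried first; only when none resolves does the DGA list come
    into play. `resolves` is a callable domain -> bool standing in for DNS."""
    for domain in HARDCODED_C2:
        if resolves(domain):
            return domain, "hardcoded"
    for domain in dga_domains(day, count):
        if resolves(domain):
            return domain, "dga"
    return None, "none"


def sandbox_run(day, blocked):
    """Simulate one dynamic-analysis run: DNS answers for everything except names in
    `blocked`, and the sandbox records every lookup the bot makes."""
    observed = []

    def resolves(domain):
        observed.append(domain)
        return domain not in blocked

    choose_c2(resolves, day)
    return observed


def sinkhole_list(start, days, count=10):
    """Defender side: once the algorithm is reverse engineered, enumerate every DGA
    domain for a window of days so they can be pre-registered or blocked."""
    names = set()
    for offset in range(days):
        names.update(dga_domains(start + datetime.timedelta(days=offset), count))
    return names


if __name__ == "__main__":
    # Run 1: nothing blocked. The sandbox sees only the first hard-coded name, so a
    # signature derived from this run covers just that name.
    first = sandbox_run(DEMO_DAY, set())
    print("run 1 observed:", first)
    # Run 2: block both hard-coded names. The bot falls back to the DGA and reaches a
    # domain the first run never revealed, so the run-1 signature is already stale.
    second = sandbox_run(DEMO_DAY, set(HARDCODED_C2))
    print("run 2 observed:", second)
    # The durable answer is to enumerate the algorithm's output ahead of time.
    window = sinkhole_list(DEMO_DAY, 7)
    print("DGA domains to sinkhole over 7 days:", len(window))
    print("run 2 fallback domain covered by sinkhole list:", second[-1] in window)
```

The point the two runs make is the one the researchers describe: a sandbox that only records the traffic of a single execution never sees the DGA names, because the fall-back path is not exercised while the hard-coded domains still resolve. A blocklist built from that run therefore misses the real resilience mechanism; only reversing the algorithm and precomputing its output (the `sinkhole_list` step) covers the domains the bot will use after its primary infrastructure is taken down.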