Researchers reveal tricks for Cutwail’s endurance
While some botherders have opted for the arguably much safer P2P architecture in order to ensure their botnets’ resilience, others are still clinging to the standard distributed C&C option.
Among the latter are the masters of the Cutwail / Pushdo botnet, one of the most long-lived ones around, and their decision must be working well for them, as it is still going strong despite several past takedown attempts.
Of course, such a C&C architecture requires a set of tricks to be used so that suspicious network traffic to and from the zombie computers isn’t easily detected, and Trend Micro researchers have shared some of them:
- Combining C&C communication with normal traffic – the latest variants of the malware are made to send out numerous HTTP requests, and among them are the requests to the C&C servers – often multiple ones, and not necessarily all of them for fetching the configuration file, which can ultimately add up to small DDoS attacks.
- Wielding an encrypted list of 200 domains, but trying to contact only 20 randomly chosen ones at a specific time.
- Using legitimate but compromised big and small domains as C&C servers, so that sending requests to them passes under the radar.
- Using a domain generation algorithm (DGA) in order to rotate C&C servers and stay one or more steps ahead of the security industry.
“Pushdo in particular uses the calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect to not only domains for a given day, but also all domains generated from days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains each day,” the researchers pointed out, adding that this feature can be challenging for behavior and sandboxing analysis.
“Using sandboxing analysis without reverse engineering the malware and figuring out its DGA may not be enough to block C&C communication, as the malware generates different domains for each day.”
The days of file-signature detection are over, they say, and AV companies must use a number of alternative approaches to detection, such as sandboxes, deep analysis, reputation services, and more.