In our recent little ditty on Network-based Threat Intelligence, we mentioned how resilience has become a major focus for command and control (C&C) networks. The Pushdo botnet’s recent rise from the ashes (for the fourth time!) illustrates this perfectly.
Four times since 2008, authorities and technology companies have taken the prolific Pushdo malware and the associated Cutwail spam botnet offline. Yet much like the Energizer Bunny, it keeps coming back for more.
It seems the addition of a DGA (domain generation algorithm) makes the malware far more effective at finding C&C nodes, even after the main set of controllers is taken down.
The added DGA capability enables Pushdo, which can also be used to drop any other malware, to further conceal its C&C infrastructure. The malware has two hard-coded command and control domains; only if it cannot reach either of them does it fall back on the DGA, generating candidate domains and trying those instead.
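To make that fallback order concrete, here is an added example written for this post. It is not Pushdo's code, nor anyone's analysis of it: the DGA itself (a SHA-256 chain keyed on a seed, the date and an index), the seed value, the placeholder domain names under the reserved `.example` TLD, and the takedown timeline are all hypothetical. It shows the bot's side (try the hard-coded domains, then the day's generated list) and the defender's side (once the algorithm and seed are recovered from a sample, pre-compute the candidate list and sinkhole it ahead of the bot).

```python
import datetime
import hashlib
from typing import Callable, Optional, Tuple

# Constructed placeholder names for this example; not real Pushdo infrastructure.
HARDCODED_C2 = ("c2-primary.example", "c2-backup.example")
TLD = ".example"  # reserved TLD, so nothing here resolves on the public internet
EXAMPLE_DAY = datetime.date(2013, 5, 20)  # arbitrary date for the walkthrough


def dga(day: datetime.date, count: int = 8, seed: int = 0x5EED) -> list:
    """Hypothetical date-seeded DGA (not Pushdo's real algorithm).

    Each candidate is derived from SHA-256 over (seed, date, index), so bot and
    operator compute the same list for a given day without ever communicating.
    The seed stands in for a constant baked into the binary.
    """
    candidates = []
    for index in range(count):
        material = f"{seed}|{day.isoformat()}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first 12 digest bytes onto lowercase letters to form the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        candidates.append(label + TLD)
    return candidates


def select_c2(day: datetime.date, reachable: Callable[[str], bool],
              count: int = 8) -> Optional[Tuple[str, str]]:
    """Mimic the bot's fallback order described in the post.

    Hard-coded domains are tried first; the DGA list is consulted only when
    none of them answers. Returns (domain, source) or None if nothing answers.
    """
    for domain in HARDCODED_C2:
        if reachable(domain):
            return domain, "hardcoded"
    for domain in dga(day, count):
        if reachable(domain):
            return domain, "dga"
    return None


def precompute_candidates(start: datetime.date, days: int, count: int = 8) -> dict:
    """Defender side: with the algorithm and seed recovered from a sample,
    enumerate every candidate for the next `days` days so they can be
    sinkholed or blocked before the bot ever generates them."""
    return {
        start + datetime.timedelta(days=n): dga(start + datetime.timedelta(days=n), count)
        for n in range(days)
    }


def simulate_takedown(day: datetime.date):
    """Walk one day through three states: normal operation, after the
    hard-coded domains are seized, and after the DGA list is sinkholed too."""
    live = set(HARDCODED_C2)  # initially the hard-coded servers answer
    before = select_c2(day, lambda d: d in live)

    # Takedown seizes the hard-coded domains; the operator registers one of
    # today's DGA candidates instead, and the bot finds it on its own.
    live = {dga(day)[3]}
    after_seizure = select_c2(day, lambda d: d in live)

    # Defenders sinkhole the whole pre-computed list for today, so the
    # operator-registered name no longer reaches the operator either.
    sinkholed = set(precompute_candidates(day, 1)[day])
    live = live - sinkholed
    after_sinkhole = select_c2(day, lambda d: d in live)
    return before, after_seizure, after_sinkhole


if __name__ == "__main__":
    print(simulate_takedown(EXAMPLE_DAY))
```

The walkthrough is the point: seizing the two hard-coded domains alone changes nothing, because the bot simply moves on to the generated list, and the operator only needs to register one of those names to regain control. The defender gets ahead of that only by recovering the algorithm and seed and sinkholing the candidates in bulk, which is exactly the step a takedown of the hard-coded infrastructure does not include.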
This kind of resiliency is bad news for the folks trying to cut the head off the snake. But we have seen this movie before. It reminds us of music pirates shifting from Napster’s central (vulnerable) store of stolen music to today’s distributed networks of P2P clients/servers, which have so far proven impossible to eliminate.
Disrupting C&C operations is a good thing. But it is not a solution, and that is the fundamental problem with the malware we deal with today. As we mentioned in the Network-based Malware Detection 2.0 post yesterday, you may reach the point where you are forced to accept that endpoints cannot be trusted. And you will need to be okay with that.