Trend Micro experts have analyzed the latest Cutwail variants

Jun 25, 2013 08:01 GMT

The Cutwail spamming botnet, also known as Pushdo, has been around for quite some time. The botnet has been taken down several times in the past, but it keeps coming back with new tricks.

According to Trend Micro researchers, the botnet’s creators have implemented several techniques to make sure their creation’s command and control (C&C) communications evade security solutions.

First of all, to make the malicious traffic inconspicuous, Cutwail variants send out numerous HTTP requests. However, only a few of these requests are made to the real C&C server, the rest being designed to act as a distraction.

The malware sample analyzed by Trend Micro holds an encrypted list of 200 domains, including ones of large companies and educational institutions, but also some shady websites. Each time, the malware selects only 20 of these domains at random.

Although this is not the malware's purpose, the requests sent to these websites consume a lot of bandwidth, effectively launching distributed denial-of-service (DDoS) attacks against them.

This C&C communication technique also helps the malware evade automated sandbox systems: a blacklist built from everything the sample contacts would sweep in the legitimate decoy domains alongside the real C&C server.

“Before adding a server into the C&C blacklist, a system needs to check the whitelist first. If the whitelist is not good enough, there may be some false positives that inadvertently make legitimate websites inaccessible to users,” Trend Micro Threat Researcher Spencer Hsieh noted in a blog post.

Another interesting feature integrated into Cutwail is the domain generation algorithm (DGA), which makes the botnet more difficult to disrupt.

“Pushdo in particular uses calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect to not only domains for a given day, but also all domains generated from days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains each day,” Hsieh wrote.

“This DGA feature can be challenging for behavior and sandboxing analysis. Using sandboxing analysis without reverse engineering the malware and figuring out its DGA may not be enough to block C&C communication, as the malware generates different domains for each day.”
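To make the window arithmetic in Hsieh's description concrete, here is an added Python model, not Trend Micro's code and not Pushdo's real DGA (which the post does not disclose); the hash-based generator and the `.example` domains are placeholders. It computes how many candidate domains the bot tries on a given day and how quickly a blocklist built from a single sandbox run goes stale.

```python
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 30   # "generates 30 domains for each day"
DAYS_BACK = 30         # "days between 30 days earlier ..."
DAYS_FORWARD = 15      # "... and 15 days later"


def dga_for_day(day, count=DOMAINS_PER_DAY):
    """Hypothetical date-seeded DGA (placeholder, NOT Pushdo's algorithm):
    derive `count` distinct domains from the calendar date alone."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).hexdigest()
        domains.append(f"{digest[:12]}.example")
    return domains


def candidate_set(today_iso):
    """Every domain the bot may try on the given ISO date: 30 domains for
    each day from 30 days earlier to 15 days later (46 days in total)."""
    today = date.fromisoformat(today_iso)
    result = set()
    for offset in range(-DAYS_BACK, DAYS_FORWARD + 1):
        result.update(dga_for_day(today + timedelta(days=offset)))
    return result


def blocklist_coverage(observed_iso, days_later):
    """Fraction of the domains the bot will try `days_later` days after a
    sandbox run that is still covered by a blocklist built from that run.
    The blocklist loses 30 domains of relevance per day and is useless
    once the 46-day window has slid past it."""
    observed = candidate_set(observed_iso)
    later = date.fromisoformat(observed_iso) + timedelta(days=days_later)
    target = candidate_set(later.isoformat())
    return len(observed & target) / len(target)


if __name__ == "__main__":
    day = "2013-06-25"  # constructed sample date (the article's date)
    print(len(candidate_set(day)), "candidate domains on", day)
    for k in (0, 1, 7, 30, 46):
        print(f"coverage after {k:2d} days: {blocklist_coverage(day, k):.3f}")
```

The numbers show why the post recommends recovering the DGA itself: a one-off sandbox blocklist covers all 1380 candidates on the day it is made, drops by 30 domains each day, and covers nothing after 46 days.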