CRACKING PUSHDO AND HOW TO BUST THROUGH MOST CRYPTERS

Pushdo has historically (since 2008) had close ties to the Cutwail botnet, often acting as a dropper for it. The reader is reminded, however, that once malware executes on a system it can do almost anything its controller wants.
Code execution is code execution, regardless of whether the malware has previously been used for sending spam, generating traffic for DoS attacks, or exfiltrating stolen business secrets to a drop server operated by an advanced persistent threat actor during a nation-state sponsored cyber-espionage campaign.

Previous versions of Pushdo have used DNS smokescreens, URL path randomization, and DGA fallback techniques to obscure command and control (C2) communication. Recently, a new variant of the Pushdo implant surfaced that uses a new algorithm to generate domains. In an attempt to sever Pushdo communications for our customers, we reverse engineered the Pushdo sample, isolated the functionality that generates the domains, and reimplemented the algorithm's logic.

More here: http://labs.opendns.com/2014/07/31/pushdo-crypter/
