Bitdefender has discovered a new, deadlier variant of the Pushdo Trojan, and deadly it is: it infected and compromised more than 11,000 computer systems across the world within 24 hours of its release. Most of the infections have taken place in India, but machines in the UK, US and France have also been compromised by the Pushdo Trojan.
Bitdefender identified the number of infected computers via a sinkhole domain which it believes is connected to the botnet's command and control server. Other than India, networks in Turkey and Vietnam have also been heavily infected with this variant. In the UK, Bitdefender says, 77 machines have been infected in the past 24 hours. Traffic to these seized sinkhole domains came from 11,000 unique IP addresses over a 24-hour period. These pings (packets) are infected hosts connecting to their mother server (the C&C) for instructions.
As said above, Asia is the most heavily infected and compromised region, with India and Vietnam topping the list of compromised hosts. Asia accounts for 10 percent of the 11,000 infections in 24 hours, while the United States accounts for another 5 percent.
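The infection count above comes from a sinkhole: once a C&C domain is seized and pointed at a server the defenders control, every check-in from a bot lands in that server's log, and counting distinct source addresses over a fixed window gives a lower-bound estimate of the botnet's size and geography. The following is an added illustration of that measurement, not Bitdefender's code and not real Pushdo data; the log format, timestamps, addresses and country codes are all constructed for the example.

```python
"""Count distinct infected hosts seen by a sinkhole in a 24-hour window.

Added illustration of the sinkhole measurement described in the article
(not Bitdefender's code). Log format and every value below are constructed.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sinkhole access-log excerpt, one bot check-in per line:
# "<UTC timestamp> <source IP> <ISO country code> <request>"
# Repeated lines from the same IP are the same host asking for orders again.
SAMPLE_LOG = """\
2013-08-19T10:00:01Z 203.0.113.10 IN GET /index.php
2013-08-19T10:00:05Z 203.0.113.10 IN GET /index.php
2013-08-19T10:01:17Z 198.51.100.7 US GET /index.php
2013-08-19T11:30:00Z 192.0.2.44 GB GET /index.php
2013-08-19T12:00:00Z 203.0.113.11 IN GET /index.php
2013-08-19T12:00:00Z 203.0.113.11 IN GET /index.php
2013-08-20T09:59:59Z 198.51.100.8 VN GET /index.php
2013-08-20T10:00:02Z 192.0.2.45 TR GET /index.php
not a log line
"""

# Constructed window start for the sample above.
SAMPLE_WINDOW_START = datetime(2013, 8, 19, 10, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, ip, country) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = str(ipaddress.ip_address(parts[1]))  # validates and normalises the address
    except ValueError:
        return None  # malformed timestamp or address: skip it rather than crash
    return ts, ip, parts[2].upper()


def count_unique_sources(log_text, window_start, window_hours=24):
    """Distinct source IPs checking in during [window_start, window_start + window_hours).

    Each IP is counted once; its country is taken from its first check-in.
    Returns {"unique_ips": int, "by_country": {code: count}}.
    """
    window_end = window_start + timedelta(hours=window_hours)
    first_country = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, country = rec
        if window_start <= ts < window_end and ip not in first_country:
            first_country[ip] = country
    return {
        "unique_ips": len(first_country),
        "by_country": dict(Counter(first_country.values())),
    }


def region_share(summary, countries):
    """Percentage of unique IPs whose country code is in `countries`, rounded to 0.1."""
    total = summary["unique_ips"]
    if total == 0:
        return 0.0
    hits = sum(summary["by_country"].get(c, 0) for c in countries)
    return round(100.0 * hits / total, 1)


def summarize_sample():
    """Run the measurement over the constructed sample log."""
    return count_unique_sources(SAMPLE_LOG, SAMPLE_WINDOW_START)


if __name__ == "__main__":
    s = summarize_sample()
    print(f"{s['unique_ips']} unique hosts in 24h; by country: {s['by_country']}")
    print(f"India + Vietnam share: {region_share(s, {'IN', 'VN'})}%")
```

Two caveats a practitioner would keep in mind when reading such a count: one public IP can hide many infected machines behind NAT, and one machine on a dynamic address can appear as several IPs over a day, so "unique IPs in 24 hours" is an estimate of hosts rather than a census. The window end is exclusive and malformed lines are skipped, so the count is reproducible across re-runs of the same log.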
“We managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet,” states Catalin Cosoi, chief security strategist at Bitdefender.
“The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days.”
The Pushdo Trojan is a deadly infection because of the payload it delivers. It is known to distribute the banking malware Zeus as well as SpyEye as payloads on infected systems, but its primary objective is spamming: Pushdo uses a component called Cutwail, frequently installed on compromised PCs, to send spam. Pushdo has proved very resilient, even by its own standards. Authorities have taken down four Pushdo command and control servers, yet a new variant with a new mother C&C springs up time and again. And every time a new variant arises, the public and private keys used to protect the communication between the bots and the C&C servers are changed to avoid detection by security firms, but the communication protocol remains the same.