Botnet Masquerade Leads to Disruption at Small Websites

Cyber-criminals try to hide their communications in a deluge of traffic to other Web addresses, a tactic that overwhelms smaller sites.

A malicious program, designed by cyber-criminals to help them build their botnets, is causing disruption at hundreds of small Websites as the program attempts to hide its communications by sending out a large number of fake requests, said security firm Dell Secureworks Sept. 5.

The software, known as Pushdo, communicates with its command-and-control servers (central systems used by criminals to manage their compromised computers) and downloads other malware to construct a botnet. In this case, the downloader infects systems with Cutwail, a popular program for creating spam botnets. So far, the attack has infected more than 100,000 computers, and possibly hundreds of thousands, said Brett Stone-Gross, a security researcher with managed security provider Dell Secureworks.

The operation is fairly standard except that the attackers attempt to hide their communications by creating a gaggle of fake data, which they send to a few hundred legitimate Websites. Even a small number of requests can overwhelm such sites when it comes from hundreds of thousands of computers, he said.

"It's pretty intensive," Stone-Gross said. "It definitely generates on the order of a megabyte every few seconds."

While such traffic volume is far from the major denial-of-service attacks that are common today, the constant stream of data is enough to swamp a smaller Website's bandwidth allotment and make identifying the fake data more difficult.

The type of traffic generated by the Pushdo variant depends on a pseudo-random algorithm that creates POST and GET requests to either the site's home page or a randomly generated page. The actual command-and-control traffic goes back to servers in Russia and Kazakhstan, according to Dell Secureworks' analysis of the attack. The Cutwail botnet used a similar method to hide its communications by sending them as secure HTTP traffic.

"If the malware generates 300 HTTP requests and you are a malware analyst, you have to dig through the 300 requests to find the one that actually goes to the command-and-control server," Stone-Gross said.

The Websites are otherwise not related to the attack and not infected with malware, he said.

Web masters who see an increase in traffic to nonexistent addresses should filter out requests containing the unique string "xclzve_", which appears to be included in the traffic generated by the Pushdo botnet. An Internet search on the term turns up a number of discussions of the traffic dating back to the beginning of August.
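The filtering advice above can be turned into a quick triage script for an access log. The example below is added here and is not code from the article or from Dell Secureworks: it parses combined-format web server log lines, flags the requests whose path carries the "xclzve_" marker the article names, and summarizes them by source address, by method (the article describes a mix of GET and POST requests to the home page or to random pages), and by how many hit a nonexistent page. The log lines, addresses and paths are constructed for illustration.

```python
import re
from collections import Counter

# Indicator string the article attributes to the Pushdo decoy traffic.
PUSHDO_MARKER = "xclzve_"

# Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log (not from the article). The marker string is the
# one the article names; addresses, paths and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Sep/2013:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [05/Sep/2013:10:01:03 +0000] "POST /?xclzve_qf3a=1 HTTP/1.1" 200 5120
198.51.100.7 - - [05/Sep/2013:10:01:05 +0000] "GET /xclzve_7kd2.php HTTP/1.1" 404 312
198.51.100.7 - - [05/Sep/2013:10:01:06 +0000] "GET /about.html HTTP/1.1" 200 2048
192.0.2.44 - - [05/Sep/2013:10:01:07 +0000] "POST /xclzve_mm1 HTTP/1.1" 404 312
192.0.2.44 - - [05/Sep/2013:10:01:08 +0000] "GET /contact HTTP/1.1" 200 1800
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_decoy_request(path):
    """True when the requested path (including any query string) carries the marker."""
    return PUSHDO_MARKER in path


def analyze(log_text):
    """Summarize decoy traffic: how much, from where, by method, and how much hit 404."""
    total = 0
    by_ip = Counter()
    by_method = Counter()
    not_found = 0
    decoys = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        total += 1
        if not is_decoy_request(entry["path"]):
            continue
        decoys.append(entry)
        by_ip[entry["ip"]] += 1
        by_method[entry["method"]] += 1
        if entry["status"] == 404:
            not_found += 1
    return {
        "total": total,
        "decoy_requests": len(decoys),
        "by_ip": by_ip,
        "by_method": by_method,
        "not_found": not_found,
        "decoy_paths": [e["path"] for e in decoys],
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"{summary['decoy_requests']} of {summary['total']} requests carry {PUSHDO_MARKER!r}")
    print("by method:", dict(summary["by_method"]))
    print("by source:", dict(summary["by_ip"]))
    print("decoy requests that hit a nonexistent page:", summary["not_found"])
```

The marker string is only the indicator this particular variant leaves behind, so a filter keyed on it will stop working if the string changes. The more durable signal the article describes is the shape of the traffic: a steady trickle of GET and POST requests to the home page and to random, nonexistent paths arriving from a very large number of distinct sources, so a rise in 404s spread across many addresses is worth alerting on even when no marker is present.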

Internet users should keep their browsers and browser plug-ins updated, as much of the malware is spread through drive-by downloads, a technique in which users are sent a link to a Website that then attempts to infect visitors. Antivirus technology can help, although such host-based measures fail to catch many new threats.

Dell Secureworks "recommends that businesses continue to educate employees about the risks associated with clicking URLs, especially those contained in email, and to enforce policies to keep the software on systems up-to-date," the company said.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...