Info on the Pushdo DGA

Our colleagues from Dell SecureWorks who never reply to our emails published a research paper about Pushdo and its domain generation algorithm (DGA). DGAs are implemented in malware to evade takedowns. Other malware families that feature DGAs include Conficker A/B/C, ZeuS Gameover, MultiBanker, Shiz, Bamital, Sinowal, ZeroAccess, TDSS and others.

This is the Pushdo DGA:

[Figure: Pushdo DGA]

Be aware that the old variant uses the TLD “.com”, while the new one uses “.kz”. It generates 30 domains a day; if no active C&C is found, it goes back up to 30 days and then forward up to 15 days, resulting in a total of 1,380 ‘possible’ domains on a single day.

Before it hits the DGA, however, it tries hard-coded C&Cs. The current one is lyuchta.org.

We have implemented the DGA and checked for active domains today (this is just an excerpt; the entire list is longer):

Date,Day Offset,Domain,IP,Owner
5/22/2013,0,wamanleasux.com,208.73.211.34,Parked/expired
5/22/2013,-1,ceisandir.com,208.73.211.34,Parked/expired
5/22/2013,-3,sicafjodokw.com,208.73.211.152,Parked/expired
5/22/2013,-5,tirmeafozvil.com,208.73.211.152,Parked/expired
5/22/2013,-6,winirqoqt.com,208.73.211.152,Parked/expired
5/22/2013,-7,woqhugpeav.com,208.73.211.152,Parked/expired
5/22/2013,-8,canxirpank.com,80.79.119.118,Criminals
5/22/2013,-9,cunirgugp.com,208.73.211.152,Parked/expired
5/22/2013,-10,heigoqqonu.com,208.73.211.152,Parked/expired
5/22/2013,-11,gafwozlozmuc.com,208.73.211.152,Parked/expired
5/22/2013,-12,waduxovosup.com,208.73.211.152,Parked/expired
5/22/2013,-14,hugdusupsu.com,208.73.211.152,Parked/expired
5/22/2013,-15,kiluxkoju.com,208.73.211.152,Parked/expired
5/22/2013,-16,foqusulih.com,208.73.211.152,Parked/expired
5/22/2013,-17,jocoqhotowi.com,208.73.211.152,Parked/expired
5/22/2013,-18,suxlukeatupw.com,208.73.211.152,Parked/expired
5/22/2013,-19,manjiseovatx.com,208.73.211.152,Parked/expired
5/22/2013,-20,goxoqvacanq.com,208.73.211.152,Parked/expired
5/22/2013,-21,jeagugkato.com,208.73.211.152,Parked/expired
5/22/2013,-22,lozjafupvabi.com,208.73.211.152,Parked/expired
5/22/2013,-23,puxjeofobaja.com,208.73.211.152,Parked/expired
5/22/2013,-24,xoklupeilu.com,208.73.211.152,Parked/expired
5/22/2013,-25,kamozsoca.com,208.73.211.152,Parked/expired
5/22/2013,-26,nafkasictirx.com,208.73.211.152,Parked/expired
5/22/2013,-27,tirhakokmuph.com,208.73.211.152,Parked/expired
5/22/2013,-28,batqeodiji.com,208.73.211.152,Parked/expired
5/22/2013,-29,huxmozmuriji.com,208.73.211.152,Parked/expired
5/22/2013,1,himoviwam.com,208.73.211.34,Parked/expired
5/22/2013,2,wanjozrilj.com,208.73.211.34,Parked/expired
5/22/2013,3,tirderirkeot.com,208.73.211.34,Parked/expired
5/22/2013,4,muqafdilf.com,208.73.211.34,Parked/expired

Going back in time, we can see our colleagues from Damballa / Dell SecureWorks / Georgia Tech and Anubis Networks running sinkholes:

Date,Day Offset,Domain,IP,Owner
4/1/2013,0,xokgopozca.com,208.73.211.152,Parked/expired
4/1/2013,-2,bozrokivoq.com,208.73.211.152,Parked/expired
4/1/2013,-8,huxmeorugjoz.com,198.199.69.31,Sinkhole by Georgia Institute of Technology
4/1/2013,-9,keidilrat.com,198.199.69.31,Sinkhole by Georgia Institute of Technology
4/1/2013,-27,linaqiwicro.com,195.22.26.231,Sinkhole by Anubis Networks
4/1/2013,-30,dilfanhats.com,143.215.130.33,Sinkhole by Georgia Institute of Technology
4/1/2013,1,qickugfivi.com,208.73.211.152,Parked/expired
4/1/2013,3,wodaheodo.com,208.73.211.152,Parked/expired
4/1/2013,4,quceifeiq.com,208.73.211.152,Parked/expired
4/1/2013,5,suhumoqdo.com,208.73.211.152,Parked/expired
4/1/2013,6,beibanqeaman.com,208.73.211.152,Parked/expired
4/1/2013,7,xukorokfe.com,208.73.211.152,Parked/expired
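The post gives the search window (today, then up to 30 days back, then up to 15 days forward, 30 domains per day) and two CSV tables of resolved candidates annotated with who owns the answering IP. The DGA itself is only shown as an image, so the code below does not reproduce it; instead it is an added example (not the authors' implementation) that does what a defender does with such output: it enumerates the day-offset window the bot walks through, recovers the generation date behind each row, and triages the resolved domains into sinkhole, parked and suspect buckets so only the last group ends up on a blocklist. The sample rows are copied from the two tables above; the bucket names and the `min_domains` threshold are my own choices.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters stated in the post: 30 domains per day; when no live C&C is found
# the bot walks back up to 30 days and then forward up to 15 days.
DOMAINS_PER_DAY = 30
DAYS_BACK = 30
DAYS_FORWARD = 15

# Rows copied from the two tables in the post (same CSV layout).
SAMPLE_CSV = """Date,Day Offset,Domain,IP,Owner
5/22/2013,0,wamanleasux.com,208.73.211.34,Parked/expired
5/22/2013,-1,ceisandir.com,208.73.211.34,Parked/expired
5/22/2013,-3,sicafjodokw.com,208.73.211.152,Parked/expired
5/22/2013,-8,canxirpank.com,80.79.119.118,Criminals
5/22/2013,1,himoviwam.com,208.73.211.34,Parked/expired
4/1/2013,-8,huxmeorugjoz.com,198.199.69.31,Sinkhole by Georgia Institute of Technology
4/1/2013,-27,linaqiwicro.com,195.22.26.231,Sinkhole by Anubis Networks
4/1/2013,-30,dilfanhats.com,143.215.130.33,Sinkhole by Georgia Institute of Technology
"""


def candidate_offsets(days_back=DAYS_BACK, days_forward=DAYS_FORWARD):
    """Day offsets in the order the post describes: today, then backwards, then forwards.
    This is also the order the 'Day Offset' column follows in the tables."""
    return [0] + [-d for d in range(1, days_back + 1)] + list(range(1, days_forward + 1))


def total_candidates(days_back=DAYS_BACK, days_forward=DAYS_FORWARD):
    """Upper bound on distinct domains one bot may query in a day (46 days x 30 = 1380)."""
    return len(candidate_offsets(days_back, days_forward)) * DOMAINS_PER_DAY


def generation_date(observed, offset):
    """Calendar day a row's domain was generated for, from the table's date and offset."""
    return datetime.strptime(observed, "%m/%d/%Y").date() + timedelta(days=int(offset))


def classify_owner(owner):
    """Map the free-text Owner column to a triage bucket (bucket names are mine)."""
    o = owner.strip().lower()
    if o.startswith("sinkhole"):
        return "sinkhole"   # researcher-controlled; useful telemetry, nothing to block
    if "parked" in o or "expired" in o:
        return "parked"     # registrar parking page, not attacker infrastructure
    return "suspect"        # anything else (e.g. "Criminals") merits a block or alert


def triage(csv_text):
    """Parse the post's CSV layout; return per-domain verdicts and an IP -> domains map."""
    verdicts = {}
    by_ip = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        verdicts[row["Domain"]] = classify_owner(row["Owner"])
        by_ip[row["IP"]].add(row["Domain"])
    return verdicts, dict(by_ip)


def blocklist(csv_text):
    """Only domains whose answering IP is neither a sinkhole nor a parking page."""
    verdicts, _ = triage(csv_text)
    return sorted(d for d, v in verdicts.items() if v == "suspect")


def parking_ips(csv_text, min_domains=3):
    """An IP answering for many unrelated candidate domains is parking or sinkhole
    infrastructure; the threshold is an assumption, tune it to your data."""
    _, by_ip = triage(csv_text)
    return sorted(ip for ip, doms in by_ip.items() if len(doms) >= min_domains)


if __name__ == "__main__":
    print("offsets tried:", candidate_offsets())
    print("max candidates per day:", total_candidates())
    for d in blocklist(SAMPLE_CSV):
        print("block:", d)
    print("bulk-answering IPs:", parking_ips(SAMPLE_CSV))
```

Feeding the full CSV from the post into `blocklist()` yields the single `Criminals` row, while `parking_ips()` surfaces 208.73.211.x as the registrar parking range that answers for nearly every unregistered candidate; the sinkhole rows are kept visible in `triage()` so they can be counted but never blocked.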

Update: In an earlier version we stated that the DGA generates a lot of collisions. This is not the case.