Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Inside a Modern Malware Distribution System



 By: Ryan Naraine
2007-12-21
Article Rating:starstarstarstarstar / 9


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Analysis of the Pushdo Trojan provides a glimpse of the tracking and hiding techniques used by online criminals.

SecureWorks anti-malware guru Joe Stewart is not one to be intimidated by advances in online crime activity.

But, when he reversed the backend code associated with the Pushdo Trojan downloader, he discovered a modern malware distribution system fitted with complex tracking mechanisms and hiding techniques—another clear sign that virus fighters are up against a clever and sophisticated enemy.

Stewart, a veteran reverse-engineer who spends the majority of his time breaking apart malware samples, said the control server that powers Pushdo is preloaded with about 421 different malware executables—waiting to be delivered to infected Windows machines.

The malware itself uses electronic greeting card lures—spammed to e-mail inboxes—to trick Windows users into launching the executable.

Once the Trojan is executed, Pushdo immediately reports back to an IP address embedded in the code and connects to a server that pretends to be an Apache Web server and listens on TCP port 80.

"We've seen examples of sophisticated Trojan downloaders but this is the first time I've gotten into the backend controller to see the level of tracking it's doing," Stewart said in an interview with eWEEK. "This one does a lot of high-level reconnaissance, making sure it hits the right targets," he said.

For starters, the Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes to allow the malware distributor to limit one of the malware loads from infecting users located in a particular country. This also provides to target a specific country or countries with a specific payload, Stewart said.

Resource Library:
Every victim is tracked meticulously. Stewart found that Pushdo logs the IP address of the infected machine, whether or not it was an administrator account on the machine.

It also goes a step further, logging the victim's primary hard drive serial number, tracking whether the file system is NTFS, the number of times the victim system has launched a Pushdo variant, and the Windows OS version that executed the malware.

Stewart was baffled by the need to track the hard drive serial number but suggests this is being done to provide a unique ID for the infected system and to figure out if a VM (virtual machine) is being used to analyze the malware. This is significant, Stewart said, because anti-virus providers use VM to pick apart malware files in controlled environments.

"They already have VM detection in malware files but, now that it's in the downloader, the malware author can do the detection upfront and completely avoid anti-virus detection," he said. "This could be a way for the malware author to spy on anti-virus companies using automated tools to monitor the malware download points," he explained in a detailed technical analysis of the Pushdo controller.

Click here to read more about how the latest Trojans are using RSS feeds to communicate.

Stewart also found what he calls an "anti-anti-malware function" in Pushdo. The Trojan downloader looks at the names of all running processes and compares them to a pre-loaded list of anti-virus and personal firewall process names. "My hunch is they're just tracking which firewalls are easier targets, figuring out which ones they need to do more work on," he added.

Unlike other virus samples that attempt to kill anti-virus software processes, Pushdo merely reports back to the controller which ones are running, "a type of reconnaissance" that helps to determine which anti-virus engines or firewalls are preventing the malware from running or phoning home. "This way the Pushdo author doesn't have to maintain a test environment for each anti-virus or firewall product," he added.

The last time Stewart peeked at the controller, he found more than malware samples—all with rootkit characteristics that help maintain a stealthy presence of the infected computer. He also found evidence of a spam botnet that can be used to deliver massive amounts of unwanted e-mail advertisements, or to launch debilitating distributed DoS (denial-of-service) attacks on businesses.

"We're dealing with an entire malware ecosystem," Stewart declared. "It's really interesting how the [malware] business is now compartmentalized. Distribution of downloaders is handled by one set of guys, who get paid for that. Then, there are the botnet guys who rent out their services. Then, we have the spam guys using those botnets to blast out e-mails."

Stewart also stumbled upon another interesting fact—multiple malware families being distributed using the Pushdo system. This, he reckons, is a sign that the author is also willing to take payments from other malware authors in return for use of his distribution channel.

"[These] arrangements are becoming more and more common, as participants in the malware economy seek out niches in which to provide services in the underground marketplace," he said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's Security Watch blog.



  Reader Comments: Inside a Modern Malware Distribution System
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks8q8c"#dK-ě[HH"$e[wro7%?2sTlFwh4~ 'I"f\8ܢdC3齿O$mL9PKϠ^#WZj:@a5˜؍Nz&q@^sFwD%x_@jO D.Rs2 j99&ԗ7'x2 X 8z@'Ajwm(CJp$Z=$? w,8"a}c$aL4 H؎MEn] ؾtisqHf*j'l,R"ۆ@ظ?0}$ꎧc"S9P5#o8sto6 dݺ=Rr bTJ#x>oچs[=0q*sܼ_煊B=ʑGA GfmGh[Nv^ԢZ\}G9G$HcA~Nw& LT-JR,͒L0hէ6 :Ygn_ yd[nEKHOr ])21,R#w;ǃln\:W~ :'g)wfٚY JdTY3LUi{i;'>g:Qڟm3Hklxmķx0|kh2`;;RVKJ=2OULxy$Y)r{&8\Cf&j ͒eB_;D\KG)H7#ǚ MтmdƩ$|S;GkoXRy۬) rƒ 4Ks;nZK0[#RFp\ Дa#Xذ 1"%̛ިҁ6)`I˪ TY&嗋mQq>].Q#w{̈_"ʥgc^IclFsY -j\Bt9Q] +\M޲G=-px=ivZOם6_.=t[:0*>c]g%",QqsuTStTzl:} 5KX+WL F̶-a[e)u5}x?fC 6aͨ6s|ix>:ACڴb{\gfS4!Ehqpy4ڭ-%_ >< FNj$ >6(Zt 0Iscм`yna23f#] I#ˋ0P 2/?Ch9N@tmS(}9\P lmN3-mdZ`1 5:%6tN\KQ m{bA2 EEKy3@ $h5az/mb$w$]KI+\fD8nOu$;gڹLX.QY,p[/ ͙JRdYu Q="`&Qea*0pRx5Qn-`oJ#UWj& MX,ՙxnZi &𝀴50OiH\U}ɲMg0sO<sy h? OuG VV̚s=R.ƃ5‚L;ilS@sfڰ`DWjm>!4ÃiА4XԹǦ Yu-yA\#ouKf{aMq"Wn6Pz4fs)wdm˴oC7UBgsNPB/W2 \_&AB5 6d:ɤPl';oW f4ݤ|r:#wTBWR518 FLqG)'SgFFJ V zh'ѫ>Ug HlTo-V,~ыpz1(+úZJx Hod m_eƠemLGy+-m" IPצ(5ò =2P" Cx Ez҆CTCF 9m _*P?ZY-xK[ʸASAݐ`AELl5KW)թw@4="/H{Lmπ|P9gs?棄YTpܩ4hS*ma3)T$0Sӹbp=z˸>q,?XĞ-\FCZ\Sa.I-ip.jd>t'L[!BdD+ه0`M EDN{6R^)#0iTWʅĤ_$I?րH{A2,exY΁5mIr 'jY$ Ei.20y$pS7Ϗ9(gdW%d)>'HZ+k՘P+Rj~~1edԌR8tc}ywA~M2/~)ԇL}6݁ /r-,|rqZEL[O`cQ av5 1;?Ur9IdpI6SJ07G+GS%'=ibGHom]r@ XQV0qs;OM*?RLg%:!pwCTEeԻ5ubH:G:0ݛ,()yഩ^.iYOS)%V$tu| `_ nM==WK$*Xj} ZQa߯ybo^ څHBGdD#`Pv*7'wTk6h)7YS!RW dĞee[3edjC鳨?/$*RQv+ր ki+TTV ?3pa-X,Ԕʑ3H)k(G܉?^nȵ: fI8@|)@U%UHU,UU\Hz,`we]T1n?cVPVW`Zd&s\%\{si0o)Q󩋗J3["X.DД7Ϩ3Rb  kQh-Bwyr`0W4$NcVqDMc?րh)k03?0RiʊZ+ujMRԞE'sL؞EA(zߏCWuRԣ{{C4}3݀,L)q31ȔɹT)j b[-W+c"a@qC` HR{PD( ,E~W9ـo9 |R)T*GrF2R@BRF$d1~m48nTMF" z׏5CuWΰ;n()/v3 U/Vs>V\z$* ON3dn,*~)ޚ( Bf/3ۿ|CCjΎx,P( 5 kNG֗vZgp=" BB R`2"(BShDOg49]8S%jw EW%'k'{-$:}mN1ўW` e܃ɢ.׌Vrh'I ׉ NAn|9p_<#慰sz en1~8JP -M>wSo4 jGYkNEm1O[bt1B R"05-F]ծkĖ39Z)N yuxȠ#%tBUݰ#q= vϓ{~\[ܵ𣉣S99Xa8: ˳0q1~<,?4fieo@Z5i]~&_ |3$?[С;#|$~>xFM{uS棏G ڝ9k3rİEl1hKx?OKoؽҶ28 0^l"4P$yEQjʶFV $]Bn/:Ld ,Fsd3tT?#ze16R3-4|GPY>]f+wP;_zÞ6YiYu/K\ -"Pn'Z^|>W%0.5[4 2UCnMk#Ǭ§u,'iƿB•Wc+YT=9bqlh`jox?F'sgfdQ%3R˿DI#/zbO/^`JIx>|4|Xk7Uzt*gq)zd3i7MS I3m>iSx${ 0_zJ]Cd(΀[,SfMbg 0uT8UIV&^)?LPÏ ,̨3^8c&5 y(w!NM^>8VH!9p=zgQvX?w:iU_p)̬ 5%GZƛ2Od,IlvA%"R17biܒKQ grEj"Y6$cDHnL#o HP"Xa7ab)v~7m>^0d a64; RRtI>&A "BwH B_^8*`7wU%ETe[63@u٥&R˸3aݺd"T5|uTf((@I3Uم] @-y Ox jXJe?zOV+ 됿gggg{R.gc}^Zܞ3GD 0tLo5% Ֆ^wHJ0GD&sB ybSv *noa-jL(A琥d~NɿTe=sϘ8rAw%sF)%NxUXIC%!T b 'D0 L1_^Hњti>-"_J6/ɰ ;\:^ !6`/}EؚSPpx??fg[x [#M$JE:yn ߧ8m2MB@ M=#A:`~n]&Al,ʩAh8Y,Dh-Dr4TZTEGcW,1<,:L1a3s! !룻!|{<}ߣno5_`KJYppyi9v,:,LՎ1p mp1tm HCK93H#N[g7w}}5` F ӱR-CBKD]m9fF ŷYe>'&ܦ6q>%Õ iw4鎕a+›W^&^Fbh皏Vy}w# ,pGO_RjSo 1Fs8/Eeō^0gIx:u8F'uICsuoϱZVjkɑ;vIKկzf` YrշDR| ǿ Gon|_d,n{qT2a y/Lyl46T2]^iIɽ=/G P|F0-c sF(wW#~\UQ7f={tѕioJY*1VC|_~߉|mg:@c ~P2ofph6_fHlH$8&wQqD3`{ $Xy"I,+ɻ0cЃ%>?w}̆g;4ɏ?|Eѫx/^x ^[,_UkYrw2О$/Mw qL[\bVd=-T?^<=G!nݼ@ aLgG _Gx~{涬c18{7~Z;(X67g+h!sOk'`Έ[?1aN2`) 0.xGD)LG4;AS\0['m|?z#oŮ?'G&S,,1. ׏{ѵ.'s^~ j~dؕŠ=B 0~CX^qS3&e6Fce\[SS]Zï[Ԓ#rd! `BXDŇ!ނ KIbe3)4kaİ>F F(dѴ{B.݀cbB]Y/%Dj/VN+r+ȈZ~j\!1cTA9-Qj5%ݳRUBI?ˏ|^c洹a:k6j=!ɣ`50gcZkX;Xifkyb+n'-{sv"ܬTI Gf߮N<է<mQNab,k7w"nhD@#x#ZlSKMµAʥ 8Iuף:̹OKMĀohm9RRԎy-0f#@8RS UVR,LMf 0TFUri/ X3P="^Glۏ\VKZ%Y 2x Hч%s&r"dH>HP.$zz/[cx@O eˡW}jkF2K+Qĸ/ sȼx.e%&o[I{u>dg-'90ڱ[w qwm[.{=yJMh>#Ծ3=F+{^m9S==aXYrVfЗh ͬ{[VjBƹ.04%n'S肜ifMPm-ЁH.M ?^J }+W7QiA9Uq&[q{Zj,A ,?`obD+ )o3Acq4x*L(T̙xa1aV eզٝ$7yg^ٿ[!ʃZ+=Jl~'#dM,Û|U:j|%w;҅fZ,Eh6 7}d߄^P> :{ћbR=P[=8 Pm¼ϴHb )}o [#b2zޘ9# YZ aIm{7R[ $y ?ZEDV% Is|D~hue :} d!/9k,Cߑ7MeV10~L ' ]TW\Afx=F x7t'le>u`A^& mS-l \Zs4pBzs_ƈ^fÈGs{VCRED~Ƥ"c*41GJ[#}ɹgMN;vBE< ,i ma@.93ۈX 9S":>kn ~Z;m'FKmDs{%%HA W|8snj=J< rk~}W ƨb)(J "PV: ![C P?1js# h_fF Lma`t.tܣq?]_'Aff9p͒w\j:rtԨ b8+M4?3,ȏ%%nNK aR$P!%h$bcx=9`1A2_7=}c|?ݩ2{xCbwT IhR tX(9CȮ KƊRN/|m'Чx4,4+e]K&JZ!`xFNRsdhhz?;v@| LBz،\S;.0C 9]9tHq{5.qwg5_QvBrһrڽ\]w/L·_smmR0mw 5e9ši'\ «Q_gqxixID_04e7.DAwpD(/pYQJNa21Sj;M֖C|yƫx]j12;ZTmx9j0C#W܄qP ";睓]vrФo%u[cFPkF5_o.?i2{P(GNl.o ڝ(?\~ 9͠C>Ag\󬻹5rg7\c? \~3l׼ EF/E|E}/>_d"?/?/2e2sFe Q~0{ s!?0~{@2OK/C\\e5u7cs'O?gC>g3sn&&oon2/9IR< 9k]K8kgK"*SV9,.O3P*(Xi7{ZeU+\^}{'sg+I\WKI0ntEճKL3cn5:vņ^_ |SG0nsOkr>usrxvY^][;\;Yo)P/#IcgeACACfi qe_ޢD)Fyk@Lg<}Zqz`~uw= !Y>Y"h(x4|s&pN!3J8?0 fZ g8!r]ӧ h~3d]Oo4pGn`'~ܛK؇1-cH$GR% J\~ܓJ&"C*BUN-U+zT,.g /(@#غ̷|R'C3<8iRq x+ҷM!|#́ .Lekzy;+28*,edٴܐ$Te?~ j}l.q sEeאe,&J B8̈́N`'2cӄ2^8ZXVX#e ^1PSFӽ"}ǚ 71a`a?>N@Umk# 1,)}Ơ#)e h~zA߭Ud#ə B| YV8[V"6bZm% 1oY%&/sjw[i>:f;BI<5_x|XT ,sD?>;;31U)֒_./gwǁ;MzKo;j[@(&]aьU%$tnP/K;"=oPm b;<% *`>.X2";>6`>LA>X읚6,_vD4fR*4$NS xEzV?ĵ 3 |w;q^'t#>Ƌrd{Gora$+nvDg>6كl2Y}>7Q$Ly iax3LJ B ϱɮx6بogn`Dl .3 -ˬ1sV¥"UX LMX,8. 4⿶; QK/9Buz Ϸ;<v7s#k_2ҳe>vį-ǬvJ^S O3й?-{/e;;],{QIbV]s::h݆G0^qYSVl@sxSa {:p3z7 vQmQ#N?40(g|W|gy#g®"vyX@cbS,LڙBα ya1 +o3Љf{0^OpN&}k\ȏ,,d[녗Z']YQhXj=E"ҁ )Q~9'vX3e3}"@a)5ZBLN Po3pRaL $b[и\{&L+6cڅGSy6:|,%݈bVS"N$؊rI-9=O9N*D!la, 9r3 ;Ev F.t1R04xqϢaʩȩ(|_|JѬd;j +sʧ=I~q ^`\YJlygn9B(O{u=rC*gUN'Ў7_;a}B}FBl4*7y:?#Koyqާ˶VP- QwA0,}U^~HVz Cosg