Inside a modern malware system

Pushdo Trojan analysis provides glimpse of techniques used by online criminals

By Ryan Naraine

Secureworks anti-malware guru Joe Stewart is not one to be intimidated by advances in online criminal activity. But when he reversed the back-end code associated with the Pushdo Trojan downloader, Stewart discovered a modern malware distribution system fitted with complex tracking mechanisms and hiding techniques—another clear sign that virus fighters are up against a clever and sophisticated enemy.

Stewart, a veteran reverse engineer who spends most of his time breaking apart malware samples, said the control server that powers Pushdo is preloaded with about 421 malware executables, all waiting to be delivered to infected Windows machines.

The malware itself uses electronic-greeting-card lures spammed to e-mail in-boxes to trick Windows users into launching the executable.

Once the Trojan is executed, Pushdo immediately reports back to an IP address embedded in the code and connects to a server that pretends to be an Apache Web server and listens on TCP Port 80.

“We’ve seen examples of sophisticated Trojan downloaders, but this is […] into the back-end controller to see the level of tracking it’s doing,” Stewart said in an interview with eWeek. “This one does a lot of high-level reconnaissance, making sure it hits the right targets.”

For starters, the Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes to allow the malware distributor to prevent one of the malware loads from infecting users located in a particular country. This also provides a way to target a specific country or countries with a specific payload, Stewart said.

Every victim is tracked meticulously. Stewart found that Pushdo logs the IP address of the infected machine, whether or not there was an administrator account on the machine. Pushdo also goes a step further, logging the victim’s primary hard drive serial number and tracking whether the file system is NTFS (NT File System), the number of times the victim system has launched a Pushdo variant and the Windows operating system version that executed the malware.

[…] baffled by the need to track the hard drive serial number, but thought this is being done to provide a unique identity for the infected system and to figure out if a virtual machine is being used to analyze the malware. This is significant, he said, because anti-virus providers use VMs to pick apart malware files in controlled environments.

Stewart also found what he calls an “anti-anti-malware function” in Pushdo. The Trojan downloader looks at the names of all running processes and compares them to a preloaded list of anti-virus and personal firewall process names. “My hunch is they’re just tracking which firewalls are easier targets, figuring out which ones they need to do more work on,” he said.

Unlike other virus samples that try to kill anti-virus software processes, Pushdo merely reports back to the controller which ones are running, which helps to determine which anti-virus engines or firewalls are preventing the malware from running or phoning home. “This way the Pushdo author doesn’t have to maintain a test environment for each anti-virus or firewall product,” Stewart said.

Pushdo Trojan

The relatively new system designed to spread malware through infected machines has a number of key features, including:

- Circulation through fake electronic greeting cards sent via e-mail
- Greater sophistication compared with other “downloader” Trojans
- When executed, the Trojan reports back to one of several IP addresses embedded in the code, pretending to be an Apache Web server and listening on TCP Port 80
- A control server preloaded with about 421 malware executables to be delivered to infected Windows systems
- Meticulous tracking of every victim, including logging the IP address of the infected machine

Source: eWEEK reporting