Slashdot Mirror


Inside a Modern Malware Distribution System

Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."

5 of 135 comments

  1. I'm not seeing the "easy" part there. by khasim · Score: 5, Informative

    Download some malware, pop up a fake window when the user does something to get the password, sudo with the password, install whatever else you want and set up init scripts, done!

    Okay, that first part "Download some malware". How?

    With Windows it is easy to explain. ActiveX.

    With Linux/Apple, it's not so easy.

    With old versions of Windows/Outlook, you could just mass mail the exploit and hope that enough people hadn't patched Outlook NOT to auto-run some executables.

    Or that they hadn't configured their security zones correctly.

    Microsoft is getting better. But they're still focused on adding layers of "security" instead of taking the simple option and just not installing so many services that the user will probably never use. So if there's any flaw in the various layers, you can still be cracked.
  2. Re:Question about platform security by IamTheRealMike · Score: 4, Informative

    how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

    Here's how you could make a somewhat modern piece of malware for Linux. I'll leave out the stuff that's the same between operating systems ... the control networks, etc, and just look at controlling/hiding in the system.

    1. First question - how to get in? All the usual techniques will work. Browser exploits are still common, even after years of hardening the IE and Firefox codebases. Plugin exploits (quicktime, acrobat, etc) even more so. Emailing out virus mails that appear to come from friends is still a very effective technique - we spent years training people to not trust emails from random people, only to have that advice subverted by having the emails come from friends. There are no restrictions on sending mail on Linux, nor reading from the user's address book assuming they use client-side mail. If they use webmail the same techniques will work as on Windows.

      Some people might say, but Mike, it's hard to make a binary that works on all forms of Linux! In reality, it's not that hard. The basic loading/linking code and core libraries are the same across distributions. It's hard once you try to build real, interesting apps that provide GUIs and so on, but if you're willing to put in some testing (and modern malware is a professional operation, so why not) you can make the same binary work just fine on dozens of distros.

      Other people might say that it's complicated to run binaries on Linux, because you have to set the +x bit. I'll ignore the fact that I think Linux isn't ever going to get 33% market share with the current way of distributing software ... suffice it to say, that once you convince a user that you're legitimate and that they want your eCard (that's how this malware spreads), you can just give them a command to copy/paste into the "Run Program" dialog box.

    2. Once you're in, you want to do a few things. You want to download the rest of the trojan ... no problem with that ... maybe start sending mail ... again no problem ... what else? Maybe you want to drain the user's bank account. The easiest way to do that is to install a browser extension that waits for the user to log in, and then scripts the web app. This has already been done on Windows/IE and isn't technically difficult - although it does require testing on the banks you want to target.

      What else? Stealing cookies is popular. Yep, we can do that. Maybe popping up "unkillable ads". Yes, X will let you do this.

    3. Next, you want to hide, to make yourself hard to get rid of. This is the part where people tend to assume Linux is more robust than Windows. Is it really? Well, firstly, you can do a decent job of hiding without root. To start with, try injecting yourself into a system process ... or start several copies of the same program, all of which watch each other and restart new copies if others are killed or paused. It exploits the fact that you can't send signals to groups of processes atomically. Adjust the user's path in their startup scripts to let you override any binary you wish, and then use a user-mode rootkit technique to hide the fact that the file was modified. Or set yourself to startup in the KDE/GNOME config systems somehow (e.g., as an invisible panel app).

      What if you want to store stuff on disk, and hide those files? Doing it with a kernel rootkit is easy enough, but what about without having access to kernel space? One way to do it is ptrace every process that might be used to explore the filesystem - like shells. You can intercept the syscalls of these programs before they reach the kernel in that way, and thus make files "disappear" from the command line, from Nautilus/Konqueror, or whatever other programs you want to do. If you're worried about the ptrace
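A defender-side check for the user-mode hiding technique the comment above describes: a process that ptrace-attaches to shells or file managers leaves a footprint, because the traced process reports a non-zero TracerPid in /proc/<pid>/status. This is an added example, not code from the commenter or from the Pushdo analysis; the status-file sample is constructed, and the /proc layout assumed is the standard Linux one.

```python
"""Flag processes that have a ptrace tracer attached, by reading /proc/<pid>/status."""
import os
from typing import Dict, List, Optional

# Constructed sample of a /proc/<pid>/status file (not captured from a real host):
# a bash shell (pid 4242) that some other process (pid 3999) has ptrace-attached to.
SAMPLE_STATUS = """Name:\tbash
State:\tS (sleeping)
Pid:\t4242
PPid:\t4100
TracerPid:\t3999
Uid:\t1000\t1000\t1000\t1000
"""


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def traced_by(text: str) -> Optional[int]:
    """Return the tracer's PID if the process is being ptraced, otherwise None."""
    tracer = int(parse_status(text).get("TracerPid", "0") or 0)
    return tracer if tracer > 0 else None


def find_traced_processes(proc_root: str = "/proc") -> List[dict]:
    """Walk proc_root and report every process that currently has a tracer attached.

    Legitimate debuggers (gdb, strace) show up here too, so a hit is a lead to
    investigate (who is the tracer, why is it attached to a shell?), not a verdict.
    """
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited, or status not readable as this user
        tracer = traced_by(text)
        if tracer is not None:
            name = parse_status(text).get("Name", "?")
            hits.append({"pid": int(entry), "name": name, "tracer": tracer})
    return hits


if __name__ == "__main__":
    for hit in find_traced_processes():
        print(f"pid {hit['pid']} ({hit['name']}) is traced by pid {hit['tracer']}")
```

Run it as root to see every process; as an unprivileged user it only inspects processes you own, which is still enough to spot a tracer on your own shells.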

  3. Comment removed by account_deleted · Score: 3, Informative

    Comment removed based on user account deletion

  4. Re:Command and Control Server by KillerBob · Score: 4, Informative

    IRC... have a master channel, and configure the virus so it's able to connect to a slave channel and receive commands, or connect to the master channel and relay commands to its slave channel. Program the bot/virus so that it connects to a non-persistent "slave" channel. If it's automatically given moderator status, then it's the first bot in the channel, so it connects to the master channel and functions as a command/control herder. If it doesn't automatically get mod rights, then it functions as a slave and actually does the dirty work.

    And by using a wide open IRC server, of which there are plenty, it's virtually impossible to shut down the network. All the main controller has to do is connect to his "master" control channel periodically to send out commands, and the rest of the herding gets done by his deputies.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  5. Re:industrial strength stuff by jacquesm · Score: 2, Informative

    afaik it does work fine for pirates but not for consumers that have paid for the product. A friend of mine made the linux switch solely because of being pissed off once too many while being told to re-register his machine after windows update literally crashed the box beyond recovery and they wouldn't activate him. He said, ok, fine, don't activate me, I'll get another OS. It's well past the point of being a nuisance, it's a real risk (having your machine taken down by an automatic update is *not* funny at all) and then to be insulted like that is really not the best way to deal with an already pissed off customer.