Inside a Modern Malware Distribution System

Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."

I'm not seeing the "easy" part there.

[khasim]

Download some malware, pop-up a fake window when the user does something to get the password, sudo with the password, install whatever else you want and setup init scripts, done!

Okay, that first part "Download some malware". How?

With Windows it is easy to explain. ActiveX.

With Linux/Apple, it's not so easy.

With old versions of Windows/Outlook, you could just mass mail the exploit and hope that enough people hadn't patched Outlook NOT to auto-run some executables.

Or that they hadn't configured their security zones correctly.

Microsoft is getting better. But they're still focused on adding layers of "security" instead of taking the simple option and just not installing so many services that the user will probably never use. So if there's any flaw in the various layers, you can still be cracked.