Slashdot Mirror


Inside a Modern Malware Distribution System

Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."

13 of 135 comments

  1. Re:Question about platform security by flyingfsck · · Score: 3, Insightful

    Actually, there are vastly more Linux systems out there than Windows systems. Each year about 300 million Linux devices are produced - most cell phones and routers. These devices have a life span of 5 years or more, meaning that there should be about 2 billion Linux devices out there. In contrast, there are only about 600 million Windows devices. Also, note that there are more Linux servers on the internet than Windows servers. The simple fact that these Linux devices and servers are mostly secure, while the Windows machines are mostly insecure, therefore has nothing to do with numbers.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  2. Re:the fix by QuoteMstr · · Score: 5, Insightful

    Just replace the destination URL with the one you get after following 301 redirects. That shouldn't break anything (301s are meant to be cached, and legitimate URL compression services should be using 301s anyway.)
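
The expansion step the comment describes, as an added example that is not part of the original thread: follow only permanent (301, and by assumption 308) redirects, with a hop cap and loop detection so a hostile chain cannot stall the expander. The `fake_fetch` table is a constructed stand-in for the network; a real deployment would swap in a HEAD request.

```python
from urllib.parse import urljoin
from typing import Callable, Optional, Tuple

# fetch(url) -> (status_code, Location header or None), e.g. from a HEAD request.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

PERMANENT = {301, 308}  # assumption: treat 308 like 301; 302/307 are not cacheable moves


def resolve_permanent(url: str, fetch: Fetcher, max_hops: int = 5) -> str:
    """Return the URL reached after following only permanent redirects.

    The first non-permanent answer (200, 302, 404, ...) ends the chain and the
    URL that produced it is returned.  A loop or a chain longer than max_hops
    raises ValueError instead of spinning forever.
    """
    seen = [url]
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in PERMANENT or not location:
            return current
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(seen + [nxt]))
        seen.append(nxt)
        current = nxt
    raise ValueError(f"more than {max_hops} permanent redirects from {url}")


# Constructed offline "web": URL -> (status, Location).
FAKE_WEB = {
    "http://short.example/abc": (301, "http://blog.example/post/1"),
    "http://blog.example/post/1": (301, "/post/1/final"),          # relative Location
    "http://blog.example/post/1/final": (200, None),
    "http://short.example/tmp": (302, "http://elsewhere.example/"),  # temporary: kept as-is
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_WEB.get(url, (404, None))


def expand_links(urls, fetch: Fetcher = fake_fetch) -> dict:
    """Map each URL to its permanent destination; None marks a chain rejected as unsafe."""
    out = {}
    for u in urls:
        try:
            out[u] = resolve_permanent(u, fetch)
        except ValueError:
            out[u] = None  # hold the link for review instead of publishing it
    return out


if __name__ == "__main__":
    print(expand_links(FAKE_WEB))
```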

  3. Re:Question about platform security by Torvaun · · Score: 2, Insightful

    Yes, and by the time you finished any sizable app, one that was "good enough" would already have been released, and gobbled up marketshare. The problem with chasing perfection is that it takes forever, and even if you find it, most people don't need it.

    --
    I see your informative link, and raise you a pithy comment.
  4. Re:Question about platform security by SanityInAnarchy · · Score: 2, Insightful

    Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why?

    I'd say Linux and OS X at that point, because both are Unix. Much easier to port things between Linux and OS X than it is to port things between either and Windows.

    Put another way, how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

    The relative security of the OS has nothing to do with the intricacy of the virus. If you could write ANY kind of malware for Linux, you could easily write one this intricate.

    And so, the question you're asking is exactly the same one that's been asked time and time again, and has absolutely nothing to do with this story. It's a question of whether malware could target Linux and OS X. I can't really say, but I think it would be somewhat harder -- and I figure Linux has a much better shot, unless you mean 33.3% Ubuntu, simply because of distro diversity.

    --
    Don't thank God, thank a doctor!
  5. Re:Question about platform security by cheater512 · · Score: 2, Insightful

    The fact that they cannot easily execute themselves stops a lot.
    An executable in an email attachment or web download cannot be executed by an idiot. It needs to be chmodded.

    Also the root password box appears significantly less than the Windows equivalents.
    Your average user will never have to enter it in.
    Helps reduce false negatives but it can still occur.

  6. 21st century war by brit74 · · Score: 2, Insightful

    This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload.

    I can't help but think a lot of malware creators will get rich in the 21st century when governments pay them to attack countries they are at war with - either destroying their computer infrastructure, or acting as spies.

  7. Re:industrial strength stuff by RAMMS+EIN · · Score: 4, Insightful

    ``If only Microsoft would spend that much effort on windows update...''

    They do, but they spend their efforts on making sure it doesn't work for pirates, rather than on making sure it works better for customers.

    --
    Please correct me if I got my facts wrong.
  8. Re:Counter attack is required by SoupIsGoodFood_42 · · Score: 3, Insightful

    Because then people like you end up blasting legit people off the internet by mistake and ignore the problem as collateral damage?

  9. Re:Question about platform security by timeOday · · Score: 2, Insightful

    I don't see why a botnet client would even need to run as root. So long as the user in question can run 'at' or cron, it can still install itself. I'll grant, a rootkit could conceal itself better with root access, but I doubt very many people would notice an extra process running anyways. (I think I'd call my trojan "bash").

  10. Re:I'm not seeing the "easy" part there. by prshaw · · Score: 2, Insightful

    >> Okay, that first part "Download some malware". How?

    Read up on how Storm-Worm got started. It sent an email asking people to go to a site and download something. Guess what, they did what they were told to do.

    Now it may have only have been 1 out of a 1000 people who actually did it, but that number is high enough to get a good start. And then all that those individual computers needed to be able to do was connect to a website and send email. Something pretty much any computer on the internet can do (even Linux boxes running as a user can connect to a website and send email).

    All you need is enough targets to make that 1 out of 1000 (or 1 out of 1000000) to make it work. You don't need some magical hole in the OS, or root privileges, or anything special. You just need enough dumb users that will do what you ask them to do.

  11. Re:the fix by Debug0x2a · · Score: 2, Insightful

    Or just disallow links to tinyurl or dwarfurl entirely. I think the detriment would be far outweighed by the benefit.

    --
    First post = troll. Cleverly worded post designed to enrage others = flamebait.
  12. Re:I'm not seeing the "easy" part there. by Anonymous Coward · · Score: 1, Insightful

    Funny thing... ActiveX enabled leaves you vulnerable. Yet you can't use the Windows Update site without ActiveX enabled... And every time I get an update for InternetExploder I have to re-disable ActiveX. What is needed is to enable ActiveX on a site by site basis, with it default off.

    I can do the same thing with javascript content with seamonkey/firefox and the noscript plugin. (http://noscript.net/)

  13. Re:Question about platform security by Tim+C · · Score: 2, Insightful

    Your post seems predicated upon the assumption that the means of compromise is a trojan. Right now, that is not the common case, especially for bots.

    Well, I can't say that I have any hard facts to back up my opinion, but I've always assumed the exact opposite. I don't see *anything* in my router/firewall logs. Either the attacks aren't happening, or they're stopped by my ISP; either way, they're not compromising any PCs (and I'd expect the ISP to advertise the extra protection if they were doing it).

    In contrast, I receive viruses attached to spam mails *every single day*. I use p2p and occasionally download a file that my AV software flags up as being a virus or trojan. Hell, I even get viruses mailed to me in password-protected zip files; people must be opening up these unexpected files, typing in the password and infecting themselves.

    even if that is the case, that's still less than half of the exploits happening

    Assuming that's true, then you'll wipe out roughly half the exploits by switching to Linux. So malware authors will adapt; worms will die out and social-engineering attacks and trojans will increase. You'll buy a temporary respite as the authors react and amp up production of new attacks. Big deal. User education is key, but we've known that for a decade and the situation doesn't seem to be improving.