Inside a Modern Malware Distribution System
Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."
Actually, there are vastly more Linux systems out there than Windows systems. Each year about 300 million Linux devices are produced - mostly cell phones and routers. These devices have a life span of 5 years or more, meaning that there should be about 2 billion Linux devices out there. In contrast, there are only about 600 million Windows devices. Also, note that there are more Linux servers on the internet than Windows servers. The simple fact that these Linux devices and servers are mostly secure, while the Windows machines are mostly insecure, therefore has nothing to do with numbers.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Just replace the destination URL with the one you get after following 301 redirects. That shouldn't break anything (301s are meant to be cached, and legitimate URL compression services should be using 301s anyway.)
"If only Microsoft would spend that much effort on windows update..."
They do, but they spend their efforts on making sure it doesn't work for pirates, rather than on making sure it works better for customers.
Please correct me if I got my facts wrong.
Because then people like you end up blasting legit people off the internet by mistake and ignore the problem as collateral damage?