Slashdot Mirror


Inside a Modern Malware Distribution System

Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."

9 of 135 comments

  1. Question about platform security by Iphtashu Fitz · · Score: 4, Interesting

    Call me a troll if you will but I have a serious question here.

    Microsoft constantly claims that the main reason there are so many trojans & botnets like this is because Windows systems make up the vast majority of computer systems out there, not because Windows is any less secure than linux, OS-X, etc.

    Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why? Put another way, how difficult would it be to develop a similarly intricate one for linux or OS-X if a malware author decided to target those platforms?

    1. Re:Question about platform security by m50d · · Score: 2, Interesting
      Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why?

      Even if market share was the same, there are still other variables to consider: how useful is the OS, and what is the userbase like? My instinct would be to go for linux - it's (marginally, and in my experience) more stable, systems are more likely to be left running 24/7, and systems programming for it is easier - you don't have to e.g. jump through hoops to get raw sockets, and the open source might make things better - I don't know how good the documentation of windows/osx internals is. As against that there is the distribution fragmentation and the somewhat higher technical competence of average users.

      Ultimately there's not much to choose between them - all three OSes have their vulnerabilities, all three can be programmed by anyone competent, and this kind of malware could easily be written for all three. In fact, it probably already has been.

      --
      I am trolling
    2. Re:Question about platform security by IamTheRealMike · · Score: 4, Interesting

      That reasoning is invalid. There are tens of millions of XBoxes in the world, all of which run a customized version of Windows, yet I'm not aware of any viruses for the XBox. I guess Windows must be entirely secure!

      Or maybe desktop security and arbitrary-consumer-electronic-device security are different problems with different solutions.

      The other poster is correct. There is no difference in Windows vs Linux desktop security. It's beyond trivial to phish or intercept the user's root password, if you want it, which you might not bother with because there are plenty of other ways to hide in a modern operating system (google "user mode rootkit").

    3. Re:Question about platform security by 99BottlesOfBeerInMyF · · Score: 5, Interesting

      Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why? Put another way, how difficult would it be to develop a similarly intricate one for linux or OS-X if a malware author decided to target those platforms?

      This is an interesting question, but it lacks some details that may make a large difference. First, was it a single Linux distribution or a mixture of the ones currently available? Second, are we talking Windows Vista, or are we talking about the current mix of Windows versions deployed today?

      Potential reasons why it is easier to target Windows:

      • Malware authors are familiar with Windows and Windows development tools and often are not experienced in coding for other platforms.
      • Even with an even distribution of OS's, MS still dominates certain application segments on Windows, with MS Office, Outlook, and IE. Other platforms have more varied application sets by comparison, making it harder to make a virus work via an exploit for a particular application.
      • Windows in general runs with more network services listening by default than either OS X or Linux and each one is a potential hole.
      • Windows fails to operate using standard protocols, so assuming most networks in the future are mixed, for full functionality Windows servers often have to run two services for a given function, versus one when using Linux or OS X. (For example, a Windows box might be listening to the local network using UPnP SSDP to discover network services, as well as ZeroConf, which is implemented by various applications on Windows, whereas OS X and Linux use only the standard ZeroConf.)
      • Windows has a different user base from the other OS's and it is often a less security conscious one overall. That could change, however if market share does.

      On the other hand, Windows has a few advantages as well:

      • More anti-virus tools and services are available for Windows
      • Windows makes better use of sandboxes in some instances than the vast majority of Linux distros.

      The question is pretty academic though. Market share is not going to shift drastically overnight, nor distribute evenly. Market share has an enormous effect on the products themselves. Right now Linux and OS X have appropriate levels of security so that it is not a big issue for their users. If security threats increased for either platform, security improvements would also increase because the developers are motivated to not lose money. MS is currently a monopoly so the fact that Windows does not have sufficient security to deal with the malware ecosystem does not cost them much money at all, so they are not motivated to fix it. If Windows had 30% of the market, they would no longer have a monopoly and they would fix their security problems or go out of business.

      Having a diverse computing market makes things hard for botnet operators, because it lessens the effect of any vulnerability and because it motivates better security through competition between the players in that market. The theoretical you propose would change things in many, many ways. In some ways, Linux and OS X would become bigger targets and have to adapt their security to deal with it, but we'll never know what would hold up as the "best" six months or two years afterwards.

  2. Comment removed by account_deleted · · Score: 1, Interesting

    Comment removed based on user account deletion

  3. Counter attack is required by Anonymous Coward · · Score: 1, Interesting

    I really do think it is time to fight fire with fire. If these things report to a server then make that IP public and then blast it off the internet.

    After all I am entitled to use reasonable force to protect my person. Why can't I use the electronic equivalent with these scum bags.

    Sure it is a moving target but the key to smashing spam is to push up the marginal cost to the spammer.

  4. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  5. Re:I'm not seeing the "easy" part there. by WeirdJohn · · Score: 2, Interesting

    The trick is to (Step One) get the User to visit an Evil Website: "Naked Lesbian Twins with Machine Guns" should do it.

    (Step Two) Tell the User that a new "Video Codec" must be installed on their Ubuntu|Redhat|Suse System, which requires SuperUser privilege.

    (Step Three) Pop up a standard web browser password dialog, asking for the root password.

    (Step Four) Start to download the "Codec Installer" that plays funny games with gcc, expect and python to sudo and install the malware when run.

    (Step Five) Tell user to run 'bash GirlsWithGunsCodecInstaller'

    Your logic error was in assuming that if GNU/Linux had 33% of the desktop then all those extra users were as clued as you. An easy mistake to make, I've done it myself many times. And it's amazing how people's judgment fails when they have the chance to see naked lesbian twins with guns.

  6. Command and Control Server by phantomcircuit · · Score: 2, Interesting

    My question is simple: how can the command and control servers for botnets stay up?

    Wouldn't their hosting provider and/or IP block owner want to avoid ending up on blacklists and thus kick them off, cutting off all infected systems from further contact?