Inside a Modern Malware Distribution System
Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."
someone please mod this shit into oblivion...
That's the first thing that comes to my mind when I see how sophisticated and commercial the bad guys have become. There have been a lot of stories on this kind of subject in the last months/years, and the internet is becoming more and more like a minefield.
I know that this one is pretty dependent on Windows (not only is it the easy target, because of its users, numbers and the "security" of the system/browser present there), but I bet that some of that development can be translated to Unix/Mac systems (as it is the user who mainly installs it; think, e.g., of when the SquirrelMail repository was corrupted: if someone sends spam to make people download it before it gets caught, that in fact installs a trojan with that functionality).
Point 1. FUD: Microsoft's argument is a complete load of horsesht. The reason it's most affected is because low-level identification of processes is obscured, even if it's just simple rot13 encoding in the registry to mask info about installed programs. In the *NIX world it's almost impossible to hide a running process.
Point 2. Windows user base = BOZOS: also untrue. A lot can be done in the Windoze world; it is just done with broken legs as the price of entry.
Malware will go away when Windows goes open source, and not just the source that the script kiddies are using. Pretty much every other OS manufacturer has open sourced their code. Apple is tied to their hardware much like SGI was; they just do a better job than SGI did.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23