Slashdot Mirror


Pushdo Trojan Infects 11,000 Systems In 24 Hours

An anonymous reader writes: Bitdefender has discovered that a new variant of the Trojan component Pushdo has emerged. 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey. Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control servers have been changed, but the communication protocol remains the same.

18 of 32 comments

  1. Missing information by Anonymous Coward · · Score: 3, Insightful

    What operating system does this software run on?

    1. Re:Missing information by just_another_sean · · Score: 3, Interesting

      This is what I was wondering... AFAICT the first link is /.'ed and the second link doesn't go into any technical details. I'm assuming Windows until I hear otherwise, but the geographic mix is interesting; are these Windows XP boxes? Is the fact that the infections are concentrated in India and Asia an indication of the many people there that have not upgraded?

      I'd never heard of Pushdo before this, anyone else know more about it?

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:Missing information by Anonymous Coward · · Score: 1

      These are systems which were previously infected with Pushdo, so yes, some of them are XP.

    3. Re: Missing information by bill_mcgonigle · · Score: 1

      Google cache has the first link but it also does not mention platforms!

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:Missing information by mspohr · · Score: 2

      We always assume Windows (to the point where most articles don't even mention it) and that is true again in this case.
      It is useful to know which versions of Windows:
      Systems affected:

      The Pushdo trojan malware affects the following systems:

              Windows 2003
              Windows XP
              Windows 2000
              Windows NT
              Windows 98
              Windows 95

      --
      I don't read your sig. Why are you reading mine?
    5. Re:Missing information by jc42 · · Score: 1

      Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows. There wouldn't be 11,000 Linux users tricked into running it in 24 hours even if it would run correctly on all their distros because we know Linux users are too smart to run Trojans. Hell, there probably weren't 11,000 Linux machines with users sitting in front of them to BE tricked into running it in that amount of time. With Macs - well every Mac user will tell you they don't get Trojans or viruses. That leaves Windows. Lots of doofuses to be tricked there.

      While I can appreciate your sarcasm, I also followed the summary's first link to the report at labs.bitdefender.com, and thought it was interesting that in the "Related posts" in the column at the right, there's a Tags section, and the very first is "android" in a large font. There's no instance of "window" or "micro" or "soft" on the page. The obvious inference to a reader is "Hmmm ... Can this actually be a major infestation on android, i.e., linux?"

      But no, this list of "Related ... Tags" appears to be some sort of subtle redirection or FUD or something, because as others have already reported here, this is indeed yet another MS Windows trojan infestation. The report page lists keywords including "android", "bitcoin", "facebook", etc., but doesn't mention MS or Windows as related.

      Anyone have any idea why the folks at bitdefender might do things this way?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    6. Re:Missing information by tlhIngan · · Score: 1

      Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows. There wouldn't be 11,000 Linux users tricked into running it in 24 hours even if it would run correctly on all their distros because we know Linux users are too smart to run Trojans. Hell, there probably weren't 11,000 Linux machines with users sitting in front of them to BE tricked into running it in that amount of time. With Macs - well every Mac user will tell you they don't get Trojans or viruses. That leaves Windows. Lots of doofuses to be tricked there.

      Well, it's easy to trick users into running questionable binaries. I mean, all you need to do is call it a crack or keygen for an app, rename it a few million times to cover the popular apps, movies and other content, and you're done.

      Hell, those "download helpers" that file lockers sometimes provide? Guess what!

      And most malware these days are Trojans. It's a lot easier to trick a user than to try to find a vulnerability in the OS. Even Windows is far harder to break into. Hell, good malware is userspace nowadays to avoid running into UAC dialogs.

    7. Re:Missing information by operagost · · Score: 3, Insightful

      So basically, all EOL systems that have no business being connected to a network except for 2003, which also shouldn't be connected unless it has SP2 and all security patches.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    8. Re:Missing information by grcumb · · Score: 3, Insightful

      Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows.

      This propagation rate is positively tiny. Honestly, I don't know why it's even part of the headline. For context, this paper (PDF, sorry) shows Code Red infecting over 500,000 machines in an hour.

      If 11,000 machines in a day is an event, then we should all be sitting back and breathing a sigh of relief that the bad old days are over....

      (Not that I believe that they are. I just don't see any reason for the breathless headline.)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    9. Re: Missing information by jc42 · · Score: 1

      Determining what is "related" is not an easy thing to do, programmatically speaking.

      It's especially difficult for the Media, since for most of them, "computer", "IBM machine", "Microsoft" and "Windows" are synonyms. A few have heard of things like unix and linux, and some even use a mac. But those gadgets are never called "computers", so they're not relevant to any news story dealing with computers. In common speech, saying that some new virus infects "computers" is all that needs to be said, since there are no brand names in the computer industry, only IBM and Microsoft (and maybe Apple, if that's a brand name).

      I have seen a number of instances where some geeks will try to bring up non-IBM/Microsoft systems, and the media folks are clearly baffled by why people would try to change the subject, when the topic is clearly computers, not those other electronic thingies. I remember back in the early 1980s, when IBM first introduced their new DOS machines, and the reaction of lots of business and media people was "Finally there's a desktop computer." They didn't see any need to mention the brand name, because computers didn't have brand names. (The more knowledgeable did know that computers actually do have brand names, but since there was only one, it was a waste of time and page space to mention it.)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  2. 11k...? by Ceriel+Nosforit · · Score: 1

    I just don't understand how this is worth a headline on Slashdot. The targeted population centers alone are so vast and connected that 11k is a pittance. The common flu probably has a greater influence there.

    --
    All rites reversed 2010
    1. Re:11k...? by zephvark · · Score: 1

      Yup. Someone sneezed, everybody panic! ...this is not news.

  3. Is this a ZeuS variant? by timrod · · Score: 2

    The way the article describes Pushdo, it sounds a lot like ZeuS - they use practically the same methods of operation (DGA to generate random domain names, fast-flux to stop anyone shutting down the C&C servers) and it seems that like ZeuS, Pushdo started from an initial codebase and was changed multiple times after being shut down.
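
The DGA and fast-flux behaviour described above is what a network defender typically hunts for in resolver logs. The following is an added example written for this page; it is not code from the Bitdefender report, from the Slashdot thread, or from any Pushdo sample. It scores query names for DGA-like randomness (entropy, vowel starvation, embedded digits) and flags domains that are answered with many distinct IPs at short TTLs. The log line format, the thresholds and the sample lines are all constructed assumptions, and the second-level-label extraction ignores multi-label public suffixes such as co.uk.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log. Assumed format per line:
#   <epoch> <client_ip> <query_name> <answer_ttl> <answer_ip>
# The random-looking names and the RFC 5737 test addresses are made up for this example.
SAMPLE_LOG = """\
1393200001 10.0.0.12 www.example.com 3600 192.0.2.40
1393200002 10.0.0.12 mail.example.com 3600 192.0.2.41
1393200003 10.0.0.17 x7q9zk2lwp4vd.net 60 198.51.100.10
1393200004 10.0.0.17 x7q9zk2lwp4vd.net 60 198.51.100.45
1393200005 10.0.0.17 x7q9zk2lwp4vd.net 60 203.0.113.7
1393200006 10.0.0.17 x7q9zk2lwp4vd.net 60 203.0.113.99
1393200007 10.0.0.17 x7q9zk2lwp4vd.net 60 198.51.100.200
1393200008 10.0.0.21 slashdot.org 300 192.0.2.80
1393200009 10.0.0.21 k3j8tqp0zvxwr1nd.info 120 192.0.2.5
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, ttl, ip = m.groups()
    return {"ts": int(ts), "client": client,
            "qname": qname.lower().rstrip("."), "ttl": int(ttl), "ip": ip}


def registered_label(qname):
    """Second-level label ('x7q9zk2lwp4vd' for 'a.x7q9zk2lwp4vd.net').
    Assumes a single-label public suffix; a real tool would consult the PSL."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character in the string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """Heuristic 0..3: high entropy, few vowels in a long label, digits mixed in.
    Thresholds are assumptions tuned only against the constructed sample."""
    score = 0
    if shannon_entropy(label) >= 3.3:
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if len(label) >= 8 and vowels / len(label) < 0.25:
        score += 1
    if any(ch.isdigit() for ch in label):
        score += 1
    return score


def fast_flux_candidates(records, max_ttl=300, min_ips=3):
    """Domains whose answers in the window carry short TTLs and rotate through many IPs."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for r in records:
        ips[r["qname"]].add(r["ip"])
        ttls[r["qname"]].append(r["ttl"])
    return sorted(q for q in ips
                  if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)


def analyze(log_text, dga_threshold=2):
    """Return DGA-like query names and fast-flux candidates found in the log text."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    dga = sorted({r["qname"] for r in records
                  if dga_score(registered_label(r["qname"])) >= dga_threshold})
    return {"dga_like": dga, "fast_flux": fast_flux_candidates(records)}


if __name__ == "__main__":
    for kind, names in analyze(SAMPLE_LOG).items():
        print(kind, names)
```

Run against the sample, the two random-looking names score 3 on the DGA heuristic while example.com and slashdot.org score 0, and only the name rotating through five short-TTL addresses is reported as a fast-flux candidate. In production the entropy and vowel thresholds need tuning against the site's own baseline, since CDN hostnames and hashed subdomains can look random too.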

    1. Re:Is this a ZeuS variant? by bogdan.botezatu · · Score: 3

      It's not a Zeus variant. It's the world's largest spambot ever (72bn messages per day). The figures show the old bots getting upgraded to the new variant.

  4. No-Ip by Curunir_wolf · · Score: 2

    Just shut down No-IP servers. That should fix it.

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
  5. Country least affected... by operagost · · Score: 2

    North Korea is least affected, due to their "Don't let anyone have computers, well they don't have electricity anyway" security policy.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  6. Okay so a bitdefender ad ? What's the Vector? by Virtucon · · Score: 1

    Is this distributed by E-Mail, a bug in Windows? IE, Firefox etc.?

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  7. Just use Linux. by stooo · · Score: 1

    Just use Linux.

    --
    aaaaaaa