International Telecommunication Union   ITU
Site Map Contact us Print Version
 Tuesday, 15 January 2008

Pushdo trojan, a fairly new and prolific threat being circulated in fake "E-card" emails, is classified as a more sophisticated "downloader" trojan due to its control server. According to the analysis of Secureworks, when executed, Pushdo reports back to one of several control server IP addresses embedded in its code. The server listens on TCP port 80, and pretends to be an Apache webserver. Any request that doesn't have the correct URL format will be answered with the following content:

Looking for blackjack and hookers?

The Bender Bending Rodriguez text is simply misdirection to mask the true nature of the server - if the HTTP request contains the following parameters, one or more executables will be delivered via HTTP:

Typical Pushdo Request

The Pushdo controller is preloaded with multiple executable files - the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specfic country or countries with a specific payload.

Pushdo's detection of the physical hard drive serial number as a identifier not only provides a unique ID for the infected system, but can also reveal information such as whether the code is running in a virtual machine or not. This could be a way for the malware author to spy on anti-virus companies using automated tools to monitor the malware download points.

Another anti-anti-malware function of Pushdo is that it looks at the names of all running processes and compare them to a list of anti-virus and personal firewall process names. Instead of killing off these processes, however, Pushdo merely reports back to the controller which ones are running, by appending "proc=" and a list of the matching process names to the HTTP request parameters. This enables the authors to determine which anti-virus engines or firewalls are preventing the malware from running or phoning home, by their absence from the statistics. This way the Pushdo author doesn't have to maintain a test environment for each AV/firewall product.

Recently, an e-card email containing a newer variant of Pushdo was received. Apparently taking notice that the Bleeding Snort project had published a signature (sid 2006377) to detect the Pushdo request variables in transit, the author has now changed the request to be less fingerprintable. An example of the new request format is:

GET /40e800142020202057202d4443574d414c393635393438366c0000003c66000000007600000002 HTTP/1.0

Apparently, the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild. Although it is unclear just how large the Cutwail botnet has become, the ambition of the project rivals that of other more well-known spam botnets, such as Storm.

Read the complete analysis on Pushdo here.
Read the blog entry detailing the trouble Sophos are having with the Pushdo trojan.