[ISN] Inside a Modern Malware Distribution System

From: InfoSec News (alerts@private)
Date: Mon Dec 24 2007 - 03:18:50 PST


http://www.eweek.com/article2/0,1895,2239276,00.asp

By Ryan Naraine
eWEEK.com
December 21, 2007

Analysis of the Pushdo Trojan provides a glimpse of the tracking and 
hiding techniques used by online criminals.

SecureWorks anti-malware guru Joe Stewart is not one to be intimidated 
by advances in online crime activity.

But, when he reversed the backend code associated with the Pushdo Trojan 
downloader, he discovered a modern malware distribution system fitted 
with complex tracking mechanisms and hiding techniques, another clear 
sign that virus fighters are up against a clever and sophisticated enemy.

Stewart, a veteran reverse-engineer who spends the majority of his time 
breaking apart malware samples, said the control server that powers 
Pushdo is preloaded with about 421 different malware executables waiting 
to be delivered to infected Windows machines.

The malware itself uses electronic greeting card lures, spammed to e-mail 
inboxes, to trick Windows users into launching the executable.

Once the Trojan is executed, Pushdo immediately reports back to an IP 
address embedded in the code and connects to a server that pretends to 
be an Apache Web server and listens on TCP port 80.

"We've seen examples of sophisticated Trojan downloaders but this is the 
first time I've gotten into the backend controller to see the level of 
tracking it's doing," Stewart said in an interview with eWEEK. "This one 
does a lot of high-level reconnaissance, making sure it hits the right 
targets," he said.

For starters, the Pushdo controller uses the GeoIP geolocation database 
in conjunction with whitelists and blacklists of country codes, so that 
the malware distributor can prevent one of the malware loads from 
infecting users located in a particular country. The same mechanism also 
lets the distributor target a specific country or countries with a 
specific payload, Stewart said.

Every victim is tracked meticulously. Stewart found that Pushdo logs the 
IP address of the infected machine and whether or not the malware was 
run from an administrator account on that machine.

It also goes a step further, logging the victim's primary hard drive 
serial number, tracking whether the file system is NTFS, the number of 
times the victim system has launched a Pushdo variant, and the Windows 
OS version that executed the malware.

Stewart was baffled by the need to track the hard drive serial number 
but suggests this is being done to provide a unique ID for the infected 
system and to figure out if a VM (virtual machine) is being used to 
analyze the malware. This is significant, Stewart said, because 
anti-virus providers use VM to pick apart malware files in controlled 
environments.

"They already have VM detection in malware files but, now that it's in 
the downloader, the malware author can do the detection upfront and 
completely avoid anti-virus detection," he said. "This could be a way 
for the malware author to spy on anti-virus companies using automated 
tools to monitor the malware download points," he explained in a 
detailed technical analysis of the Pushdo controller.

Stewart also found what he calls an "anti-anti-malware function" in 
Pushdo. The Trojan downloader looks at the names of all running 
processes and compares them to a pre-loaded list of anti-virus and 
personal firewall process names. "My hunch is they're just tracking 
which firewalls are easier targets, figuring out which ones they need to 
do more work on," he added.

Unlike other virus samples that attempt to kill anti-virus software 
processes, Pushdo merely reports back to the controller which ones are 
running, "a type of reconnaissance" that helps to determine which 
anti-virus engines or firewalls are preventing the malware from running 
or phoning home. "This way the Pushdo author doesn't have to maintain a 
test environment for each anti-virus or firewall product," he added.

The last time Stewart peeked at the controller, he found more than 
malware samples, all with rootkit characteristics that help maintain a 
stealthy presence on the infected computer. He also found evidence of a 
spam botnet that can be used to deliver massive amounts of unwanted 
e-mail advertisements, or to launch debilitating distributed DoS 
(denial-of-service) attacks on businesses.

"We're dealing with an entire malware ecosystem," Stewart declared. 
"It's really interesting how the [malware] business is now 
compartmentalized. Distribution of downloaders is handled by one set of 
guys, who get paid for that. Then, there are the botnet guys who rent 
out their services. Then, we have the spam guys using those botnets to 
blast out e-mails."

Stewart also stumbled upon another interesting fact: multiple malware 
families are being distributed using the Pushdo system. This, he reckons, 
is a sign that the author is also willing to take payments from other 
malware authors in return for use of his distribution channel.

"[These] arrangements are becoming more and more common, as participants 
in the malware economy seek out niches in which to provide services in 
the underground marketplace," he said.

