Inside a Modern Malware Distribution System

Posted by kdawson on Sun Dec 23, 2007 04:56 PM
from the enemy-are-as-thick-as-peas-out-there dept.
Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."
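As an added example, not code from the Pushdo analysis or from the Pushdo author, here is a Python model of the selection policy the quoted paragraph describes: the controller keeps a per-victim record, runs the victim IP through GeoIP, and then filters the payload catalog through each load's country whitelist and blacklist. Everything beyond those semantics is an assumption: the field and payload names, the rule that the blacklist is checked last, and the idea that the execution counter is used to avoid handing out the same load twice.

```python
# Added example (not from the Pushdo analysis or its author): a model of the
# per-country payload selection the summary describes. Field and payload
# names, the precedence rule and the "served" bookkeeping are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Payload:
    name: str
    # Empty whitelist = "no country restriction". A non-empty whitelist limits
    # the load to exactly those countries; the blacklist is always checked
    # last, so a country listed in both is excluded (assumed precedence).
    whitelist: FrozenSet[str] = frozenset()
    blacklist: FrozenSet[str] = frozenset()


@dataclass
class Victim:
    """One row of the controller's victim table, fields as in the summary."""
    ip: str
    country: str        # what the controller's GeoIP lookup returned for `ip`
    is_admin: bool
    hdd_serial: str
    ntfs: bool
    run_count: int
    os_version: str
    served: FrozenSet[str] = frozenset()   # assumed: loads already handed out


def payload_allowed(p: Payload, country: str) -> bool:
    """Whitelist first, then blacklist; country codes compared case-insensitively."""
    cc = country.upper()
    if p.whitelist and cc not in p.whitelist:
        return False
    return cc not in p.blacklist


def eligible_payloads(victim: Victim, catalog: List[Payload]) -> List[str]:
    """Names of the loads this victim would be offered, in catalog order."""
    return [
        p.name for p in catalog
        if p.name not in victim.served and payload_allowed(p, victim.country)
    ]


# Constructed catalog (Pushdo carried 421 loads; these four are invented).
CATALOG = [
    Payload("spam-engine"),                                      # worldwide
    Payload("banker-de", whitelist=frozenset({"DE", "AT"})),     # targeted
    Payload("proxy-module", blacklist=frozenset({"RU", "UA"})),  # avoid home turf
    Payload("contradictory", whitelist=frozenset({"US"}), blacklist=frozenset({"US"})),
]


def demo_victim(country: str, served: FrozenSet[str] = frozenset()) -> Victim:
    # Constructed sample record; the documentation IP range is used for `ip`.
    return Victim(ip="198.51.100.7", country=country, is_admin=False,
                  hdd_serial="WD-1234", ntfs=True, run_count=1,
                  os_version="5.1", served=served)


if __name__ == "__main__":
    for cc in ("DE", "US", "RU"):
        print(cc, eligible_payloads(demo_victim(cc), CATALOG))
```

The practical consequence for anyone analysing a downloader like this: the decision is keyed on the IP the controller sees, so a sandbox or honeypot in one country will never be handed the loads aimed at another, and a run that "only" fetches the worldwide payload is not evidence that the targeted ones do not exist.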
  • by jacquesm (154384) <j&ww,com> on Sunday December 23 2007, @05:03PM (#21800636) Homepage
    If only Microsoft would spend that much effort on windows update...
    • by RAMMS+EIN (578166) on Sunday December 23 2007, @06:15PM (#21801118) Homepage Journal
      ``If only Microsoft would spend that much effort on windows update...''

      They do, but they spend their efforts on making sure it doesn't work for pirates, rather than on making sure it works better for customers.
      • Re: (Score:3, Informative)

        afaik it does work fine for pirates but not for consumers that have paid for the product. A friend of mine made the linux switch solely because of being pissed off once too many while being told to re-register his machine after windows update literally crashed the box beyond recovery and they wouldn't activate him. He said, ok, fine don't activate me I'll get another OS. It's well past the point of being a nuisance, it's a real risk (having your machine taken down by an automatic update is *not* funny at all
  • by Iphtashu Fitz (263795) on Sunday December 23 2007, @05:11PM (#21800690)
    Call me a troll if you will but I have a serious question here.

    Microsoft constantly claims that the main reason there are so many trojans & botnets like this is because Windows systems make up the vast majority of computer systems out there, not because Windows is any less secure than linux, OS-X, etc.

    Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why? Put another way, how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?
    • Re: (Score:2, Interesting)

      Assuming you mean desktop users..... pretty easy.
      Download some malware, pop-up a fake window when the user does something to get the password, sudo with the password, install whatever else you want and setup init scripts, done!

      The only real deterrent for Linux right now is the low number of machines and having to get their password so they can set the init scripts, and that you have to know something besides .net/vb to do it.

      Assuming you mean servers.... really easy.
      There are TONS of linux servers r
      • by khasim (1285) <brandioch.conner@gmail.com> on Sunday December 23 2007, @05:30PM (#21800824)

        Download some malware, pop-up a fake window when the user does something to get the password, sudo with the password, install whatever else you want and setup init scripts, done!

        Okay, that first part "Download some malware". How?

        With Windows it is easy to explain. ActiveX.

        With Linux/Apple, it's not so easy.

        With old versions of Windows/Outlook, you could just mass mail the exploit and hope that enough people hadn't patched Outlook NOT to auto-run some executables.

        Or that they hadn't configured their security zones correctly.

        Microsoft is getting better. But they're still focused on adding layers of "security" instead of taking the simple option and just not installing so many services that the user will probably never use. So if there's any flaw in the various layers, you can still be cracked.
        • by liquidpele (663430) on Sunday December 23 2007, @05:40PM (#21800884) Homepage Journal
          ActiveX is still used some but it's disabled on a lot of machines now unless it's required by some company for an intranet site. But outlook? Outlook has been a dead end for malware for a while... I'm talking about within the last few years here.

          Most malware now is either by drive by download using whatever plugin/browser exploit is new, or by having them download the exe from P2P or somewhere.

          With browser vulns, at least with firefox, it doesn't matter what OS you're on. Most of their vulns have been plugin related it seems though - but I don't see why it would be different if Linux were targeted as much as windows is.
          Plus, if you target Linux, there are tons of things never tried yet. You can host fake malicious things on sourceforge or something... Posting fake scripts on forums that download and run malicious code, or have them use malicious repositories... etc etc.

          That's for Desktops of course. For Servers, it's usually an out of date web application with known vulns out in the open. Hell, I just did that the other day to my old fraternity's website to give myself admin access to their wordpress site so I could make one simple change (friendly joke).
          • Most malware now is either by drive by download using whatever plugin/browser exploit is new, or by having them download the exe from P2P or somewhere.

            How many of these go through Firefox, though?

            Most of their vulns have been plugin related it seems though - but I don't see why it would be different if Linux were targeted as much as windows is.

            Depends on the plugin. I imagine the plugins have to behave fairly differently on other OSes.

            • by liquidpele (663430) on Sunday December 23 2007, @06:29PM (#21801206) Homepage Journal
              "I imagine the plugins have to behave fairly differently on other OSes."

              True, but a lot of the malicious sites out there run entire vuln packages. Basically they are javascript that detects what might work, and then tries a range of 1-15 different vulns against the browser until one works. Great stuff, and with a system like that it's easy to target multiple OS's on a single site.
        • ActiveX has been "defanged" for several years. You can't install random software without asking the user anymore in IE and that's been true for a long time.

          The Storm botnet has been spread by emailing out binaries that people then run, because they believe it to be something it's not. That's a hard problem to solve. It hasn't really been solved by any system yet - perhaps it can't be solved.

          Any computer where you can easily add new software (and a desktop OS that doesn't let you do that is one which isn

          • Unfortunately, users are still largely stupid in terms of agreeing to ActiveX installs. Even Microsoft Update requires it. You'd think that by now Microsoft would somehow add Windows Update to an internal/default exemptions list, right? Or build it outside of the IE engine.
            • In Vista it appears to be outside of the engine finally. I still think it uses IE for connecting to the Windows Update web services, but it's now a stand-alone program in the OS instead of a program run from a web page. I was quite happy to see that the old Windows Update is now dead.

        • Re: (Score:2, Interesting)

          The trick is to (Step One) get the User to visit an Evil Website: "Naked Lesbian Twins with Machine Guns" should do it.

          (Step Two) Tell the User that a new "Video Codec" must be installed on their Ubuntu|Redhat|Suse System, which requires SuperUser privilege.

          (Step Three) popup a standard webbrowser password dialog, asking for the root password

          (Step Four) Start to download the "Codec Installer" that plays funny games with gcc, expect and python to sudo and install the malware when run.

          (Step Five) Tell user to
      • Re: (Score:3, Insightful)

        The fact that they cannot easily execute themselves stops a lot.
        An executable in an email attachment or web download cannot be executed by an idiot. It needs to be chmodded.

        Also the root password box appears significantly less than the Windows equivalents.
        Your average user will never have to enter it in.
        Helps reduce false negatives but it can still occur.

        • A minor point, but Ubuntu has done its best to get rid of the root password. Yes - you can change the way it's set up, but for the vast majority of users it is just a case of typing their normal password in a second time for confirmation. It's just another thing that makes it seem that much less of a deal to allow a piece of software to run with root privileges.
          • Re: (Score:3, Insightful)

            I don't see why a botnet client would even need to run as root. So long as the user in question can run 'at' or cron, it can still install itself. I'll grant, a rootkit could conceal itself better with root access, but I doubt very many people would notice an extra process running anyways. (I think I'd call my trojan "bash").
            • I think I'd call mine super_pr0n_queen with the arguments "--enhance-pr0n --doublestuff ~/superpr0n.mp4" and the installer would put a very "interesting" movie in ~/superpr0n.mp4. A sure-fire guarantee to never be deleted!

      • On most Windows systems, the user is running as Administrator, so you do not even have to ask the user to install software. That is the main problem.
        Vista changes this (at last), but until Vista (or an updated XP) is the norm, then Windows is easier to Trojan.

        Mac OS-X is almost as easy since the .dmg files are so common for so many things from document updates to kernel installs that users are almost sure to type in password for installation.

        Linux requires more work because most Linux users have a separate
        • " Linux requires more work because most Linux users have a separate root and user account with different passwords and sudo is thereby more restricted."

          I did say it was a little harder in linux because you need the password - but a lot of distros like Ubuntu don't have root - you just sudo with the user's own password (just nitpicking there). My point was it is a deterrent, but it will by no means stop malware installation if Linux is a highly targeted desktop. Especially when the users WANT to install
      • The only real deterrent for Linux right now is the low number of machines and having to get their password so they can set the init scripts

        No, the real deterrent for Linux is that any significant malware attack will be patched by the community MUCH faster than with Windows.

        There's a significant cost to developing the type of malware that would be capable of building a Linux botnet, and that investment would be lost when the community reacted. The cost/benefit for developing malware on Linux is a long wa

    • Re: (Score:2, Interesting)

      Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why?

      Even if marketshare was the same, there are still other variables to consider: how useful is the OS, and what is the userbase like? My instinct would be to go for linux - it's (marginally, and in my experience) more stable, systems are more likely to be left running 24/7, and systems programming for it is easi

    • Point 1: FUD. Microsoft's argument is a complete load of horseshit. The reason it's most affected is because low-level identification of processes is obscured, even if it's just simple rot13 encoding in the registry to mask info about installed programs. In the *NIX world it's almost impossible to hide a running process.

      Point 2: Windows user base = BOZOS. Also untrue. A lot can be done in the Windoze world; it's just done with broken legs as the price of entry.

      Malware will go away when windows goes open source
      • ``In the *NIX world it's almost impossible to hide a running process.''

        Ah, yeah? I don't think so. Given that you've already compromised the host, that is. And if you can't hide your process, you can always try to masquerade as a process that should be running.
    • by flyingfsck (986395) on Sunday December 23 2007, @05:26PM (#21800796)
      Actually, there are vastly more Linux systems out there than Windows systems. Each year about 300 million Linux devices are produced - most cell phones and routers. These devices have a life span of 5 years or more, meaning that there should be about 2 billion Linux devices out there. In contrast, there are only about 600 million Windows devices. Also, note that there are more Linux servers on the internet, than Windows servers. The simple fact that these Linux devices and servers are mostly secure, while the Windows machines are mostly insecure, therefore has nothing to do with numbers.
      • by IamTheRealMike (537420) on Sunday December 23 2007, @05:45PM (#21800924) Homepage

        That reasoning is invalid. There are tens of millions of XBoxes in the world, all of which run a customized version of Windows, yet I'm not aware of any viruses for the XBox. I guess Windows must be entirely secure!

        Or maybe desktop security and arbitrary-consumer-electronic-device security are different problems with different solutions.

        The other poster is correct. There is no difference in Windows vs Linux desktop security. It's beyond trivial to phish or intercept the users root password, if you want it, which you might not bother with because there are plenty of other ways to hide in a modern operating system (google "user mode rootkit").

        • It's harder to get the root password because it's used for very few things from a user's point of view.
          Yes there will be some idiots who will type it in no matter what but the chances are lower than clicking 'Allow' with UAC.
        • SELinux (enabled by default on Fedora and others) greatly decreases the possibilities of something stupid like this happening. Now if only we didn't continually tell users to "make, sudo make install" everything and actually used signed packages. Why? How trivial is it to get a user to do a "sudo make install" on a Makefile that embeds a rootkit?
      • The total number of devices is irrelevant. Cell phones, routers, and other embedded devices are set up once, and then mass-produced, so someone is easily able to make painstaking efforts to ensure security. On servers, this is also true, to a much lesser extent. On the desktop, it's almost never true (you and I care about making sure our machines are secure, but we're the vast minority of desktop users). The desktop area is where people care the least, and so it's the most attacked. Windows' dominance is in
        • Re: (Score:3, Insightful)

          Yes, and by the time you finished any sizable app, one that was "good enough" would already have been released, and gobbled up marketshare. The problem with chasing perfection is that it takes forever, and even if you find it, most people don't need it.
    • by 99BottlesOfBeerInMyF (813746) on Sunday December 23 2007, @05:45PM (#21800930)

      Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why? Put another way, how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

      This is an interesting question, but it lacks some details that may make a large difference. First, was it a single Linux distribution or a mixture of the ones currently available. Second, are we talking Windows Vista, or are we talking about the current mix of Windows versions deployed today?

      Potential reasons why it is easier to target Windows:

      • Malware authors are familiar with Windows and Windows development tools and often are not experienced in coding for other platforms.
      • Even with an even distribution of OS's, MS still dominates certain application segments on Windows, with MS Office, Outlook, and IE. Other platforms have more varied application sets by comparison, making it harder to make a virus work via an exploit for a particular application.
      • Windows in general runs with more network services listening by default than either OS X or Linux and each one is a potential hole.
      • Windows fails to operate using standard protocols, so assuming most networks in the future are mixed, for full functionality Windows servers often have to run two services for a given function, versus one when using Linux or OS X. (For example, a Windows box might be listening to the local network using UPnP SSDP to discover network services, as well as ZeroConf, which is implemented by various applications on Windows, whereas OS X and Linux use only the standard ZeroConf.)
      • Windows has a different user base from the other OS's and it is often a less security conscious one overall. That could change, however if market share does.

      On the other hand, Windows has a few advantages as well:

      • More anti-virus tools and services are available for Windows
      • Windows makes better use of sandboxes in some instances than the vast majority of Linux distros.

      The question is pretty academic though. Market share is not going to shift drastically overnight, nor distribute evenly. Market share has an enormous effect on the products themselves. Right now Linux and OS X have appropriate levels of security so that it is not a big issue for their users. If security threats increased for either platform, security improvements would also increase because the developers are motivated to not lose money. MS is currently a monopoly so the fact that Windows does not have sufficient security to deal with the malware ecosystem does not cost them much money at all, so they are not motivated to fix it. If Windows had 30% of the market, they would no longer have a monopoly and they would fix their security problems or go out of business.

      Having a diverse computing market makes things hard for botnet operators, because it lessens the effect of any vulnerability and because it motivates better security through competition between the players in that market. The theoretical you propose would change things in many, many ways. In some ways, Linux and OS X would become bigger targets and have to adapt their security to deal with it, but we'll never know what would hold up as the "best" six months or two years afterwards.

    • Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why?

      I'd say Linux and OS X at that point, because both are Unix. Much easier to port things between Linux and OS X than it is to port things between either and Windows.

      Put another way, how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platform

    • by IamTheRealMike (537420) on Sunday December 23 2007, @06:15PM (#21801116) Homepage

      how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

      Here's how you could make a somewhat modern piece of malware for Linux. I'll leave out the stuff that's the same between operating systems ... the control networks, etc, and just look at controlling/hiding in the system.

      1. First question - how to get in? All the usual techniques will work. Browser exploits are still common, even after years of hardening the IE and Firefox codebases. Plugin exploits (quicktime, acrobat, etc) even more so. Emailing out virus mails that appear to come from friends is still a very effective technique - we spent years training people to not trust emails from random people, only to have that advice subverted by having the emails come from friends. There are no restrictions on sending mail on Linux, nor reading from the user's address book assuming they use client-side mail. If they use webmail the same techniques will work as on Windows.

        Some people might say, but Mike, it's hard to make a binary that works on all forms of Linux! In reality, it's not that hard. The basic loading/linking code and core libraries are the same across distributions. It's hard once you try to build real, interesting apps that provide GUIs and so on, but if you're willing to put in some testing (and modern malware is a professional operation, so why not) you can make the same binary work just fine on dozens of distros.

        Other people might say that it's complicated to run binaries on Linux, because you have to set the +x bit. I'll ignore the fact that I think Linux isn't ever going to get 33% market share with the current way of distributing software ... suffice it to say, that once you convince a user that you're legitimate and that they want your eCard (that's how this malware spreads), you can just give them a command to copy/paste into the "Run Program" dialog box.

      2. Once you're in, you want to do a few things. You want to download the rest of the trojan ... no problem with that ... maybe start sending mail ... again no problem ... what else? Maybe you want to drain the user's bank account. The easiest way to do that is to install a browser extension that waits for the user to log in, and then scripts the web app. This has already been done on Windows/IE and isn't technically difficult - although it does require testing on the banks you want to target.

        What else? Stealing cookies is popular. Yep, we can do that. Maybe popping up "unkillable ads". Yes, X will let you do this.

      3. Next, you want to hide, to make yourself hard to get rid of. This is the part where people tend to assume Linux is more robust than Windows. Is it really? Well, firstly, you can do a decent job of hiding without root. To start with, try injecting yourself into a system process ... or start several copies of the same program, all of which watch each other and restart new copies if others are killed or paused. It exploits the fact that you can't send signals to groups of processes atomically. Adjust the user's path in their startup scripts to let you override any binary you wish, and then use a user-mode rootkit technique to hide the fact that the file was modified. Or set yourself to startup in the KDE/GNOME config systems somehow (eg, as an invisible panel app).

        What if you want to store stuff on disk, and hide those files? Doing it with a kernel rootkit is easy enough, but what about without having access to kernel space? One way to do it is ptrace every process that might be used to explore the filesystem - like shells. You can intercept the syscalls of these programs before they reach the kernel in that way, and thus make files "disappear" from the command line, from Nautilus/Konqueror, or whatever other programs you want to do. If you're worried about the ptrace
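
Several comments in this thread (the cron/at point above, the "setup init scripts" step, and the PATH-override and autostart tricks in the comment just above) describe footholds that need no root at all. As an added example, and not code from any of the commenters, here is a Python checker for exactly those three places on a Linux desktop: the user's crontab, the shell startup files, and XDG autostart entries. The heuristics, the list of known-good hidden PATH entries, and the sample inputs are constructed assumptions, not indicators from a real incident.

```python
# Added example, not code from the comment's author: checks for the user-level
# (no root needed) footholds the comment lists: cron jobs, PATH overrides and
# aliases in shell startup files, and XDG autostart entries. The heuristics,
# the known-good list and the sample inputs are constructed assumptions.
import re
from typing import List

SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# A hidden directory directly under the home dir, e.g. ~/.cache/.x/bin/
HIDDEN_HOME = re.compile(r"(?:~|\$HOME|/home/[^/\s]+)/\.[^/\s]+/")
# PATH entries that are hidden but legitimately common; extend for your fleet
KNOWN_GOOD_PATH = {"~/.local/bin", "$HOME/.local/bin", "~/bin", "$HOME/bin"}


def _odd_location(text: str) -> bool:
    """True if a command or path points at a temp dir or a hidden home dir."""
    return text.startswith(SUSPICIOUS_DIRS) or bool(HIDDEN_HOME.search(text))


def audit_crontab(text: str) -> List[str]:
    """Output of `crontab -l`: flag jobs run from odd places and @reboot jobs,
    which are the user-level substitute for an init script."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.match(r"^(?:@\w+\s+|(?:\S+\s+){5})(.*)$", s)  # 5 time fields or @keyword
        if not m:
            continue
        if _odd_location(m.group(1)):
            findings.append(f"crontab: job runs from odd location: {s}")
        elif s.startswith("@reboot"):
            findings.append(f"crontab: review @reboot job: {s}")
    return findings


PATH_PREPEND = re.compile(r"""^\s*(?:export\s+)?PATH=["']?([^"':]+):\$\{?PATH\}?""")
WRAPPED_TOOLS = re.compile(r"^\s*alias\s+(ls|ps|netstat|ss|top|find|lsof|crontab)=")


def audit_rc(text: str) -> List[str]:
    """Shell startup file (.bashrc/.profile): a PATH entry prepended from an odd
    place lets a user-level implant shadow any binary; aliases on the tools an
    analyst would reach for are the cheap version of the same trick."""
    findings = []
    for line in text.splitlines():
        m = PATH_PREPEND.match(line)
        if m:
            entry = m.group(1).rstrip("/")
            if entry not in KNOWN_GOOD_PATH and _odd_location(entry + "/"):
                findings.append(f"rc: PATH prepended with {entry}")
        m = WRAPPED_TOOLS.match(line)
        if m:
            findings.append(f"rc: alias wraps {m.group(1)}")
    return findings


def audit_autostart(desktop_text: str) -> List[str]:
    """One XDG autostart .desktop file: Exec from an odd place, or an entry
    that still runs but is kept out of menus (NoDisplay=true)."""
    exec_cmd, no_display = "", False
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            exec_cmd = line[len("Exec="):].strip()
        elif line.strip() == "NoDisplay=true":
            no_display = True
    findings = []
    if exec_cmd and _odd_location(exec_cmd):
        findings.append(f"autostart: Exec from odd location: {exec_cmd}")
    if exec_cmd and no_display:
        findings.append(f"autostart: hidden (NoDisplay) entry runs {exec_cmd}")
    return findings


# Constructed sample inputs (not from any real incident).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/backup.sh
*/5 * * * * /home/alice/.cache/.x/upd >/dev/null 2>&1
@reboot /dev/shm/.s/run
"""
SAMPLE_BASHRC = """\
export PATH="$HOME/.local/bin:$PATH"
export PATH=/home/alice/.gconf/.bin:$PATH
alias ps='/home/alice/.gconf/.bin/ps'
"""
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Panel Helper
Exec=/home/alice/.cache/.x/upd --daemon
NoDisplay=true
"""


def audit_all(crontab: str, rc: str, desktop_files: List[str]) -> List[str]:
    out = audit_crontab(crontab) + audit_rc(rc)
    for d in desktop_files:
        out += audit_autostart(d)
    return out


if __name__ == "__main__":
    for f in audit_all(SAMPLE_CRONTAB, SAMPLE_BASHRC, [SAMPLE_DESKTOP]):
        print(f)
```

To run it against a real account, feed `crontab -l`, the concatenation of `~/.bashrc` and `~/.profile`, and each file under `~/.config/autostart/` to the three functions. Two caveats: `at` jobs are not covered (the spool is root-only, so `atq` is the user-level view), and the PATH check deliberately ignores `~/.local/bin` and `~/bin`, which is where an implant that wants to blend in would choose to live; treat those as "inspect the binaries", not "clean".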

      • ...suffice it to say, that once you convince a user that you're legitimate and that they want your eCard (that's how this malware spreads), you can just give them a command to copy/paste into the "Run Program" dialog box.

        Your post seems predicated upon the assumption that the means of compromise is a trojan. Right now, that is not the common case, especially for bots. While there are more types of trojans out there, each compromises a fairly small number of boxes. Most boxes by number are still compromised by automated worms that have no user interaction component to them.

        I think you're right that Linux is no more secure against trojans than Windows, maybe less so even, but you have to keep in mind that even if that is

        • "I think you're right that Linux is no more secure against trojans than Windows"

          Most Windows users (at least on XP) run as root. Most linux users don't run as root. That's a heck of a lot more secure, at least in terms of losing control over your computer rather than just losing your files.
          • Most Windows users (at least on XP) run as root. Most linux users don't run as root. That's a heck of a lot more secure, at least in terms of losing control over your computer rather than just losing your files

            I was thinking of Vista, but assuming we're talking about WinXP, then in either case the bot has plenty of permission as the user to be malicious and send spam, participate in a DDoS, or steal user data. The one thing it can't do that it might want to is disable anti-virus. That is slightly harder on Linux or Vista than on WinXP, but once you're in it is just a matter of breaching one more layer with a local escalation, and those are not really uncommon on Linux (and absurdly common on Vista right now). O

        • Re: (Score:3, Insightful)

          Your post seems predicated upon the assumption that the means of compromise is a trojan. Right now, that is not the common case, especially for bots.

          Well, I can't say that I have any hard facts to back up my opinion, but I've always assumed the exact opposite. I don't see *anything* in my router/firewall logs. Either the attacks aren't happening, or they're stopped by my ISP; either way, they're not compromising any PCs (and I'd expect the ISP to advertise the extra protection if they were doing it)

          In contr
    • Social engineering works on the user, not on the operating system, and is likely to be about equally effective on any platform. The exception is when the social engineering relies on confusing the user. In this case, I'd see an advantage to MacOSX and Linux, which ask for permission a whole lot less than Windows (particularly Vista). A user who is used to clicking OK boxes is more vulnerable than one who is occasionally asked to type a password for specific reasons.

      In cases where social engineering

    • From a non-technical point of view, I know someone who found all sorts of vulnerabilities in Windows. He couldn't patch them. He hates Microsoft's business tactics. He wrote viruses to exploit those vulnerabilities (the viruses usually did something like DDOS various Microsoft websites, print out "Microsoft is crap, stop using Windows" once a month, etc.). It's not just the installbase or the security of the system to take into account, it's also a) users' opinions of the system/creators (many Windows users
      • Gah, I should have listened to my technobabble detector. The link above points to one of those stupid grow-my-city things.

        It'd be nice if slashdot followed all 301 redirects for a page, then used the resulting URL in the comment.
  • 21st century war (Score:3, Insightful)

    by brit74 (831798) on Sunday December 23 2007, @06:03PM (#21801042)
    This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload.

    I can't help but think a lot of malware creators will get rich in the 21st century when governments pay them to attack countries they are at war with - either destroying their computer infrastructure, or acting as spies.
  • by phantomcircuit (938963) on Sunday December 23 2007, @06:55PM (#21801382) Homepage
    My question is simple, How can the command and control servers for botnets stay up?

    Wouldn't their hosting provider and/or IP block owner want to avoid ending up on blacklists, and thus kick them off, cutting off all infected systems from further contact?
    • by KillerBob (217953) on Sunday December 23 2007, @07:30PM (#21801602)
      IRC... have a master channel, and configure the virus so it's able to connect to a slave channel and receive commands, or connect to the master channel and relay commands to its slave channel. Program the bot/virus so that it connects to a non-persistent "slave" channel. If it's automatically given moderator status, then it's the first bot in the channel, so it connects to the master channel and functions as a command/control herder. If it doesn't automatically get mod rights, then it functions as a slave and actually does the dirty work.

      And by using a wide open IRC server, of which there's plenty, it's virtually impossible to shut down the network. All the main controller has to do is connect to his "master" control channel periodically to send out commands, and the rest of the herding gets done by his deputies.
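
The scheme above is what a defender sees from the other side as an IRC channel that fills up with near-identical clients and carries commands in one direction only. As an added example, not code from the commenter, here is a Python detector that parses raw IRC protocol lines (the JOIN and PRIVMSG shapes from RFC 1459/2812, as a server log or network sensor would record them) and scores each channel for that pattern. The nick template, the thresholds and the sample lines are constructed assumptions, not indicators for Pushdo, Storm or any named botnet.

```python
# Added example, not code from the comment's author: scores IRC channels for
# the bot-channel pattern the comment describes. Nick template, thresholds and
# the sample log lines below are constructed assumptions.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Standard IRC message shapes (RFC 1459/2812): ":nick!user@host JOIN #chan"
JOIN = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+JOIN\s+:?(?P<chan>#\S+)")
PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<chan>#\S+)\s+:(?P<msg>.*)")
# Assumed nick template: short country/OS tag plus a numeric id, e.g. DEU-048213
TEMPLATED_NICK = re.compile(r"^[A-Za-z]{1,6}[-_]\d{4,}$")


class ChanStats:
    def __init__(self) -> None:
        self.joins: List[str] = []            # nicks, in join order
        self.hosts: set = set()               # distinct hosts that joined
        self.speakers: Dict[str, int] = defaultdict(int)   # nick -> messages


def parse(lines: List[str]) -> Dict[str, ChanStats]:
    chans: Dict[str, ChanStats] = defaultdict(ChanStats)
    for line in lines:
        m = JOIN.match(line)
        if m:
            c = chans[m["chan"].lower()]
            c.joins.append(m["nick"])
            c.hosts.add(m["host"])
            continue
        m = PRIVMSG.match(line)
        if m:
            chans[m["chan"].lower()].speakers[m["nick"]] += 1
    return dict(chans)


def score_channel(c: ChanStats, min_joins: int = 10) -> Tuple[float, List[str]]:
    """Return (score in 0..1, reasons). Each heuristic is an assumption:
    templated nicks, many distinct hosts, and one-way traffic."""
    n = len(c.joins)
    if n < min_joins:
        return 0.0, []
    reasons = []
    if sum(1 for nick in c.joins if TEMPLATED_NICK.match(nick)) / n >= 0.8:
        reasons.append("nicks follow a generated template")
    if len(c.hosts) >= 0.8 * n:
        reasons.append("joins come from many distinct hosts, not one client reconnecting")
    if len(c.speakers) <= 1:
        reasons.append("at most one nick ever speaks: one-way command traffic")
    return len(reasons) / 3, reasons


def suspicious_channels(lines: List[str], threshold: float = 0.99) -> List[str]:
    """Channels that trip every heuristic (default threshold)."""
    return sorted(name for name, c in parse(lines).items()
                  if score_channel(c)[0] >= threshold)


# Constructed sample log: twelve templated bots join #s-4f and one "herder"
# issues commands; #linux is ordinary human chatter.
SAMPLE_LOG = [f":DEU-{100000 + i}!w@10.{i}.7.{i + 20} JOIN :#s-4f" for i in range(12)]
SAMPLE_LOG += [
    ":herder!h@203.0.113.9 JOIN :#s-4f",
    ":herder!h@203.0.113.9 PRIVMSG #s-4f :.update 1",
    ":herder!h@203.0.113.9 PRIVMSG #s-4f :.scan 10.0.0.0/8",
]
SAMPLE_LOG += [f":user{i}!u@192.0.2.{i} JOIN :#linux" for i in range(12)]
SAMPLE_LOG += [f":user{i}!u@192.0.2.{i} PRIVMSG #linux :hi all" for i in range(12)]

if __name__ == "__main__":
    for name, stats in parse(SAMPLE_LOG).items():
        print(name, score_channel(stats))
```

These checks catch the cheap version of the scheme. A herder who gives bots human-looking nicks and has them emit filler chatter defeats the nick and speaker heuristics, which is why the more robust signal is one layer down: many internal hosts holding long-lived connections to the same IRC server, often on a port nobody chats on, regardless of what the channel looks like.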
    • ...but I bet that some of that development can be translated to Unix/Mac systems (since it is the user who mainly installs it; think, e.g., of when the SquirrelMail repository was corrupted: if someone had sent out spam to get people to download it before it got caught, that would in fact have installed a trojan with that functionality).

      Just to clarify, while there are lots of different trojans including those for Mac/Linux and they are in the wild, trojans are still not the biggest threat. While there are more trojans than worms, worms still compromise more machines than trojans, and worms that exploit network services or applications, with no user interaction, are still the most common cause of a compromise; especially for zombies in a botnet.