Inside a Modern Malware Distribution System
Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."
industrial strength stuff (Score:4, Funny)
Re:industrial strength stuff (Score:5, Insightful)
They do, but they spend their efforts on making sure it doesn't work for pirates, rather than on making sure it works better for customers.
Re: (Score:2)
Re: (Score:3, Informative)
Question about platform security (Score:5, Interesting)
Microsoft constantly claims that the main reason there are so many trojans & botnets like this is because Windows systems make up the vast majority of computer systems out there, not because Windows is any less secure than linux, OS-X, etc.
Assume a completely even playing field where each of the three main consumer OSes, Windows, Linux, and OS X, has 33.3% of the market. Which environment would a trojan/botnet writer target and why? Put another way, how difficult would it be to develop something similarly intricate for Linux or OS X if a malware author decided to target those platforms?
Re: (Score:2, Interesting)
I'm not seeing the "easy" part there. (Score:5, Informative)
Okay, that first part "Download some malware". How?
With Windows it is easy to explain. ActiveX.
With Linux/Apple, it's not so easy.
With old versions of Windows/Outlook, you could just mass mail the exploit and hope that enough people hadn't patched Outlook NOT to auto-run some executables.
Or that they hadn't configured their security zones correctly.
Microsoft is getting better. But they're still focused on adding layers of "security" instead of taking the simple option and just not installing so many services that the user will probably never use. So if there's any flaw in the various layers, you can still be cracked.
Comment removed (Score:5, Interesting)
Re: (Score:2)
How many of these go through Firefox, though?
Depends on the plugin. I imagine the plugins have to behave fairly differently on other OSes.
Comment removed (Score:4, Informative)
Re: (Score:1)
I work in a small law firm in Blighty, and the new laws require us to use web services for searches, HIPS and the like. The damn things use activeX.
In the last few weeks, a training CD arrived in the post from some gov.uk agency. Guess what - it uses activeX. On a freaking CD!
ActiveX in the UK is like an infestation of cockroaches. It's not going away any time soon; if anything, it's getting worse.
Re: (Score:2)
ActiveX has been "defanged" for several years. You can't install random software without asking the user anymore in IE and that's been true for a long time.
The Storm botnet has been spread by emailing out binaries that people then run, because they believe it to be something it's not. That's a hard problem to solve. It hasn't really been solved by any system yet - perhaps it can't be solved.
Any computer where you can easily add new software (and a desktop OS that doesn't let you do that is one which isn
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Interesting)
(Step Two) Tell the User that a new "Video Codec" must be installed on their Ubuntu|Redhat|Suse System, which requires SuperUser privilege.
(Step Three) popup a standard webbrowser password dialog, asking for the root password
(Step Four) Start to download the "Codec Installer" that plays funny games with gcc, expect and python to sudo and install the malware when run.
(Step Five) Tell user to
Re: (Score:2, Funny)
Re: (Score:2, Insightful)
Read up on how Storm-Worm got started. It sent an email asking people to go to a site and download something. Guess what, they did what they were told to do.
Now it may have only have been 1 out of a 1000 people who actually did it, but that number is high enough to get a good start. And then all that those individual computers needed to be able to do was connect to a website and send email. Something pretty much any computer on the internet can do
Re: (Score:1, Insightful)
I can do the same thing with javascript content with seamonkey/firefox and the noscript plugin. (http://noscript.net/)
Re: (Score:2)
The last one I understood went like this
then the SU sees an executable belonging to nobody in /tmp, kills the process, removes the executable and
Re: (Score:3, Insightful)
An executable in an email attachment or web download cannot be executed by an idiot. It needs to be chmodded.
Also the root password box appears significantly less than the Windows equivalents.
Your average user will never have to enter it in.
Helps reduce false negatives but it can still occur.
Re: (Score:2)
A minor point, but Ubuntu has done its best to get rid of the root password. Yes - you can change the way it's set up, but for the vast majority of users it is just a case of typing their normal password in a second time for confirmation. It's just another thing that makes it seem that much less of a deal to allow a piece of software to run with root privileges.
Re: (Score:3, Insightful)
What you would name your malware. (Score:2)
I think I'd call mine super_pr0n_queen with the arguments "--enhance-pr0n --doublestuff ~/superpr0n.mp4" and the installer would put a very "interesting" movie in ~/superpr0n.mp4. A sure-fire guarantee to never be deleted!
Re: (Score:1)
Once they log out it dies.
That's why root is highly desirable.
One question: (Score:2)
No it can't install itself. To install something, and set execute permissions, requires manual input of a password from the keyboard.
Is your /home in a separate, noexec partition? Because if it isn't (and many, almost all, of them aren't) then your trojan can set the exec bit for something hidden in your ~/.kde or something without any keyboard access. And it can keep running after you log out, too.
Re: (Score:2)
Even still you can "double click to install RPM", and that is just as good as an executable...
Re: (Score:2)
It can't automatically run itself.
Re: (Score:2)
It can't automatically run itself.
Sure it can. Find me a box running PHP and a one-year-old web application written on top of it and I'll execute it for you! :-)
Re: (Score:2)
However far fewer people will be stupid enough to enter their root pass than click 'Yes' to UAC.
Nothing is impossible especially when it comes to computers.
When defending against malware you want to make it as improbable as possible though and Linux does this better than Windows.
Re: (Score:2)
Vista changes this (at last), but until Vista (or an updated XP) is the norm, then Windows is easier to Trojan.
Mac OS-X is almost as easy since the
Linux requires more work because most Linux users have a separate
Re: (Score:2)
Re: (Score:1)
Ubuntu does have root, but it's configured so you can't log in to root. Not quite the same thing.
Re: (Score:1)
Re: (Score:1)
Slackware will forgive me, won't it?
Re: (Score:2)
No, the real deterrent for Linux is that any significant malware attack will be patched by the community MUCH faster than with Windows.
There's a significant cost to developing the type of malware that would be capable of building a Linux botnet, and that investment would be lost when the community reacted. The cost/benefit for developing malware on Linux is a long wa
Re: (Score:1)
Have you been reading the other comments? How can you patch the stupidity of your users?
After a clueless user has been owned properly, there is probably no effective way for the community to help him; that would require a full reinstall from scratch. This is not dependent on the operating system, as far as I can see.
Re: (Score:2)
Yeah, I've read them. That's just the usual FUD that's been debunked many times.
The reason social-engineering attacks are so successful on Microsoft platforms, especially Microsoft Outlook, is that the kind of thing you need to trick the user into doing is very simple---typically a single mouse-click. True, many installations pop up warning dialogs for "potentially dangerous" actions, but novice users are used to many such dialogs, and probably just dismiss them as a matter of course.
Re: (Score:2, Interesting)
Even if market share was the same, there are still other variables to consider: how useful is the OS, and what is the userbase like? My instinct would be to go for Linux - it's (marginally, and in my experience) more stable, systems are more likely to be left running 24/7, and systems programming for it is easi
Re:Question about platform security (Score:4, Funny)
Having to leave the contact details for people wanting the source also makes it a bit tricky.
Re: (Score:2)
You don't have to jump through hoops to get raw sockets on Linux, you just have to become root....ummm yeah. On any reasonably configured Linux system, getting root is usually a difficult hoop to jump through, assuming there is no social engineering of someone who has the root account. Then again, with things like Nvidia's (and other manufacturers') buggy drivers and Ubuntu's let's just make people use sudo in
Re: (Score:2, Troll)
Point 2, Windows user base = BOZOS, also untrue. A lot can be done in the windoze world. It's just done with broken legs as the price of entry.
Malware will go away when windows goes open source
Re: (Score:2)
Ah, yeah? I don't think so. Given that you've already compromised the host, that is. And if you can't hide your process, you can always try to masquerade as a process that should be running.
Re: (Score:2)
Why masquerade?
You replace the binaries which show running processes with a section of code hiding your-malware-process.
Since the host is compromised, it's highly unlikely to be running Tripwire or some such anyway which might reveal the process replacing.
Re:Question about platform security (Score:4, Insightful)
Re: (Score:1)
Most apps in *nix are system specific, so when they do find something wrong, it's an easy fix, but when we get to Windows, there are hundreds of apps, and these apps make all system admins crazy (I just had a new program installed and it was calling home via a port that I had never seen used, in the 52000 range).
I truly think deep in my heart that Windows coders just don't give a shit about really doing quality code, all they do is put the crap out then fix and patch. It all come
Re: (Score:3, Insightful)
Re: (Score:1)
Re: (Score:1)
I truly think deep in my heart that Windows coders just don't give a shit about really doing quality code, all they do is put the crap out then fix and patch. It all comes down to the money.
You might be right with that. I just witnessed a discussion on IRC about web design. One guy doing that stuff for money, the other for OSS projects. The guy doing it for money had his customers: companies that want sites coded - for their customers, who most likely won't give a damn if the page they're trying to buy things from is valid XHTML or not - so the companies don't give a damn themselves. And at the end of the day, the guy has to code those sites to appeal to the customers - who will most likel
Re:Question about platform security (Score:5, Interesting)
That reasoning is invalid. There are tens of millions of XBoxes in the world, all of which run a customized version of Windows, yet I'm not aware of any viruses for the XBox. I guess Windows must be entirely secure!
Or maybe desktop security and arbitrary-consumer-electronic-device security are different problems with different solutions.
The other poster is correct. There is no difference in Windows vs Linux desktop security. It's beyond trivial to phish or intercept the users root password, if you want it, which you might not bother with because there are plenty of other ways to hide in a modern operating system (google "user mode rootkit").
Re: (Score:2)
Yes there will be some idiots who will type it in no matter what but the chances are lower than clicking 'Allow' with UAC.
Re: (Score:2)
Re: (Score:1)
First, even if you include the tens of millions of Xboxes, using the grandparent's post, you still have fewer Windows boxes than Linux boxes. Also, is not the software on an Xbox much different from that of a standard Windows PC?
Finally, yes, XBoxes - except the XBox is a relatively sandboxed environment. How easy is it to develop for, how many people do develop for it, and how many XBox users are going to go get homegrown XBox software and run it? (And furt
Re: (Score:1)
Re: (Score:2)
Windows on XBox is not the same Windows as Windows XP or Windows Vista. It's a very much trimmed down version of Windows 2000. It has parts of the kernel but has none of the shenanigans that are called Internet Explorer, the Explorer shell or ActiveX. Also, you can't surf the internet or send/receive e-mails on an XBox nor can you run executables that have not been sanctioned by Microsoft (it's what we call DRM).
Now if we had a Windows that was trimmed down to the bones, didn'
Re: (Score:2)
Re: (Score:1)
Which environment would the botnet writer target if he had a free hand?
No doubt, linux.
Written in python.
Source in git.
If you need to ask why, you'll never understand.
Re:Question about platform security (Score:5, Interesting)
This is an interesting question, but it lacks some details that may make a large difference. First, was it a single Linux distribution or a mixture of the ones currently available. Second, are we talking Windows Vista, or are we talking about the current mix of Windows versions deployed today?
Potential reasons why it is easier to target Windows:
On the other hand, Windows has a few advantages as well:
The question is pretty academic though. Market share is not going to shift drastically overnight, nor distribute evenly. Market share has an enormous effect on the products themselves. Right now Linux and OS X have appropriate levels of security so that it is not a big issue for their users. If security threats increased for either platform, security improvements would also increase because the developers are motivated to not lose money. MS is currently a monopoly so the fact that Windows does not have sufficient security to deal with the malware ecosystem does not cost them much money at all, so they are not motivated to fix it. If Windows had 30% of the market, they would no longer have a monopoly and they would fix their security problems or go out of business.
Having a diverse computing market makes things hard for botnet operators, because it lessens the effect of any vulnerability and because it motivates better security through competition between the players in that market. The theoretical you propose would change things in many, many ways. In some ways, Linux and OS X would become bigger targets and have to adapt their security to deal with it, but we'll never know what would hold up as the "best" six months or two years afterwards.
Re: (Score:2)
The article states that the code is doing many things in a UNIX style (getting the system directory name, etc.) and is written by someone with experience on non-windows systems.
Allow me to clarify. You're correct that some malware developers have *NIX experience. Many control networks run on compromised Linux machines and all the Web front ends I've seen used to rent botnets out are running on Apache. That said, I think this control system and those Web front ends are made by a much rarer breed than the average botnet herder. The average herder I've met (online) has a skill level a bit above the normal script kiddie. They rely heavily on code and tools they purchase or steal and
Re: (Score:3, Insightful)
I'd say Linux and OS X at that point, because both are Unix. Much easier to port things between Linux and OS X than it is to port things between either and Windows.
Re:Question about platform security (Score:5, Informative)
Here's how you could make a somewhat modern piece of malware for Linux. I'll leave out the stuff that's the same between operating systems ... the control networks, etc, and just look at controlling/hiding in the system.
First question - how to get in? All the usual techniques will work. Browser exploits are still common, even after years of hardening the IE and Firefox codebases. Plugin exploits (QuickTime, Acrobat, etc) even more so. Emailing out virus mails that appear to come from friends is still a very effective technique - we spent years training people to not trust emails from random people, only to have that advice subverted by having the emails come from friends. There are no restrictions on sending mail on Linux, nor reading from the user's address book assuming they use client-side mail. If they use webmail the same techniques will work as on Windows.
Some people might say, but Mike, it's hard to make a binary that works on all forms of Linux! In reality, it's not that hard. The basic loading/linking code and core libraries are the same across distributions. It's hard once you try to build real, interesting apps that provide GUIs and so on, but if you're willing to put in some testing (and modern malware is a professional operation, so why not) you can make the same binary work just fine on dozens of distros.
Other people might say that it's complicated to run binaries on Linux, because you have to set the +x bit. I'll ignore the fact that I think Linux isn't ever going to get 33% market share with the current way of distributing software ... suffice it to say, that once you convince a user that you're legitimate and that they want your eCard (that's how this malware spreads), you can just give them a command to copy/paste into the "Run Program" dialog box.
Once you're in, you want to do a few things. You want to download the rest of the trojan ... no problem with that ... maybe start sending mail ... again no problem ... what else? Maybe you want to drain the user's bank account. The easiest way to do that is to install a browser extension that waits for the user to log in, and then scripts the web app. This has already been done on Windows/IE and isn't technically difficult - although it does require testing on the banks you want to target.
What else? Stealing cookies is popular. Yep, we can do that. Maybe popping up "unkillable ads". Yes, X will let you do this.
Next, you want to hide, to make yourself hard to get rid of. This is the part where people tend to assume Linux is more robust than Windows. Is it really? Well, firstly, you can do a decent job of hiding without root. To start with, try injecting yourself into a system process ... or start several copies of the same program, all of which watch each other and restart new copies if others are killed or paused. It exploits the fact that you can't send signals to groups of processes atomically. Adjust the user's path in their startup scripts to let you override any binary you wish, and then use a user-mode rootkit technique to hide the fact that the file was modified. Or set yourself to start up in the KDE/GNOME config systems somehow (eg, as an invisible panel app).
What if you want to store stuff on disk, and hide those files? Doing it with a kernel rootkit is easy enough, but what about without having access to kernel space? One way to do it is ptrace every process that might be used to explore the filesystem - like shells. You can intercept the syscalls of these programs before they reach the kernel in that way, and thus make files "disappear" from the command line, from Nautilus/Konqueror, or whatever other programs you want to do. If you're worried about the ptrace
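The post above (and the earlier comment about /home lacking noexec) describes three things a defender can actually check for on a Linux box: PATH entries in user startup scripts that are user-writable and precede the system directories, interactive shells that have a ptrace tracer attached, and a /home mount without noexec. The following audit helpers are an added example, not code from the article or from any commenter; the function names are hypothetical and the /proc/mounts and /proc/<pid>/status bodies are constructed so the block runs offline.

```python
"""Added example: defender-side checks for the Linux hiding techniques
discussed in the thread. Hypothetical helper names; every sample input below
is constructed inline (not real system data)."""
import os
import re
from typing import Callable, Dict, List


def parse_mounts(mounts_text: str) -> Dict[str, List[str]]:
    """Map mount point -> option list from /proc/mounts-style text."""
    table: Dict[str, List[str]] = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            table[parts[1]] = parts[3].split(",")
    return table


def home_lacks_noexec(mounts_text: str, home: str = "/home") -> bool:
    """True when the mount that contains `home` is not mounted noexec.
    Walks up from /home to the nearest mount point (so a single-partition
    box is judged by the options on /)."""
    table = parse_mounts(mounts_text)
    path = home
    while path not in table and path != "/":
        path = os.path.dirname(path)
    return "noexec" not in table.get(path, [])


def tracer_pid(status_text: str) -> int:
    """Extract TracerPid from a /proc/<pid>/status body (0 = not traced)."""
    m = re.search(r"^TracerPid:\s+(\d+)$", status_text, re.M)
    return int(m.group(1)) if m else 0


def traced_shells(procs: Dict[int, str]) -> List[int]:
    """Given {pid: status_text}, return pids of shells with a tracer attached.
    A debugger permanently attached to an interactive shell is unusual and is
    exactly what the ptrace-based file-hiding trick above would look like."""
    shells = {"bash", "sh", "zsh", "dash", "fish"}
    found = []
    for pid, text in procs.items():
        name = re.search(r"^Name:\s+(\S+)$", text, re.M)
        if name and name.group(1) in shells and tracer_pid(text) != 0:
            found.append(pid)
    return sorted(found)


def suspicious_path_entries(
    path_value: str,
    is_writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK),
) -> List[str]:
    """Return PATH entries that are user-writable (or empty / '.') and sit
    before /usr/bin or /bin, i.e. positions from which a dropped binary
    would shadow a system command."""
    entries = path_value.split(":")
    system_idx = next(
        (i for i, e in enumerate(entries) if e in ("/usr/bin", "/bin")),
        len(entries),
    )
    return [e for e in entries[:system_idx] if e in ("", ".") or is_writable(e)]


# Constructed samples (not captured from a real host).
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0\n"
)
SAMPLE_PROCS = {
    1234: "Name:\tbash\nState:\tS (sleeping)\nTracerPid:\t0\n",
    1300: "Name:\tbash\nState:\tt (tracing stop)\nTracerPid:\t999\n",
    1400: "Name:\tpython3\nState:\tS (sleeping)\nTracerPid:\t999\n",
}
SAMPLE_PATH = "/home/u/.local/bin:/tmp:/usr/local/bin:/usr/bin:/bin"


if __name__ == "__main__":
    print("home lacks noexec:", home_lacks_noexec(SAMPLE_MOUNTS))
    print("traced shells:", traced_shells(SAMPLE_PROCS))
    print("risky PATH entries:",
          suspicious_path_entries(SAMPLE_PATH, lambda d: d in {"/home/u/.local/bin", "/tmp"}))
```

On a live host, feed `open("/proc/mounts").read()`, the `status` files under `/proc/*/`, and the PATH as exported by the user's login shell; the `is_writable` callback exists only so the check can be exercised on constructed input.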
Re: (Score:2)
...suffice it to say, that once you convince a user that you're legitimate and that they want your eCard (that's how this malware spreads), you can just give them a command to copy/paste into the "Run Program" dialog box.
Your post seems predicated upon the assumption that the means of compromise is a trojan. Right now, that is not the common case, especially for bots. While there are more types of trojans out there, each compromises a fairly small number of boxes. Most boxes by number are still compromised by automated worms that have no user interaction component to them.
I think you're right that Linux is no more secure against trojans than Windows, maybe less so even, but you have to keep in mind that even if that is
Re: (Score:2)
Most Windows users (at least on XP) run as root. Most Linux users don't run as root. That's a heck of a lot more secure, at least in terms of losing control over your computer rather than just losing your files.
Re: (Score:2)
Most Windows users (at least on XP) run as root. Most Linux users don't run as root. That's a heck of a lot more secure, at least in terms of losing control over your computer rather than just losing your files
I was thinking of Vista, but assuming we're talking about WinXP, then in either case the bot has plenty of permission as the user to be malicious and send spam, participate in a DDoS, or steal user data. The one thing it can't do that it might want to is disable anti-virus. That is slightly harder on Linux or Vista than on WinXP, but once you're in it is just a matter of breaching one more layer with a local escalation, and those are not really uncommon on Linux (and absurdly common on Vista right now). O
Re: (Score:3, Insightful)
Well, I can't say that I have any hard facts to back up my opinion, but I've always assumed the exact opposite. I don't see *anything* in my router/firewall logs. Either the attacks aren't happening, or they're stopped by my ISP; either way, they're not compromising any PCs (and I'd expect the ISP to advertise the extra protection if they were doing it)
In contr
Re: (Score:2)
Social engineering works on the user, not on the operating system, and is likely to be about equally effective on any platform. The exception is when the social engineering relies on confusing the user. In this case, I'd see an advantage to Mac OS X and Linux, which ask for permission a whole lot less than Windows (particularly Vista). A user who is used to clicking OK boxes is more vulnerable than one who is occasionally asked to type a password for specific reasons.
In cases where social engineering
Re: (Score:2)
Re: (Score:1)
But of the 3, if they had equal market share I think OS-X would lose out the most, and get targeted the most. Linux users tend to be a more technical group and Windows users are used to dealing with viruses. So those two groups for different reasons don't get infected as much. But OS-X users tend to feel as secure as Linux, but don't always have the sk
Re: (Score:2)
1. Linux is server orientated, all processes are treated equal unless nice'd, that means that as my Linux 'puter gets loaded with malware processes I'd notice it lagging sooner or later; vs. Windows that is desktop orientated, my Vista machine can have SETI@home running both core at 100% and I don't notice it. Other Vista machines that are under-spec'd feel sluggish and lag at 100% idle; because all emphasi
Re: (Score:2)
It'd be nice if slashdot followed all 301 redirects for a page, then used the resulting URL in the comment.
Technobabble detector (Score:1)
"kernal" should have been a red flag.
Re: (Score:1)
1. Install Ad Block Plus (very small download, even with a 56k connection), and No Script (which is just a little bit bigger; yes, it's three or four times the size of Ad Block, but that's only about a hundred kilobytes or so).
2. Go into the Preferences for Ad Block Plus.
3. Add filters for myminicity.*, dwarfurl.*, and anything else that redirects you to myminicity.
The pages still load, but they do so very quickly, and No Script then prevents them from runn
Re: (Score:1)
I think that if they managed to make a miniature city where everyone was into eating poop, and the more clicks, the more poop was eaten, then maybe *that* would be the worst slashdot trollspam ever.
Counter attack is required (Score:1, Interesting)
After all I am entitled to use reasonable force to protect my person. Why can't I use the electronic equivalent with these scumbags.
Sure it is a moving target but the key to smashing spam is to push up the marginal cost to the spammer.
Re:Counter attack is required (Score:4, Insightful)
Re: (Score:2)
Hmm good blackmail tactic tho.
Re: (Score:1)
Unfortunately the spammer/malware author usually doesn't use their own servers, pipes, routing equipment, etc...
It's usually hosted at some facility and your retaliation would more than likely harm other customers.
Same with home PCs. If you tried to take down my 8/1 Mb Comcast connection you might succeed if you have a faster connection. Or alternativel
Re: (Score:2)
Re: (Score:1)
Now, given the other machines are infected, you would indeed be a criminal yourself, as
Re: (Score:2)
Scary... (Score:1, Troll)
I know that this one is pretty dependent on Windows (not only is it the easy target, because of the users, numbers and the "security" of the system/browser present there), but I bet that some of that development can be translated to unix/mac systems (as is the user the o
Re: (Score:2)
...but I bet that some of that development can be translated to unix/mac systems (as the user is the one that mainly installs it; think, e.g., of when the SquirrelMail repository was corrupted: if someone had sent spam to make people download it before it got caught, that would in fact install a trojan with that functionality).
Just to clarify, while there are lots of different trojans including those for Mac/Linux and they are in the wild, trojans are still not the biggest threat. While there are more trojans than worms, worms still compromise more machines than trojans, and worms that exploit network services or applications, with no user interaction, are still the most common cause of a compromise; especially for zombies in a botnet.
Re: (Score:1)
I have not heard of a worm causing serious problems in a while (some are still there, but not causing any real damage anymore). (Note, Storm Worm is NOT a worm, it is a trojan).
Trojans, click happy users, and some good social engineering seem to be the main way these botnets are keeping their sizes.
What worms have you heard of that are in the wild now causing problems?
Re: (Score:2)
Are you sure that worms are a bigger threat than trojans?
The numbers aren't in for 2007 yet. We'll probably see them mid-January. For 2006, however, most exploits were the result of worms with no user interaction by a significant margin. Maybe this is changing, but I doubt that has happened yet. A lot of security people tend to focus a lot on threats that might affect them, like their network of WinXP SP2 systems, and forget that there is still a large ecosystem of older Windows systems out there that make up the lion's share of boxes being compromised.
What worms have you heard of that are in the wild now causing problems?
Over
21st century war (Score:3, Insightful)
I can't help but think a lot of malware creators will get rich in the 21st century when governments pay them to attack countries they are at war with - either destroying their computer infrastructure, or acting as spies.
Re: (Score:1)
Command and Control Server (Score:3, Interesting)
Wouldn't their hosting provider and/or IP block owner want to avoid ending up on blacklists and thus kick them off, cutting off all infected systems from further contact?
Re:Command and Control Server (Score:5, Informative)
And by using a wide open IRC server, of which there's plenty, it's virtually impossible to shut down the network. All the main controller has to do is connect to his "master" control channel periodically to send out commands, and the rest of the herding gets done by his deputies.
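The point above is that an open IRC server makes the rendezvous point hard to take down, which shifts the defender's leverage to egress monitoring: many internal hosts converging on one external IRC-port endpoint is a much stronger signal than any single connection. The detector below is an added example, not from the article or any commenter; the log format and every log line are constructed, and the threshold is an assumption to tune per network.

```python
"""Added example: find shared IRC-style rendezvous points in egress
connection logs. Constructed log format: "<timestamp> <src_ip> <dst_ip>
<dst_port> <proto>"; every line is made up for the example."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Conventional IRC ports (plain and TLS); extend to taste.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

SAMPLE_LOG = """\
2007-12-21T10:00:01 10.0.0.5 203.0.113.7 6667 TCP
2007-12-21T10:00:03 10.0.0.9 203.0.113.7 6667 TCP
2007-12-21T10:00:04 10.0.0.12 203.0.113.7 6667 TCP
2007-12-21T10:00:05 10.0.0.5 198.51.100.2 443 TCP
2007-12-21T10:00:09 10.0.0.31 203.0.113.7 6667 TCP
2007-12-21T10:00:12 10.0.0.9 203.0.113.7 6667 TCP
2007-12-21T10:01:00 10.0.0.44 192.0.2.10 6697 TCP
this line is garbage and must be skipped
"""


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, dst_port) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def irc_fan_in(log_text: str) -> Dict[Tuple[str, int], Set[str]]:
    """Map each (dst_ip, dst_port) on an IRC port to the set of distinct
    internal sources that contacted it. Repeat connections from the same
    source count once, so the number reflects breadth, not chattiness."""
    fan_in: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port in IRC_PORTS:
            fan_in[(dst, port)].add(src)
    return dict(fan_in)


def suspected_rendezvous(log_text: str, min_sources: int = 3) -> List[Tuple[str, int, int]]:
    """Return (dst_ip, dst_port, distinct_source_count) for every IRC-port
    endpoint reached by at least `min_sources` internal hosts, biggest first.
    `min_sources` is an assumed threshold; a site with a legitimate IRC
    server would allow-list it rather than lower the bar."""
    hits = [(dst, port, len(srcs))
            for (dst, port), srcs in irc_fan_in(log_text).items()
            if len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for dst, port, n in suspected_rendezvous(SAMPLE_LOG):
        print(f"{n} internal hosts -> {dst}:{port} (IRC) - investigate")
```

Run against real netflow or firewall exports by mapping their columns into `parse_line`; the endpoint flagged here (four distinct workstations to one IRC server) is the case the comment describes, while the lone client on 6697 stays below the threshold.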
Re: (Score:2)
Now all of the clients are cut off from the master and have no way of connecting back.
Re: (Score:2)
You're right... when the IRC servers shut them out, you're safe. But they can't exactly IP ban every client that's infected with the virus.... there's far too many. The servers could block the channels, but how would they know they've got all of them? Granted, all they have to do is block the main control channel, but that would require actually watching the traffic... you have any idea how many logs they'd have to go through
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Better yet, add a timecode to the signature to prevent replay attacks. And write the malware to screw your system over if you try to change the clock.
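The replay-protection idea in the comment above (a timestamp bound into the signed message) is the same one that protects any authenticated command channel, for instance an orchestration API a defender operates. The verifier below is an added example, not from the article or any commenter; it uses HMAC-SHA256 from the standard library, the message layout and the key are constructed, and it rejects a message on three grounds: bad signature, timestamp outside the accepted skew window, or a nonce already seen inside that window.

```python
"""Added example: signed command with timestamp and nonce, verified with
replay rejection. Wire format, key and helper names are constructed for the
example; HMAC-SHA256 is standard-library only."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SHARED_KEY = b"example-key-not-for-real-use"  # constructed placeholder


def sign_command(key: bytes, command: str, issued_at: float, nonce: str) -> Tuple[bytes, str]:
    """Serialise the command deterministically and MAC it. Timestamp and nonce
    are inside the signed body, so an attacker cannot alter either."""
    body = json.dumps({"cmd": command, "ts": issued_at, "nonce": nonce},
                      sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, mac


class CommandVerifier:
    """Accepts each signed command at most once within a skew window."""

    def __init__(self, key: bytes, max_skew: float = 60.0):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[str, float] = {}  # nonce -> issued_at

    def verify(self, body: bytes, mac: str, now: Optional[float] = None) -> str:
        """Return "ok", "bad-signature", "stale" or "replay". `now` is
        injectable so the window logic can be tested deterministically."""
        now = time.time() if now is None else now
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison; check the MAC before trusting any field.
        if not hmac.compare_digest(expected, mac):
            return "bad-signature"
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.max_skew:
            return "stale"
        # Forget nonces older than the window: anything that old is rejected
        # as stale anyway, so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    body, mac = sign_command(SHARED_KEY, "rotate-credentials", 1000.0, "n1")
    v = CommandVerifier(SHARED_KEY)
    print(v.verify(body, mac, now=1010.0))   # first delivery
    print(v.verify(body, mac, now=1020.0))   # same message again
```

The skew window, not a "clock tampering" penalty, is what bounds replay here: a message older than `max_skew` is refused outright, and within the window the nonce cache catches the duplicate, so the cache never has to grow beyond one window's worth of traffic.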
Hey isn't that a book? (Score:2)
Re: (Score:1, Offtopic)
Re:the fix (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
There are getting more of them,
Its a good question