Sophos

Download Windows 7 security - A great leap forward or business as usual?

« The niggling b’s: Another chapter in the SQL injection story World war III has started! US has invaded Iran! Click here to see the firsthand video! »

Siberia 2 - this time it’s personal

An update for those of you following the saga that is Pushdo (1, 2).

We’re still seeing unusual API calls, but recent variants have two slight variations on this theme. Firstly they check memory for the presence or absence of a “nop” instruction, partly in order to throw emulators even further off the scent. Secondly they’re using new offsets to pluck numbers directly from the operating system. The following example uses both of these tactics:

Pushdo calculations 4

These files are detected proactively as Troj/Pushdo-Gen, and the files it drops and injects are all detected as Troj/Pushu-Gen. In the latest variants we get more than usual of these layers, though looking at the debug symbol they use helps us anchor them as before: the dropper injects a sys file into memory (Install.pdb), which drops a second sys file to disk (protect.pdb), which injects a third sys file into memory (InnerDrv.pdb), which injects a fourth sys file into memory (Loader.pdb).

Each of the files in this chaotic chain has a chilly subtext similar to before, in a boring “sequel” fashion:

Pushdo Siberia2

Is “Siberia3″ next, or can we expect a spin-off perhaps? Stay tuned for further developments.

Posted on July 8th, 2008 by Richard Cohen, SophosLabs Canada
Filed under: Malware

Email this story to a friend   Digg   Reddit   Technorati   Slashdot   Facebook   Twitter   NewsVine   MySpace   Google   Live   Mixx   del.icio.us   StumbleUpon  

Download Windows 7 security - A great leap forward or business as usual?

Related posts