Sophos


Another Pushdo spamming

Today we have seen another large spamming of a downloading Trojan masquerading as something exciting (along the usual theme of a new, hot game or picture).

Happily, the creation is proactively blocked by Sophos products as Troj/Pushdo-Gen. Just as well, since we are seeing this in large numbers: over the past 24 hours, almost 4 out of every 5 infected emails we have seen have been due to Troj/Pushdo-Gen.

As with previous variants, the latest one drops and runs a file in memory, which then proceeds to install the other components involved in this attack.

[Image: pushdo.gif]

These repeated mass-spammings used to occur each Wednesday. However, over the past few weeks we have seen the spammings occurring on other days as well. While other attacks have moved away from using email to deliver threats (e.g. Dorf), the group behind this attack is clearly having sufficient success to continue with it. Then again, email may not be their only channel: we are also seeing various malicious web sites attempting to use a variety of browser exploits in order to download and execute Troj/Pushdo-Gen on the victim machine:

[Image: pushdo2_sm.gif]

As can be seen in this example, the attack site uses a malicious script (detected as Troj/Iffy-B) to attack the client with several exploits, all in an attempt to infect the victim with this Trojan.

Whatever the case, by continuing to monitor these web and email attacks, we can hopefully continue to maintain proactive detection and protect our customers.
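The "4 out of every 5 infected emails" figure above is the kind of number a gateway operator can reproduce from their own logs, and it is also how a sudden Pushdo wave shows up in monitoring. The following is an added example, not code from Sophos or from the original post: it parses constructed mail-gateway log lines (the log format, field names, timestamps and the second detection name `Troj/Example-A` are all assumptions) and computes each detection's share of blocked mail inside a 24-hour window, flagging any name that dominates the traffic.

```python
"""Added example, not part of the Sophos post: tally anti-malware detections
from constructed mail-gateway log lines over a rolling 24-hour window and
flag a detection name that accounts for most of the blocked mail."""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample log lines. The line format, field names, timestamps and
# the detection name Troj/Example-A are assumptions made for this example.
SAMPLE_LOG = """\
2007-11-07T08:01:12Z action=blocked detection=Troj/Pushdo-Gen from=a@example.test
2007-11-07T08:03:45Z action=blocked detection=Troj/Pushdo-Gen from=b@example.test
2007-11-07T08:10:02Z action=blocked detection=Troj/Example-A from=c@example.test
2007-11-07T09:15:30Z action=blocked detection=Troj/Pushdo-Gen from=d@example.test
2007-11-07T12:40:00Z action=delivered detection=- from=e@example.test
2007-11-07T13:02:11Z action=blocked detection=Troj/Pushdo-Gen from=f@example.test
2007-11-06T07:00:00Z action=blocked detection=Troj/Pushdo-Gen from=old@example.test
"""

# Constructed "current time" used to anchor the 24-hour window.
NOW = datetime(2007, 11, 7, 14, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\S+)\s+detection=(?P<det>\S+)"
)


def parse_line(line):
    """Return (timestamp, action, detection) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("action"), m.group("det")


def detection_shares(log_text, now, window=timedelta(hours=24)):
    """Fraction of blocked, detected messages attributed to each detection
    name within `window` before `now`. Delivered mail and lines outside the
    window are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, det = parsed
        if action != "blocked" or det == "-":
            continue
        if ts > now or now - ts > window:
            continue
        counts[det] += 1
    total = sum(counts.values())
    return {det: n / total for det, n in counts.items()} if total else {}


def dominant_detection(shares, threshold=0.5):
    """Return (name, share) for a detection exceeding `threshold` of blocked
    mail, or None when no single name dominates."""
    if not shares:
        return None
    name, share = max(shares.items(), key=lambda kv: kv[1])
    return (name, share) if share >= threshold else None


def run_example():
    """Compute shares over the constructed log and report the dominant name."""
    shares = detection_shares(SAMPLE_LOG, NOW)
    return shares, dominant_detection(shares)


if __name__ == "__main__":
    shares, dominant = run_example()
    for name, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {share:.0%} of blocked mail in the last 24h")
    if dominant:
        print(f"dominant detection: {dominant[0]} ({dominant[1]:.0%})")
```

The window filter matters: the older line from the previous day is excluded, so the result reflects the current wave rather than accumulated history. On the constructed input, Troj/Pushdo-Gen accounts for 80% of blocked mail, mirroring the ratio reported in the post; in a real deployment the threshold and window would be tuned to the gateway's normal volume.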

