The Pushdo Problem
Recently we’ve seen an awful lot of spam aimed at spreading Pushdo Trojans, something we mentioned a few days ago. In fact in the last week we’ve seen at least 5 extremely aggressive campaigns, each containing new variants of the Trojans.
The author keeps changing elements of his code each time he spams out a new variant, in an attempt to break as much generic detection as possible. His tricks so far have included adding junk instructions to the code, deliberately changing the starting bytes, encrypting portions of his strings and code, generally reordering and restructuring his functionality, and changing the way he performs calls to his core API functions (for example loading some or all of them dynamically, and trying to hide the way he does so).
Flipping back and forth between techniques like these can make it very difficult to detect this sort of file proactively, and it’s something that the Dorf author is very aware of as well, which is why we sometimes update our generic Troj/Pushdo-Gen identity. In particular, though, I was pleased that we caught both Thursday’s and Friday’s campaigns before they’d even started, not least since it seems that we were one of the few vendors ahead of the game on Thursday, and the only vendor to catch Friday’s run proactively.
So what exactly do these ever-changing Trojans attempt to do? Basically they’re just glorified droppers, decrypting another file and running it directly in memory. Along the way they also employ more methods to try to evade detection, including starting new dummy threads in suspended states, then changing them to point to real code as the original code sits in an infinite loop, and shifting control to the decrypted file using the slightly unusual approach of directly modifying the system’s Process Entry Block before creating a new thread to the decrypted code.
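The encrypted second stage these droppers carry, and the encrypted strings and code mentioned earlier, stand out from ordinary x86 code by their byte entropy. The following is an added triage example (not SophosLabs code, and not derived from any Pushdo sample): it slides a window over a binary and reports regions whose Shannon entropy approaches 8 bits/byte, using a constructed sample that is half repetitive code-like bytes and half pseudo-random bytes.

```python
"""Sliding-window entropy triage for suspected encrypted payloads.
Added example, not SophosLabs code: encrypted or compressed bytes approach
8 bits/byte of Shannon entropy, ordinary x86 code and strings sit far lower,
so high-entropy regions are a cheap first-pass signal (not a verdict)."""
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, window: int = 512, step: int = 256,
                              threshold: float = 7.0) -> List[Tuple[int, int, float]]:
    """Slide a `window`-byte window over `data` in `step` increments and merge
    overlapping windows above `threshold` into (start, end, max_entropy) regions."""
    regions: List[Tuple[int, int, float]] = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h < threshold:
            continue
        end = off + window
        if regions and off <= regions[-1][1]:  # overlaps or abuts previous region
            start, _, peak = regions[-1]
            regions[-1] = (start, end, max(peak, h))
        else:
            regions.append((off, end, h))
    return regions


def build_sample() -> bytes:
    """Constructed sample (not a real Pushdo binary): 4 KiB of repetitive
    code-like bytes followed by 4 KiB of pseudo-random 'encrypted' bytes."""
    plain = ((b"\x55\x8b\xec\x83\xec\x10" + b"PushdoSample\x00") * 220)[:4096]
    rng = random.Random(1337)  # fixed seed so the output is reproducible
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    return plain + encrypted


if __name__ == "__main__":
    for start, end, h in find_high_entropy_regions(build_sample()):
        print(f"high-entropy region 0x{start:x}-0x{end:x} (peak {h:.2f} bits/byte)")
```

Legitimate compressed resources or certificates also score high, so a flagged region is a prompt for closer inspection, not a detection on its own.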

This dropped file is a member of the Troj/Pushu-Gen family of Trojans, a family that emerged several months before the Pushdo droppers. This new file in turn attempts to drop more files, though the number and the naming depend on which operating system and file system the Trojan finds. At most two are dropped as system files to provide stealthing for the Trojan and make sure it’s always running, while the third is injected directly into Internet Explorer in order to download and execute more files. All three are detected as Troj/Pushu-Gen, though at this time detection for the four components by many other AV companies is still somewhat patchy.
How many more times will the campaigns change, and will we have to update our proactive detection again? Only time will tell.
Posted on September 29th, 2007 by Richard Cohen, SophosLabs Canada
Filed under: Malware