Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Pushdo

Wednesday, December 19, 2007

Pushdo - Web Based Malware as Usual

Interesting assessment, especially the explanation of the GET variables, however, such descriptive use of POST variables to a malware's C&C server have been around for the last couple of years. What has logically changed is the added layer of obfuscation and complexity to make it hard to assess what does such a URL actually mean :

"The malware to be downloaded by Pushdo depends on the value following the "s-underscore" part of the URL. The Pushdo controller is preloaded with multiple executable files - the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specfic country or countries with a specific payload."

This is an excerpt from a previous post on "Botnet Communication Platforms" including various graphs courtesy of botnet masters circa 2004/2005 :

"The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly, decentralizing the command even improving authentication with port knocking are countless. Besides, with all the buzz of botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating in between HTTP's noise improves their chance of remaining undetected. Rather ironic, the author warns of possible SQL injection vulnerabilities in the botnet's command panel."

Here're some C&C IPs related to Pushdo :

208.66.195.71

208.66.194.242

66.246.252.215

66.246.252.213

66.246.72.173

67.18.114.98

74.53.42.34

74.53.42.61

talkely.com

Talkely.com (217.14.132.178) is also responding to arenatalk.net and worldtalk.net. There's also another bogus message next to the one mentioned in SecureWorks analysis - and it's "Under Construction Try google".

Related posts on Web Based Malware :

The Nuclear Malware Kit

The Cyber Bot

The Black Sun Bot

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Wednesday, December 19, 2007

Pushdo - Web Based Malware as Usual

No comments:

Post a Comment