A few days ago, a great analysis from SecureWorks on the Pushdo Trojan was published. The group behind this Trojan is none other than the Celebrity Gang, which we have commented on before as being a major spam player. Our observations indicate that this gang’s botnet is responsible for over 20% of spam at present.
Several interesting points came out of this analysis which illustrate the sophistication of this malware distribution mechanism:
- The Pushdo Trojan itself is a downloader that seeks to download and install additional components from a remote server.
- A custom HTTP protocol is used for communication instead of IRC.
- The server distributes a number of malicious files, including spambots and password stealers.
- The system is country ‘aware’, potentially limiting files to certain countries or groups of countries.
- The malware keeps track of the computer’s IP address, hard drive serial number, OS version, and how many times a Pushdo variant has been run, which presumably is an anti-malware-analysis feature.
- It also checks which anti-virus and firewall products are running. It doesn’t disable them; it just notes the processes and reports back to the server.
If the amount of spam this botnet is responsible for is anything to go by, the Pushdo/Celebrity gang has indeed succeeded in creating a sizeable botnet.