Pushdo
March 20, 2009
Aliases
- Cutwail
- Pushu
- Pandex
The multi-faceted Pushdo botnet has been around since at least mid 2007. It is a major spammer and sends a wide range of campaigns promoting pharmaceuticals, designer ripoffs, software and more, probably reflecting its multiple customers. It is also very active in distributing malware. With remarkable regularity it sends spam emails carrying malicious attachments, usually inside a Zip file. It used to use celebrity names, such as Angelina Jolie, as hooks to entice users to open the attachment; more recently it has switched to fake invoices. Pushdo also sends malicious campaigns exploiting social networking brands, such as Facebook. Last but not least, it is active in distributing phishing emails targeting customers of a wide range of financial institutions. It is somewhat slower at sending spam than some of the more recent spambots.
Features
- Reports to C&C server on port 80, encrypted HTTP
- Performs DNS lookups to send spam
- Uses templates
Spamming Rate
- 4500 messages per hour per bot
Command and Control
From the samples that we have examined, it connects to the following IP addresses to reach its control server:
- 208.66.192.15 (McColo) - Pre-McColo samples
- 208.66.195.71 (McColo) - Pre-McColo samples
- 208.66.194.232 (McColo) - Pre-McColo samples
- 66.232.113.80
- 69.147.239.106
- 216.195.58.114
- 94.75.233.162
Pushdo connects to its control server over HTTP on port 80 through an encrypted tunnel. The sample that we examined uses the following HTTP request:
"GET /40E8001430303030303030303030303030303030303031306C0000003C6600000000760000044CEB0005308899A3AE HTTP/1.0"
It also listens on a random UDP port for commands from its control server.
Malware Behaviour on Host
Pushdo is a trojan that is capable of downloading arbitrary files from a random website. Most of the time the downloaded file is saved in the Windows temporary folder with the filename format "BNx.tmp", where x is any digit from 0-9. The downloaded file is an executable trojan that is responsible for the spamming routine.
Pushdo drops a DLL file on the affected system, depending on the variant:
- %Systemroot%\System32\WinNt32.dll
- %Systemroot%\System32\WLCtrl32.dll
A rootkit driver is also dropped in the Windows drivers folder (c:\Windows\system32\drivers). This driver hooks functions in ntoskrnl.exe and hides the actions of the dropped DLL file.
The DLL file creates a fake SVCHOST.EXE process (file path: C:\WINDOWS\system32\svchost.exe) and injects its code into that process. It may also drop a Windows Cab file, "C:\WINDOWS\system32\WinData.cab", which contains a copy of the DLL file.
The malware sets the following registry key to execute itself as a Winlogon notification package:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32
- "DLLName"="WinNt32.dll"
- "StartShell"="WLEventStartShell"
- "Impersonate"=dword:00000000
- "Asynchronous"=dword:00000000
- "ID"=dword:0000003c (this is an auto-generated ID number)
Pushdo registers the rootkit module as a service so that it is executed automatically at Windows startup:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Qag41 (assuming the random file name of the driver it drops is "Qag41")
- "Type" = dword:00000001
- "Start" = dword:00000000
- "ErrorControl" = dword:00000000
- "ImagePath" = "System32\Drivers\Qag41.sys"
- "Group" = "SCSI Class"
It creates the following mutexes to ensure that only one instance of itself is running on an infected system:
- "gangrena"
- "germeona"
- "garbaga"
- "zone_dns_mutex"
- "zone_zdc_mutex"
- "Halflifelifedasd324"
- "wljs903111mutaga"
- "memoryallocblock"
- "crypt32LogoffPortEvent"
- "MACLinkForever"
- "mc56i56i11gurtaga"
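As an added example (not part of M86's write-up), the following PowerShell triage script checks a host for the file, registry, service and mutex artefacts listed in this section. The pattern used to match the randomly named driver and the check of the Global\ mutex namespace are assumptions, not details from the profile.

```powershell
# Added host-triage script (not part of M86's write-up): checks a Windows host for the
# Pushdo artefacts described above. Run elevated; needs PowerShell 4+ for Get-FileHash.
$findings = @()
# 1. Winlogon notification package registered under the WinNt32 key.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32'
if (Test-Path $notify) {
    $p = Get-ItemProperty $notify
    $findings += "Winlogon Notify key present: DLLName=$($p.DLLName) StartShell=$($p.StartShell)"
}

# 2. Dropped DLL variants and the CAB copy in System32.
foreach ($f in 'WinNt32.dll', 'WLCtrl32.dll', 'WinData.cab') {
    $path = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $path) { $findings += "Dropped file present: $path" }
}

# 3. Downloader staging files BN<digit>.tmp in the temp folder.
foreach ($t in Get-ChildItem $env:TEMP -Filter 'BN?.tmp' -ErrorAction SilentlyContinue) {
    if ($t.Name -match '^BN\d\.tmp$') { $findings += "Staging file present: $($t.FullName)" }
}

# 4. Boot-start kernel driver in load group "SCSI Class" with a relative ImagePath.
#    The driver name is random (assumed alphanumeric), so match on the service values the
#    profile lists. Legitimate disk-class drivers share this group, so hash hits for review.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($k in $services) {
    $svc = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
    if ($svc.Type -eq 1 -and $svc.Start -eq 0 -and $svc.Group -eq 'SCSI Class' -and
        $svc.ImagePath -match '^System32\\Drivers\\[A-Za-z0-9]+\.sys$') {
        $drv  = Join-Path $env:SystemRoot $svc.ImagePath
        $hash = if (Test-Path $drv) { (Get-FileHash $drv -Algorithm SHA256).Hash } else { 'not visible on disk (rootkit?)' }
        $findings += "Candidate driver service $($k.PSChildName): $drv SHA256=$hash"
    }
}

# 5. Infection-marker mutexes. OpenExisting throws WaitHandleCannotBeOpenedException when
#    the name is absent; try both the session-local and the Global\ namespace (assumption).
$mutexes = 'gangrena','germeona','garbaga','zone_dns_mutex','zone_zdc_mutex',
           'Halflifelifedasd324','wljs903111mutaga','memoryallocblock',
           'crypt32LogoffPortEvent','MACLinkForever','mc56i56i11gurtaga'
foreach ($m in $mutexes) {
    foreach ($name in $m, "Global\$m") {
        try { [System.Threading.Mutex]::OpenExisting($name).Dispose(); $findings += "Mutex present: $name" }
        catch [System.Threading.WaitHandleCannotBeOpenedException] { }
        catch { $findings += "Mutex $name exists but could not be opened (access denied?)" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Pushdo host artefacts found.' }
```

A hit on the driver check alone is not conclusive, since legitimate drivers use the same group and start type; treat it as a lead and review the reported hash together with the other findings.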
Pushdo connects to a list of SMTP servers to send test emails before proceeding to its spamming routine:
- mxs.mail.ru
- gmail-smtp-in.l.google.com
- gsmtp183.google.com
- in1.smtp.messagingengine.com
- mail7.digitalwaves.co.nz
Notably, the following string can be found in the malware body, both as written and reversed:
- Poshel-ka ti na hui drug aver
- reva gurd iuh an it ak-lehsoP
Last Reviewed: April 20, 2009 by Rodel Mendrez
© 2010 M86 Security. All Rights Reserved.