Friday, September 7, 2012

Pushdo Trojan Still Recruiting Computers into Botnet, Shielding C&C Traffic

Trojan HorseA new variant of the Pushdo Trojan downloader is infecting computers with the Cutwail bot engine and transforming the infected system into an evil spam-spewing machine, according to the Dell SecureWorks Counter Threat Unit.

One of the interesting things about Pushdo is that it generates fake HTTP requests to an extensive list of legitimate websites in addition to requests made to its command & control servers.

“The purpose of these fake HTTP requests is to make Pushdo's command and control (C2) traffic, which also uses HTTP, blend in with legitimate traffic,” explained Brett Stone-Gross, a Dell SecureWorks Counter Threat Unit  researcher. “It used a similar technique in a previous variant that was first introduced around February 2010.”

Unfortunately, the amount of garbage HTTP requests generated by Pushdo bots often proved too much and resulted in sites being knocked offline. Stone-Gross wrote that website owners affected by Pushdo may filter out its fake requests by creating a web server rule to drop the traffic.

Pushdo's command & control servers are currently located at:

  • shanisoft.kz (69.175.71.98)

  • hijsoft.ru (78.46.77.46)


How to Keep Pushdo Off Your PC


Being that Pushdo is typically delivered via drive-by-downloads, users can avoid having their machine turned into a spam distributor by:

  • Keeping their operating system, web browser and any other third-party software installed on your PC fully patched and up-to-date.

  • Exercising caution when following hyperlinks (this especially rings true with links embedded in emails as the primary focus of the botnet is to send out malicious spam).

  •  Always running antivirus and keeping the virus definitions current.


Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.

No comments:

Post a Comment