Evolving Pushdo - Mutant of the Future

Filed Under: Malware, SophosLabs

We've seen continued activity from the author of Pushdo this year, with new variants being pushed out on a regular basis, usually by spam.

One of the latest tricks we've seen them use is to use unusual API calls with the intention of them failing with particular error codes, and then feeding those error codes into some maths to generate the key which the Pushdo then uses to decrypt its executable payload.

Pushdo API Calculations

This sort of technique seems deliberately aimed at throwing off the majority of emulators, since it's unlikely that they would know to fail with exactly the right error codes all the time, which would then lead to the wrong decryption key being used, resulting in a garbled string of bytes instead of an embedded executable file.

It's also noteworthy that Mr Pushdo has changed the way he's structured his code - in the past a Pushdo Trojan would decrypt a file into memory and pass execution to it, then that file would drop two .sys files to disk and usually another executable to memory (all of these injected and dropped components were Pushu Trojans) ... this convoluted process of one file dropping another file dropping more files is described some more here, but it was obviously a little unwieldy and droppers within droppers inflates the size of malware code somewhat.

This may explain his current approach - recent Pushdos decrypt a file into memory as before, but this file is relatively small and doesn't carry other files around within its body - instead it contacts a remote IP address and downloads data that it splits up into files and drops to disk (usually to the Temp folder) or into memory (typically injecting it into svchost.exe). This means the original executable file he seeds out is smaller, and he can also change what files get downloaded and dropped or injected with greater ease.

Of course from our perspective though it's much the same - the file that gets dropped into memory and all the files that get downloaded are detected as Troj/Pushu-Gen.

It's clear Pushdo and Pushu will continue to evolve, not just from trends we've seen so far but also from clues left to us by the author - strings inside recent variants refer to corresponding debug symbol files with names including "Back to the Future", "Future Generation" and "Mutant of the Future". As with all malware authors, this one needs to get out more.

Mutant of the Future

You might like