Increased Pushdo aggression

Recently we have hit another twist in the PPP saga, and I am not talking point-to-point protocols. Instead I am referring to the Pushdo Prevention Problem. As regular readers will know, Pushdo is a family of Trojans that has become quite established now. The Trojans have been relentlessly mass-spammed to users over many months [1,2,3].

Historically, Sophos have coped very well with Pushdo, proactively detecting virtually all new variants. There have been occasional misses, forcing us to update our generic detections, but on the whole the vast bulk have been detected without the need for an update. However, this week has seen some new tricks from the Pushdo authors which have successfully broken our detections. So we will work on updating those generics, and perhaps also look for a new approach better suited to the latest variants. The challenge of proactive detection, the game of cat and mouse between security vendor and malware author, can become quite compelling.

It is not all negative, however. Despite the latest spammed-out executable not being proactively detected, customers are still protected:

  • Sophos anti-spam products successfully block the spammed-out message. (Pushdo is attached to the typically themed email within a ZIP archive.)
    [Example Pushdo spam message]
  • If executed on the victim machine, the dropped files are proactively detected as Troj/Pushu-Gen:
    [Pushu-Gen detection on dropped SYS file]

And, hopefully, the updates to the generic detections will once again restore proactive detection on future waves of Pushdo variants that we will almost certainly see.