The author of Pushdo is still sending out new campaigns of his malware seeded in spam. I posted before about him using obscure APIs followed by GetLastError, so I thought I’d document some variations he’s used since then.
While still calling obscure APIs, he dropped the GetLastError, choosing to get the error values through a round-about system method instead:
Having dropped the direct calling of GetLastError, next came the dropping of directly calling the obscure APIs themselves – instead he chose to dispatch system calls directly by calling a hardcoded address in order to call SYSENTER with certain parameters (an approach which will limit the versions of Windows on which his code will run):
The most recent code has been similar to this, but calculating that hardcoded address on the fly in an attempt to obscure what it’s doing:
And while the debug names in his injected files used to look forward (“Back to the Future”, “Future Generation”, “Mutant of the Future”), they’re now looking in a different direction entirely – more specifically, to Siberia:
I’ll keep you all updated on where he looks next.