
Pushdo Trojan Infects 11,000 Systems In 24 Hours

Unknown Lamer posted about 2 months ago | from the bots-everywhere dept.

Botnet 32

An anonymous reader writes Bitdefender has discovered that a new variant of the Trojan component, Pushdo, has emerged. 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey. Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remains the same.

32 comments

Missing information (3, Insightful)

Anonymous Coward | about 2 months ago | (#47474931)

What operating system does this software run on?

Re:Missing information (3, Interesting)

just_another_sean (919159) | about 2 months ago | (#47474953)

This is what I was wondering... AFAICT the first link is /.'ed and the second link doesn't go in to any technical details. I'm assuming Windows until I hear otherwise but the geographic mix is interesting; are these Windows XP boxes? Is the fact that the infections are concentrated in India and Asia an indication of the many people there that have not upgraded?

I'd never heard of Pushdo before this, anyone else know more about it?

Re:Missing information (1)

Anonymous Coward | about 2 months ago | (#47474999)

These are systems which were previously infected with Pushdo, so yes, some of them are XP.

Re: Missing information (1)

bill_mcgonigle (4333) | about 2 months ago | (#47475043)

Google cache has the first link but it also does not mention platforms!

Re:Missing information (0)

Anonymous Coward | about 2 months ago | (#47479611)

It's got to be Windows XP since that was the last unsecure version of Windows.

Re:Missing information (0, Insightful)

Anonymous Coward | about 2 months ago | (#47475161)

Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows. There wouldn't be 11,000 Linux users tricked into running it in 24 hours even if it would run correctly on all their distros because we know Linux users are too smart to run Trojans. Hell, there probably weren't 11,000 Linux machines with users sitting in front of them to BE tricked into running it in that amount of time. With Macs - well every Mac user will tell you they don't get Trojans or viruses. That leaves Windows. Lots of doofuses to be tricked there.

Re:Missing information (1)

jc42 (318812) | about 2 months ago | (#47475699)

> Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows. There wouldn't be 11,000 Linux users tricked into running it in 24 hours even if it would run correctly on all their distros because we know Linux users are too smart to run Trojans. Hell, there probably weren't 11,000 Linux machines with users sitting in front of them to BE tricked into running it in that amount of time. With Macs - well every Mac user will tell you they don't get Trojans or viruses. That leaves Windows. Lots of doofuses to be tricked there.

While I can appreciate your sarcasm, I also followed the summary's first link to the report at labs.bitdefender.com, and thought it was interesting that in the "Related posts" in the column at the right, there's a Tags section, and the very first is "android" in a large font. There's no instance of "window" or "micro" or "soft" on the page. The obvious inference to a reader is "Hmmm ... Can this actually be a major infestation on android, i.e., linux?"

But no, this list of "Related ... Tags" appears to be some sort of subtle redirection or FUD or something, because as others have already reported here, this is indeed yet another MS Windows trojan infestation. The report page lists keywords including "android", "bitcoin", "facebook", "etc, but doesn't mention MS or Windows as related.

Anyone have any idea why the folks at bitdefender might do things this way?

Re: Missing information (0)

Anonymous Coward | about 2 months ago | (#47476391)

Determining what is "related" is not an easy thing to do, programmatically speaking.

Re: Missing information (1)

jc42 (318812) | about a month ago | (#47483185)

> Determining what is "related" is not an easy thing to do, programmatically speaking.

It's especially difficult for the Media, since for most of them, "computer", "IBM machine", "Microsoft" and "Windows" are synonyms. A few have heard of things like unix and linux, and some even use a mac. But those gadgets are never called "computers", so they're not relevant to any news story dealing with computers. In common speech, saying that some new virus infects "computers" is all that needs to be said, since there are no brand names in the computer industry, only IBM and Microsoft (and maybe Apple, if that's a brand name).

I have seen a number of instances where some geeks will try to bring up non-IBM/Microsoft systems, and the media folks are clearly baffled by why people would try to change the subject, when the topic is clearly computers, not those other electronic thingies. I remember back in the early 1980s, when IBM first introduced their new DOS machines, and the reaction of lots of business and media people was "Finally there's a desktop computer." They didn't see any need to mention the brand name, because computers didn't have brand names. (The more knowledgeable did know that computers actually do have brand names, but since there was only one, it was a waste of time and page space to mention it.)

Re:Missing information (0)

Anonymous Coward | about 2 months ago | (#47475873)

FYI - You don't always need to trick someone into installing malware.

Re:Missing information (1)

tlhIngan (30335) | about 2 months ago | (#47476433)

> Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows. There wouldn't be 11,000 Linux users tricked into running it in 24 hours even if it would run correctly on all their distros because we know Linux users are too smart to run Trojans. Hell, there probably weren't 11,000 Linux machines with users sitting in front of them to BE tricked into running it in that amount of time. With Macs - well every Mac user will tell you they don't get Trojans or viruses. That leaves Windows. Lots of doofuses to be tricked there.

Well, it's easy to trick users into running questionable binaries. I mean, all you need to do is call it a crack or keygen for an app, rename it a few million times to cover the popular apps, movies and other content, and you're done.

Hell, those "download helpers" that file lockers sometimes provide? Guess what!

And most malware these days are Trojans. It's a lot easier to trick a user than to try to find a vulnerability in the OS. Even Windows is far harder to break into. Hell, good malware is userspace nowadays to avoid running into UAC dialogs.

Re:Missing information (3, Insightful)

grcumb (781340) | about 2 months ago | (#47478863)

> Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows.

This propagation rate is positively tiny. Honestly, I don't know why it's even part of the headline. For context, this paper (PDF, sorry) [thehackademy.net] shows Code Red infecting over 500,000 machines in an hour.

If 11,000 machines in a day is an event, then we should all be sitting back and breathing a sigh of relief that the bad old days are over....

(Not that I believe that they are. I just don't see any reason for the breathless headline.)

Re:Missing information (0)

Anonymous Coward | about 2 months ago | (#47478893)

> Well it runs on Windows obviously. With the number of reported infections, the speed with which it happened, and the fact that it is a Trojan (meaning you need to trick the user into running it), it can only be Windows. There wouldn't be 11,000 Linux users

FTFY!

Re:Missing information (2)

mspohr (589790) | about 2 months ago | (#47475541)

We always assume Windows (to the point where most articles don't even mention it) and that is true again in this case.
It is useful to know which versions of Windows:
Systems affected:

The Pushdo trojan malware affects the following systems:

        Windows 2003
        Windows XP
        Windows 2000
        Windows NT
        Windows 98
        Windows 95

Re:Missing information (3, Insightful)

operagost (62405) | about 2 months ago | (#47477105)

So basically, all EOL systems that have no business being connected to a network except for 2003, which also shouldn't be connected unless it has SP2 and all security patches.

Re:Missing information (-1)

Anonymous Coward | about 2 months ago | (#47477163)

> I don't read your sig. Don't waste time reading mine. Disable sigs.

Don't tell me what to do, asshole. To each their own. Or is that concept too tough for you?

11k...? (1)

Ceriel Nosforit (682174) | about 2 months ago | (#47474933)

I just don't understand how this is worth a headline on Slashdot. The targeted population centers alone are so vast and connected that 11k is a pittance. The common flu probably has a greater influence there.

Re:11k...? (1)

zephvark (1812804) | about 2 months ago | (#47475107)

Yup. Someone sneezed, everybody panic! ...this is not news.

Is this a ZeuS variant? (2)

Joe Gillian (3683399) | about 2 months ago | (#47474989)

The way the article describes Pushdo, it sounds a lot like ZeuS - they use practically the same methods of operation (DGA to generate random domain names, fast-flux to stop anyone shutting down the C&C servers) and it seems that like ZeuS, Pushdo started from an initial codebase and was changed multiple times after being shut down.

Re:Is this a ZeuS variant? (3)

Bogdan Botezatu (3413511) | about 2 months ago | (#47475099)

It's not a Zeus variant. It's world's largest spambot ever (72bn messages per day). The figures show the old bots getting upgraded to the new variant.

DGA using bots can't affect me: Why? (0)

Anonymous Coward | about 2 months ago | (#47487575)

This - FastFlux &/or Dynamic DNS utilizing botnets FAIL completely against it (+ can't communicate "back to HQ" either even IF/WHEN you are infested) -> http://it.slashdot.org/comment... [slashdot.org]

Courtesy of "yours truly", gratis (no strings attached ala tracking, malicious code, etc., for absolute 100% free) - why? It's doing the right thing by myself, others, & just in general, since I could - that's good enough reason for me & IF I am 'wrong'? Then, I don't WANT to be "right"... pretty simple.

It just works!

Simply since hosts files use host-domain names to operate blocking off such threats from even getting to you in the 1st place - ala "what you can't touch, can't touch you" allowing YOU complete local FAST control of that as well - bonus!

(Yes, they work, & even vs. massively dynamically generated ones, which sources in the security community supply & yes, that I add (or my 12 sources in the security community to), ala GarWarner from Malcovery supplying them freely as he did to all of us here on /. just the other day, regarding GameOver + CryptoLocker even if you follow his links deep enough -> http://it.slashdot.org/comment... [slashdot.org]

* I thanked and yes, COMPLIMENTED him on his fine efforts, hard work, & knowledge as well - he deserves it.

I use ZeusTracker as a source for that, since it has many variants (GameOver, IceIX, Citadel, & of course "base ZBot") - per that article's subject matter.

APK

P.S.=> It's all "fine & dandy" that the US law enforcement tries protecting us vs. that (by mandating ISP's remove those domains from DNS servers resolving them, OR, even taking over servers that are C&C in the US, or routing them thru THEIR servers for monitoring them for FULL shutdown) here in the United States, but I don't take chances & add them to my hosts file via my program, which of course, can help OTHERS AROUND THE PLANET not afforded such protections by their authorities, as well... apk
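As an added illustration of the hosts-file blocking approach this post describes (and that the C&C server-list posts further down rely on), here is a small Python script that turns a text feed of malicious domain names into a sinkhole block, merges it into an existing hosts file without clobbering the entries already there, and simulates the lookup a stub resolver performs before it ever asks DNS. This is not the poster's program nor any tool named on the page; the feed, the existing hosts content and every domain in them are constructed for the example, and the `0.0.0.0` sinkhole target and the BEGIN/END marker comments are design choices of this example.

```python
"""Build a sinkhole block for a hosts file from a domain feed.

Added illustration for the hosts-file discussion in this thread; not the
"APK Hosts File Engine" or any other program mentioned on the page. The
sample feed and hosts contents below are constructed, not real indicators.
"""
import re
from typing import List, Optional, Set, Tuple

SINKHOLE_IP = "0.0.0.0"           # unroutable target: connections fail fast, nothing listens
BEGIN_MARK = "# BEGIN sinkhole block (generated)"
END_MARK = "# END sinkhole block (generated)"

# Constructed sample feed in the common one-name-per-line style: a comment,
# duplicates differing only by case, a trailing comment, an IP literal and junk.
SAMPLE_FEED = """\
# constructed sample feed -- not real indicators
cnc-example-one.test
CNC-Example-One.test
update-node.example.invalid   # trailing comment
203.0.113.7
not a domain!
"""

# Constructed stand-in for an existing /etc/hosts that must survive the merge.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
192.0.2.10  intranet.example.invalid
"""

_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """RFC 1123 shape check; IP literals are rejected because a hosts file cannot block them."""
    if len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    if all(label.isdigit() for label in labels):   # e.g. 203.0.113.7
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def parse_feed(text: str) -> Tuple[Set[str], List[str]]:
    """Return (accepted lower-cased domains, rejected raw lines) from a text feed."""
    accepted: Set[str] = set()
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments, normalise case
        if not line:
            continue
        if is_valid_hostname(line):
            accepted.add(line)
        else:
            rejected.append(raw.strip())   # surface these instead of silently dropping them
    return accepted, rejected


def render_block(domains: Set[str]) -> str:
    """One 'SINKHOLE_IP domain' line per name, sorted, fenced by markers for later replacement."""
    lines = [BEGIN_MARK] + [f"{SINKHOLE_IP} {d}" for d in sorted(domains)] + [END_MARK]
    return "\n".join(lines) + "\n"


def merge_into_hosts(existing: str, block: str) -> str:
    """Replace a previously generated block or append a new one; safe to run repeatedly."""
    lines = existing.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        start, end = lines.index(BEGIN_MARK), lines.index(END_MARK)
        kept = lines[:start] + lines[end + 1:]
    else:
        kept = lines
    body = "\n".join(kept).rstrip("\n")
    return (body + "\n\n" if body else "") + block


def resolve(hosts_text: str, name: str) -> Optional[str]:
    """Mimic the hosts-file step of a stub resolver: first matching line wins, names are case-insensitive."""
    wanted = name.lower()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and wanted in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


if __name__ == "__main__":
    domains, rejected = parse_feed(SAMPLE_FEED)
    merged = merge_into_hosts(SAMPLE_HOSTS, render_block(domains))
    print(merged)
    print("rejected feed lines:", rejected)
    print("cnc-example-one.test ->", resolve(merged, "cnc-example-one.test"))
```

The rejected-lines list is the part worth watching in practice: an IP literal in a feed is a reminder that a hosts file only intercepts name lookups, so bots that carry hard-coded addresses, or that roll to freshly generated DGA names the feed has not caught up with yet, are not affected by it. Pairing the local block with DNS query logging gives a detection signal (a host repeatedly looking up sinkholed names is worth investigating) rather than just a silent drop.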

Pushdo/Cutwail C&C serverlist (avast) (0)

Anonymous Coward | about 2 months ago | (#47487669)

To go along with using what I wrote originally in regards to hosts files efficacy vs. FastFlux + DynDNS botnets (& a lot more in the way of malicious threats online + bandwidth sapping advertisements & FAR more) -> http://it.slashdot.org/comment... [slashdot.org]

APK

P.S.=> May not be "absolutely current" (as to the Domain Generating Algorithm used), but THOSE come out from the security community eventually, ala GarWarner of Malcovery helping us out here on /. the other day in fact, vs. GameOver (a ZBot/Zeus variant) & even CryptoLocker's many, Many, MANY 1,000s of nodes/endpoints + C&C Servers, here:

http://it.slashdot.org/comment... [slashdot.org]

However - the FINE AVAST ARTICLE from 2013 lists the KEY C&C servers it uses (200++ approximately) here:

http://blog.avast.com/2013/06/... [avast.com]

Thus, you use that data for "chopping it off @ the roots" for commands/instructions to infested enslaved systems, (effectively NULLIFYING it via host-domain name usage which FastFlux &/or Dynamic DNS using botnets ARE dependent on...)

... apk

Pushdo Trojan Infects 11,000 WINDOWSES In 24 Hours (-1)

Anonymous Coward | about 2 months ago | (#47475141)

Fixed.

Not enough people use Linux (0)

Anonymous Coward | about 2 months ago | (#47537723)

To justify attacking it as much as Windows on PC desktops - period!

See (& you'd KNOW this if you weren't some newbie): The MORE an OS is used, on ANY given hardware platform, the more it will be attacked - fact! I've seen it decades before, on DOS, & that's how I KNOW that is how it really is...

What shows that for Linux though? Android!

ANDROID's being exploited DAILY & yes, it IS a Linux (using a Linux core, which surely isn't MacOS X/IOS or Windows of any type either) variant.

APK

P.S.=> You noob shill FOOLS make me laugh with your utter b.s. & yes, you ARE "noobz" with your nigh-constant b.s. FUD you spouted here of "Linux = Secure & Windows != Secure" crap, & for coming up on 2++ decades here on /. too, no less is FALLING APART rapidly!

How/why? See above!

Yes - Your "precious Linux" IS not invulnerable, period!

Which yes, as far as Linux goes? Yes, I like & use(d) it too - but I went back to Windows due to better hardware driver availability + more programs for my purposes that are available on Windows but NOT on Linux!

(However I do *NOT* like your bullshit you all spouted here which my proofs above toss into the shitter easily along with "your kind" with it as well)

Yes: Linux IS being attacked, HUGELY, & where it "rules" on smartphones as the hardware platform (unfortunately, with a STUPID Java/Dalvik front-end that opens it up MORE to attack & exploit, which it has been because of that & it is NOT "invulnerable", proof's above)... apk

No-Ip (2)

Curunir_wolf (588405) | about 2 months ago | (#47476353)

Just shutdown No-IP servers. That should fix it.

I already do, albeit locally (so can you)... apk (0)

Anonymous Coward | about 2 months ago | (#47487593)

This does the trick for you, on YOUR system locally, giving YOU complete control too -> http://it.slashdot.org/comment... [slashdot.org]

* It just works & especially vs. FastFlux &/or Dynamic DNS using botnets (the most advanced + dangerous design there is, but they FAIL vs. hosts files users that populate against their mechanics, totally...)

FACT - & it gets its data for doing so from 12 reputable + reliable sources for it in the security community itself that monitor such threats...

APK

P.S.=> Enjoy - should you elect to use it (it's free, works, & does the job BETTER than any single browser addon under the sun + even shores up DNS redirect issues - bonus!)... apk

List of Pushdo/Cutwail C&C servers (avast) (0)

Anonymous Coward | about 2 months ago | (#47487663)

To go along with using what I wrote originally in regards to hosts files efficacy vs. FastFlux + DynDNS botnets (& a lot more in the way of malicious threats online + bandwidth sapping advertisements & FAR more) -> http://it.slashdot.org/comment... [slashdot.org]

APK

P.S.=> May not be "absolutely current" (as to the Domain Generating Algorithm used), but THOSE come out from the security community eventually, ala GarWarner of Malcovery helping us out here on /. the other day in fact, vs. GameOver (a ZBot/Zeus variant) & even CryptoLocker's many, Many, MANY 1,000s of nodes/endpoints + C&C Servers, here:

http://it.slashdot.org/comment... [slashdot.org]

However - the FINE AVAST ARTICLE from 2013 lists the KEY C&C servers it uses (200++ approximately) here:

http://blog.avast.com/2013/06/... [avast.com]

Thus, you use that data for "chopping it off @ the roots" for commands/instructions to infested enslaved systems, (effectively NULLIFYING it via host-domain name usage which FastFlux &/or Dynamic DNS using botnets ARE dependent on...)

... apk

Country least affected... (2)

operagost (62405) | about 2 months ago | (#47476939)

North Korea is least affected, due to their "Don't let anyone have computers, well they don't have electricity anyway" security policy.

Okay so a bitdefender ad ? What's the Vector? (1)

Virtucon (127420) | about 2 months ago | (#47476993)

Is this distributed by E-Mail, a bug in Windows? IE, Firefox etc.?

Just use Linux. (1)

stooo (2202012) | about 2 months ago | (#47480855)

Just use Linux.

Pushdo (or ANY botnet) can't affect me (0)

Anonymous Coward | about 2 months ago | (#47487565)

OR any users of my program (which adds more speed, security, reliability, & even anonymity PLUS shores up DNS redirect security issues (bonus)):

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of benefits in link)

Summary:

---

A.) Hosts do more than:

1.) AdBlock ("souled-out" 2 Google/Crippled by default)
2.) Ghostery (Advertiser owned) - "Fox guards henhouse"
3.) Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B.) Hosts add reliability vs. downed/redirected dns (& overcome redirects on sites, /. beta as an example).

C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity/room 4 breakdown,

D.) Hosts files yield more:

1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs Fastflux + dynamic dns botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).

---

* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons = more complex + slow browsers in message passing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray is destroying Adblock.

* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption too + hugely excessive cpu use (4++gb extra in FireFox https://blog.mozilla.org/nneth... [mozilla.org] )

Work w/ a native kernelmode part - hosts files (An integrated part of the ip stack)

APK

P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

...apk

List of Pushdo C&C servers (for those interest (0)

Anonymous Coward | about 2 months ago | (#47487659)

To go along with using what I wrote originally in regards to hosts files efficacy vs. FastFlux + DynDNS botnets (& a lot more in the way of malicious threats online + bandwidth sapping advertisements & FAR more) -> http://it.slashdot.org/comment... [slashdot.org]

APK

P.S.=> May not be "absolutely current" (as to the Domain Generating Algorithm used), but THOSE come out from the security community eventually, ala GarWarner of Malcovery helping us out here on /. the other day in fact, vs. GameOver (a ZBot/Zeus variant) & even CryptoLocker's many, Many, MANY 1,000s of nodes/endpoints + C&C Servers, here:

http://it.slashdot.org/comment... [slashdot.org]

However - the FINE AVAST ARTICLE from 2013 lists the KEY C&C servers it uses (200++ approximately) here:

http://blog.avast.com/2013/06/... [avast.com]

Thus, you use that data for "chopping it off @ the roots" for commands/instructions to infested enslaved systems, (effectively NULLIFYING it via host-domain name usage which FastFlux &/or Dynamic DNS using botnets ARE dependent on...)

... apk
