Inside a Modern Malware Distribution System
SecureWorks anti-malware guru Joe Stewart is not one to be intimidated by advances in online crime activity. But, when he reversed the backend code associated with the Pushdo Trojan downloader, he discovered a modern malware distribution system fitted with complex tracking mechanisms and hiding techniques—another clear sign that virus fighters are up against a clever and sophisticated enemy.
Stewart, a veteran reverse-engineer who spends the majority of his time breaking apart malware samples, said the control server that powers Pushdo is preloaded with about 421 different malware executables—waiting to be delivered to infected Windows machines.
The malware itself uses electronic greeting card lures—spammed to e-mail inboxes—to trick Windows users into launching the executable.
Once the Trojan is executed, Pushdo immediately reports back to an IP address embedded in the code and connects to a server that pretends to be an Apache Web server and listens on TCP port 80.
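The one detail in that paragraph a defender can act on is the shape of the first contact: an outbound HTTP connection on TCP port 80 to a hard-coded IP address rather than a DNS name. The following Python is an added example, not code from the article or from SecureWorks, showing how that heuristic could be run over proxy logs. The log format, the sample lines and the `server=` field are all constructed for the example; the article does not describe what the fake Apache server actually sends.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (hypothetical format, not from the article):
# "<time> <client_ip> <dst_host>:<dst_port> <method> <path> server=<Server header>"
# 203.0.113.42 is a documentation address, not a real indicator.
SAMPLE_LOG = """\
2007-08-15T10:01:02Z 10.0.0.5 www.example.com:80 GET /index.html server=Apache
2007-08-15T10:01:09Z 10.0.0.5 203.0.113.42:80 POST /in.php server=Apache
2007-08-15T10:02:11Z 10.0.0.7 198.51.100.9:443 GET / server=nginx
2007-08-15T10:03:30Z 10.0.0.5 cdn.example.net:80 GET /img.png server=Apache
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) server=(\S+)$")


@dataclass
class Request:
    ts: str
    client: str
    dst: str
    port: int
    method: str
    path: str
    server: str


def parse_log(text):
    """Parse the constructed log format into Request records, skipping malformed lines."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, dst, port, method, path, server = m.groups()
        reqs.append(Request(ts, client, dst, int(port), method, path, server))
    return reqs


def is_ip_literal(host):
    """True when the destination is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_suspicious(reqs):
    """Return requests that go to a bare IP on port 80 with no DNS name involved,
    which is how the article describes Pushdo's first contact with its controller.
    This is a triage heuristic, not a verdict: some legitimate software also talks
    to raw addresses, so hits should be correlated with the client's other activity."""
    return [r for r in reqs if r.port == 80 and is_ip_literal(r.dst)]


if __name__ == "__main__":
    for hit in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{hit.ts} {hit.client} -> {hit.dst}:{hit.port} {hit.method} {hit.path} (Server: {hit.server})")
```

On the constructed sample this flags exactly one line, the POST to `203.0.113.42:80`; the port 443 connection to a raw address is deliberately left out of scope, since the article only describes the port 80 behaviour.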