MSRT February – When Push Comes to Shove

This month we add another bot family to MSRT – Win32/Pushbot. Pushbot is, in many ways, an “old school” bot. It is controlled through IRC, it can distribute itself through several different channels and its source code is more or less open (for those who mix in certain circles). Like Win32/Rbot, Pushbot isn’t one piece of malware that is updated and maintained by one group of malware writers, but rather a collection of malicious programs created by different people based on a common base of source code. The core code of Pushbot is based on something called Reptile, which dates back to 2005. Reptile, in turn, appears to have been based on Win32/Sdbot, just as Win32/Rbot was.
Because they are created and released by different people, the functionality can vary from one instance to the next; however, the basic features are universal. They are all IRC bots at heart, although each may be controlled through a different IRC server. They all spread in one way or another. Spreading via instant messaging applications such as AIM and Windows Live Messenger was one of the defining features of the Pushbot family, but many recent variants have this functionality disabled, i.e. the code is present in the malware, but never executed. Like other recent MSRT additions Hamweq and Rimecud, current Pushbots copy themselves to removable drives along with an autorun.inf file to attempt to launch the malware when the drive is connected to another machine. As David mentioned in his Hamweq blog, Windows 7 effectively ignores autorun.inf entries for removable drives apart from CDs and DVDs. Follow these instructions to update earlier versions of Windows to behave the same way.
Pushbot’s raison d'être is the same as most bots – to control as many machines as possible. This control is mostly exploited by instructing infected machines to download other malware, which could be anything from password stealers to rogue security software. Some Pushbot variants can also be commanded to steal password information themselves, or launch distributed denial of service attacks.

-Hamish O’Dea

Comments (0)

Skip to main content