In this section

• Home
• Security
• SophosLabs blog
• 2008
• 05

• Analyses
• SophosLabs
• SophosLabs blog
• Spyware and adware
• Top 10 malware
• Hoaxes
• Technical papers
• Email notification
• Best practice
• White papers
• Web seminars
• Podcasts
• Hot topics

29 May 2008 22:27 GMT

Pushdo - Cold Calling

The author of Pushdo is still sending out new campaigns of his malware seeded in spam. I posted before about him using obscure APIs followed by GetLastError, so I thought I’d document some variations he’s used since then.

While still calling obscure APIs, he dropped the GetLastError, choosing to get the error values through a round-about system method instead:

Having dropped the direct calling of GetLastError, next came the dropping of directly calling the obscure APIs themselves - instead he chose to dispatch system calls directly by calling a hardcoded address in order to call SYSENTER with certain parameters (an approach which will limit the versions of Windows on which his code will run):

The most recent code has been similar to this, but calculating that hardcoded address on the fly in an attempt to obscure what it’s doing:

And while the debug names in his injected files used to look forward (”Back to the Future”, “Future Generation”, “Mutant of the Future”), they’re now looking in a different direction entirely - more specifically, to Siberia:

I’ll keep you all updated on where he looks next.

Richard Cohen, SophosLabs Canada

• Bookmark with del.icio.us
• Submit this story to digg
• Submit this story to slashdot