We have recently seen a large rise in traffic originating from the Pushdo Trojan and an increase in the number of customers coming to us for help in dealing with this botnet. This is not a guide on what to do if your computer has been infected (for that, download a good antivirus or anti-malware product). Instead, this is a PSA for anyone that is seeing Pushdo traffic across their website. While we at Distil Networks automatically mitigate the attacks originating from Pushdo against our customers, we wanted to share our insights to help those combating the attack on their own.
Why would you be seeing Pushdo traffic across your website? In fact, you are nothing more than an innocent pawn meant to serve as a diversion for a hidden global network. The writers of the Pushdo virus were very clever and rationalized that it was inevitable for their virus to get discovered. Once a security researcher found the virus, the first thing they would do would be to figure out who the virus is communicating with and what it’s saying. So to disguise the communication and origins of Pushdo, its creators designed it to send thousands of requests every minute to all sorts of completely random and unrelated websites. Buried deep in that torrent of requests is one tiny communication with its command and control center. While this may seem crude, it is quite effective in concealing the origins of Pushdo.
Now that you better understand why, let’s talk about some facts of the virus. It is not selective and targets anything from .edu domains to .coms. Within our own network, we see most attacks happening across dictionary-word domains such as example.com. This doesn’t mean it ignores all other domains or gTLDs, but Pushdo does disproportionately target plain-word domains. This suits the writers of Pushdo, who don’t really care about requests made to other websites; rather, they care that there are enough of them to mask the occasional commands being sent out. What’s easier than [English word] dot com for the list?
Over the years, Pushdo has evolved greatly, and its recent resurgence can be credited to the constant iterations meant to evade antivirus efforts. Pushdo was first seen over 6 years ago and was a very prolific virus in 2007. Security researchers were able to contain it then, but recently it has made several new adaptations that have caused a widespread reinfection. We’ve seen hundreds of unique IPs that have participated in the botnet, and the majority of the requests come from consumer ISPs. These IPs are very widely distributed, making ACL actions impractical. We have also seen over 200 countries that are infected by the virus, with the highest proliferation being in emerging countries such as Indonesia, Thailand, Mexico, and India, making country blocks impractical. A breakdown by country follows:
So what can you do?
In the past, the virus was easier to detect because all TCP communications were sent as GET requests with no HTTP headers attached to any of the requests. Now, the virus is much more sophisticated and cycles through a list of legitimate HTTP headers, making its communication look completely legitimate to web servers. We have identified over 200 user agents that the virus pretends to be, making it very difficult to filter out. The virus even pretends to be an iPad and iPhone, despite the fact that the virus only infects Windows computers. One recent adaptation is that the majority of communication sent by Pushdo is no longer GET requests, but instead POST. Additionally, this request is made against the home directory of a domain, not any subpages. So this means that as a webmaster, you may be able to limit some of the effects of the virus by dropping any POST that comes to the home directory.
Rate limiting can have a minimal impact on protecting your web server, but because of the distributed nature of the attack, it will not be enough. Since most of the Pushdo attacks originate from emerging countries, you can also put country block rules in place to limit your exposure to the attack. Again, this won’t solve the problem completely, but it will significantly reduce the volume of the attack.
Another key indicator of the virus is that, in general, the requests are made against the root domain, not any subdomain of the website. That is, Pushdo sends its request directly to example.com, not to www.example.com. Pushdo also does not obey any redirects. For the do-it-yourself webmasters, this means that you can start blocking traffic that sends multiple requests to your root domain without regard to redirects. Moreover, combining this with the previous rule, you can block traffic that sends POSTs directly to your root domain and home directory (example.com/).
One important note: you will not want to put in place any extended IP blocking rules. The Pushdo virus infects home computers on residential networks that do not have static IPs. This means that the IP you block today will likely belong to a completely new and innocent person tomorrow. Blocking any IP for more than 24 hours will lead to legitimate traffic being blocked.
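The three do-it-yourself rules above (POSTs to the home directory, requests aimed at the bare root domain rather than www, repeated requests that ignore redirects, and IP blocks that expire within 24 hours) can be turned into a small log-analysis check. The following is an added example written for this post, not Distil Networks' own tooling: it parses a handful of constructed access-log lines (combined log format with the Host header appended as a last field, which is an assumption about your log format), counts per-IP POSTs to "/" on the apex host that keep coming after a redirect, and keeps the resulting block list on a 24-hour expiry so a reassigned residential IP is not punished tomorrow.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Pushdo traffic). Format assumed here:
# combined log format plus the Host header as a trailing field.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2013:12:00:01 +0000] "POST / HTTP/1.1" 301 0 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X)" example.com
203.0.113.10 - - [10/Jun/2013:12:00:03 +0000] "POST / HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 6.1)" example.com
203.0.113.10 - - [10/Jun/2013:12:00:05 +0000] "POST / HTTP/1.1" 301 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0)" example.com
198.51.100.7 - - [10/Jun/2013:12:00:07 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)" www.example.com
198.51.100.7 - - [10/Jun/2013:12:00:09 +0000] "POST /contact HTTP/1.1" 200 200 "http://www.example.com/contact" "Mozilla/5.0 (Windows NT 6.1)" www.example.com
192.0.2.44 - - [10/Jun/2013:12:00:11 +0000] "POST / HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 5.1)" example.com
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_root_post(rec, apex):
    """The post's first two rules: a POST to the home directory, sent to the
    bare apex host (example.com) rather than a subdomain such as www."""
    return rec["method"] == "POST" and rec["path"] == "/" and rec["host"] == apex


def find_suspects(log_text, apex, threshold=2):
    """Return {ip: count} for IPs that sent at least `threshold` root POSTs to
    the apex host. A 3xx answer followed by yet another root POST from the same
    IP is the 'ignores redirects' behaviour; those repeats are what we count."""
    counts = defaultdict(int)
    redirected = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_root_post(rec, apex):
            continue
        counts[rec["ip"]] += 1
        if 300 <= rec["status"] < 400:
            redirected.add(rec["ip"])
    # Only flag IPs that kept posting to "/" after being redirected at least once.
    return {ip: n for ip, n in counts.items() if n >= threshold and ip in redirected}


class ExpiringBlockList:
    """Block list whose entries lapse after `ttl` (24 hours by default), so an
    IP reassigned to a different residential customer is not blocked for long."""

    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self._expires = {}

    def block(self, ip, now):
        self._expires[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        expiry = self._expires.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expires[ip]  # lapse the entry instead of blocking forever
            return False
        return True

    def active(self, now):
        return sorted(ip for ip in list(self._expires) if self.is_blocked(ip, now))


if __name__ == "__main__":
    now = datetime.strptime("10/Jun/2013:12:01:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    suspects = find_suspects(SAMPLE_LOG, "example.com")
    blocks = ExpiringBlockList()
    for ip in suspects:
        blocks.block(ip, now)
    print("flagged:", suspects)
    print("blocked now:", blocks.active(now))
    print("blocked in 25h:", blocks.active(now + timedelta(hours=25)))
```

With the constructed log, only 203.0.113.10 is flagged: it posts to "/" on the apex host three times and keeps going after a 301. The legitimate visitor on www.example.com is never counted, and the single root POST from 192.0.2.44 stays under the threshold. Raising `threshold` or adding the user-agent list mentioned above would tighten the rule further; the expiry in `ExpiringBlockList` is what keeps the block from outliving the DHCP lease it was aimed at.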
Hopefully this was helpful.
Interested in proactive protection against malicious bots like Pushdo? Sign Up for a no obligation free trial today.
N.B. This is how to remove the Pushdo virus and clean an infected computer: http://www.iss.net/security_center/reference/vuln/Trojan.Pushdo_Variants.html