We’ve all been there. Your scheduled scan displays a popup with text similar to
“A malicious file c:\definatelyNotAVirus_Honest.exe has been detected on your computer”
On finding a malicious file, some network administrators will even proactively submit suspicious files to multi-scanner online services such as “Virus Total” – which will scan the file with 40 or so different vendors’ engines and report the file’s detection results.
Notice the word that has been used four times above – file. One of the core modules of antivirus technology is based on scanning executable files – which is why Pushdo goes out of its way to avoid them whenever possible.
We’ve mentioned previously that Pushdo contains a lot of different sub-components, and that must mean lots of exes, dlls and sys files littering up the system, right? Wrong – in fact Pushdo only needs to write two files to disk and does everything possible to avoid touching the disk in any other way. To better understand, let’s step you through a standard Pushdo attack (keep an eye out for the number of times it actually accesses the hard disk):
1. A user gets lured to a malicious site triggering a series of exploits that injects the Pushdo installer directly into memory.
2. Pushdo copies itself as a single file to the System directory.
3. Right after this, and on every boot, it downloads other malware components – but keeps them in memory, never writing them to disk.
4. One of these malicious components downloads a kernel mode rootkit, which is installed as a device driver in the system.
For our less eagle-eyed readers, steps 2 and 4 are the only times that a malicious file is written to disk; in other words, the real time scanner “can’t touch” any of the other components.
With each Windows process having 2GB of virtual memory space, actually scanning memory is incredibly time-consuming for an antivirus scanner, so much so that many do not even try.
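The practical way around the cost of scanning a whole address space is to not scan all of it: legitimate code is almost always mapped from an executable file on disk, so a defender can enumerate a process’s memory regions and look only at the ones that are executable but not backed by any file. The script below is an added example, not code from the original post or from Trend Micro; it parses the plain-text Linux /proc/<pid>/maps layout because that format is easy to demonstrate offline, and the sample map lines in it are constructed for this example. On Windows the same information comes from VirtualQueryEx (private, executable regions with no backing image), and the classification logic is identical.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of a /proc/<pid>/maps listing. The rwxp region with no
# path is the kind of "downloaded straight into memory" component the post
# describes: executable, private, and not backed by any file on disk.
SAMPLE_MAPS = """
00400000-00452000 r-xp 00000000 08:01 1310720 /usr/bin/someapp
00652000-00653000 rw-p 00052000 08:01 1310720 /usr/bin/someapp
01a00000-01a21000 rw-p 00000000 00:00 0 [heap]
7f3c4c000000-7f3c4c1c0000 r-xp 00000000 08:01 262271 /lib/x86_64-linux-gnu/libc.so.6
7f3c4c400000-7f3c4c480000 rwxp 00000000 00:00 0
7f3c4c600000-7f3c4c602000 r-xp 00000000 00:00 0 [vdso]
7ffd0a000000-7ffd0a021000 rw-p 00000000 00:00 0 [stack]
"""

# Kernel-provided pseudo-regions that are executable by design, not malware.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}

_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        # Bracketed names such as [heap] and [stack] are not files on disk.
        return bool(self.path) and not self.path.startswith("[")


def parse_maps(text: str) -> List[Region]:
    """Parse maps-format lines; lines that do not match the layout are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        regions.append(
            Region(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip())
        )
    return regions


def suspicious_regions(regions: List[Region]) -> List[Region]:
    """Executable regions with no backing file: the only ones worth a content scan."""
    return [
        r for r in regions
        if r.executable and not r.file_backed and r.path not in KERNEL_PSEUDO
    ]


def scan_budget(regions: List[Region]) -> Tuple[int, int]:
    """Bytes in the whole address space versus bytes actually worth scanning."""
    total = sum(r.size for r in regions)
    flagged = sum(r.size for r in suspicious_regions(regions))
    return total, flagged


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    for r in suspicious_regions(regions):
        print(f"unbacked executable region {r.start:#x}-{r.end:#x} perms={r.perms}")
    total, flagged = scan_budget(regions)
    print(f"{flagged} of {total} bytes need a content scan")
```

The output is a triage list rather than a verdict: a JIT compiler or a self-unpacking installer also allocates writable, executable memory, so the flagged regions are what a memory scanner should spend its time on, not proof of infection. The point is the ratio that scan_budget reports: the expensive byte-level scan only has to cover a small fraction of the address space.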
So how can you protect against a threat like Pushdo? The answer is in a multi-layered defence approach such as that provided by Trend Micro’s Smart Protection Network – but more on that in our final article. Come back later this week for our penultimate piece – “Pushdo/Cutwail – Sniffing for the win”.
Previous Pushdo/Cutwail posts from this series can be read at the following links:
Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
Pushdo/Cutwail – From Russia with Love (Part 2 of 5)