Pushdo - Analysis of a Modern Malware Distribution System

http://www.secureworks.com/research/threats/pushdo/

"The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."

"As another anti-anti-malware function, Pushdo will look at the names of all running processes and compare them to the following list of anti-virus and personal firewall process names:

* avp.exe
* Armor2net.exe
* kpf4ss.exe
* blackd.exe
* PXAgent.exe
* ipfsrv.exe
* safensec.exe
* mcagent.exe
* mpsevh.exe
* mcuimgr.exe
* mcpromgr.exe
* mcusrmgr.exe
* mcupdmgr.exe
* mclogsrv.exe
* mctskshd.exe
* NPFSVICE.exe
* outpost.exe
* symlcsvc.exe
* sspfwtry2.exe
* vsmon.exe
* xcommsvr.exe
* vsserv.exe
* livesrv.exe
* drweb32w.exe
* nod32krn.exe
* PAVFNSVR.exe
* PAVSRV51.exe

Instead of killing off these processes, as many other trojans/viruses attempt to do, Pushdo merely reports back to the controller which ones are running, by appending "proc=" and a list of the matching process names to the HTTP request parameters. This type of reconaissance is useful when determining which anti-virus engines or firewalls are preventing the malware from running or phoning home, by their absence from the statistics. This way the Pushdo author doesn't have to maintain a test environment for each AV/firewall product."