Malicious Software Removal Tool February 2010 Update

Feb 11, 2010 12:18 GMT

A free Microsoft security solution designed to tackle only specific pieces of malicious code has been updated to take on a worm with botnet-building capabilities. The February 2010 refresh of the Malicious Software Removal Tool, coinciding with this month’s security bulletin releases, which patched 26 vulnerabilities across Windows and Office, is now capable of detecting and removing infections produced by Win32/Pushbot. Win32/Pushbot is a bot family that can compromise machines and allow attackers to take over infected PCs, which they can then control through IRC.

“Like Win32/Rbot, Pushbot isn’t one piece of malware that is updated and maintained by one group of malware writers, but rather a collection of malicious programs created by different people based on a common base of source code. The core code of Pushbot is based on something called Reptile, which dates back to 2005. Reptile, in turn, appears to have been based on Win32/Sdbot, just as Win32/Rbot was,” revealed Hamish O’Dea, from the Microsoft Malware Protection Center.

Pushbot has been created with the sole purpose of harvesting zombie computers, which bot owners can then leverage for a variety of purposes. “This control is mostly exploited by instructing infected machines to download other malware, which could be anything from password stealers to rogue security software. Some Pushbot variants can also be commanded to steal password information themselves, or launch distributed denial of service attacks,” O’Dea added.

According to Microsoft, Pushbot is capable of spreading itself through instant messaging clients, such as AIM and Windows Live Messenger. However, some attackers have disabled this feature in their copies of Pushbot, and are relying instead on the malware’s ability to infect removable drives.

“Current Pushbots copy themselves to removable drives along with an autorun.inf file to attempt to launch the malware when the drive is connected to another machine. As David mentioned in his Hamweq blog, Windows 7 effectively ignores autorun.inf entries for removable drives apart from CDs and DVDs. Follow these instructions to update earlier versions of Windows to behave the same way,” O’Dea stated.
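For defenders who want to audit removable media for the autorun.inf launch entries described above, the following is an added example, not code from the original article or from Microsoft. The key names are the documented `[autorun]` keys; the sample file contents, paths and the extension list are constructed for illustration.

```python
import re
import sys

# [autorun] keys that make Windows start a program when AutoRun is honoured.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Assumed list of file types worth flagging; extend as needed.
EXEC_TARGET = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.I)

# Constructed samples: one with launch entries hidden among junk, one benign.
SAMPLE_FLAGGED = r"""
; constructed sample
[AutoRun]
xqzt 1234
open=folder\sample.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=folder\sample.exe
"""
SAMPLE_BENIGN = "[autorun]\nicon=drive.ico\nlabel=Backup Drive\n"

def launch_entries(text):
    """Return (key, command) pairs in [autorun] that would start a program."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk padding and other sections are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            found.append((key.lower(), value))
    return found

def is_suspicious(text):
    """True when any launch entry points at an executable or script file."""
    return any(EXEC_TARGET.search(cmd) for _, cmd in launch_entries(text))

if __name__ == "__main__":
    # Usage: python audit_autorun.py E:\autorun.inf [more files...]
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            print(path, "SUSPICIOUS" if is_suspicious(fh.read()) else "ok")
```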

Malicious Software Removal Tool is available for download here.