Backdoor.Win32.Kelihos (Trojan.Win32.Generic!BT)

by Atlantis on February 4th, 2013 in Malware Descriptions, Security Alert.

Platform: Win32
Type: Trojan
Size: 878592  bytes
Language: C++
MD5: 1f19849a7befa7bf2e3ca04e2757829d
SHA1: 478260ca3fdbcb792a5756956838d2260121de25
Aliases: Backdoor:Win32/Kelihos.F (Microsoft), TrojanPSW.FTPAgent

Summary

The Trojan is designed to steal the user's confidential data and to send targeted spam emails.

Technical Details

Installation

To be launched automatically each time Windows boots on the victim machine, the Trojan creates a link to its executable file in the system registry Run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent"="<original_path_to_trojan_file>"

Payload

The Trojan adds a registry key:

[HKCU\Software\Sony]
"SonyID"="DCmkXuRtjruvB1iHVBkEJlW2S+BimFp/lF4WuQjFyUZiEEBn51H4u+8OsvFwcsEfxA=="
"SonyID1"=dword:00000050
"SonyID2"=hex:00,00,00,00,00,00,00,00
"SonyID3"= (data_in_hex)

where it stores its service data in encrypted form.
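As an added example (not from the original description), the following Python parses a text export of the registry (a .reg file) and flags the two artifacts named above: the "SonyAgent" value under the Run key and the HKCU\Software\Sony key with its SonyID* values. The sample export embedded below is constructed, and the executable path in it is a placeholder.

```python
"""Check a Windows registry export (.reg text) for the Kelihos registry
artifacts: the SonyAgent Run value and the HKCU\\Software\\Sony key.
Added example, not part of the original description; the .reg text
below is constructed for illustration."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SONY_KEY = r"HKEY_CURRENT_USER\Software\Sony"
RUN_VALUE = "SonyAgent"
SONY_VALUES = {"SonyID", "SonyID1", "SonyID2", "SonyID3"}


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}.
    Only the subset of the format needed here is handled: [key] headers,
    quoted value names, and "string", dword: or hex: data on one line."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_kelihos_artifacts(text):
    """Return human-readable findings for the indicators from the
    description. An empty list means neither artifact is present."""
    keys = parse_reg_export(text)
    findings = []
    run = keys.get(RUN_KEY, {})
    if RUN_VALUE in run:
        findings.append(f"persistence: {RUN_KEY}\\{RUN_VALUE} = {run[RUN_VALUE]}")
    sony = keys.get(SONY_KEY)
    if sony is not None:
        present = sorted(SONY_VALUES & set(sony))
        findings.append(f"config key: {SONY_KEY} (values: {', '.join(present) or 'none'})")
    return findings


# Constructed sample export; the SonyAgent path is a placeholder, not an
# observed value. A benign Run entry is included to show it is ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"SonyAgent"="C:\\Users\\victim\\AppData\\Local\\Temp\\sony.exe"

[HKEY_CURRENT_USER\Software\Sony]
"SonyID"="DCmkXuRtjruvB1iHVBkEJlW2S+BimFp/lF4WuQjFyUZiEEBn51H4u+8OsvFwcsEfxA=="
"SonyID1"=dword:00000050
"SonyID2"=hex:00,00,00,00,00,00,00,00
'''

if __name__ == "__main__":
    for finding in find_kelihos_artifacts(SAMPLE_REG):
        print(finding)
```

On a live machine the export would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for the HKCU key); the parser deliberately matches the value name "SonyAgent" rather than a path, because the path depends on how the sample was delivered.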

The Trojan then updates a list of root certificates by downloading files:

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

The malware then sets up secured (encrypted) connections to the attacker's servers, from which it receives remote commands and data to control the bot:

77.87.41.213
68.174.155.3
37.221.128.12
111.118.2.116
97.92.154.172

Depending on the operation required, the following web resources are requested from those servers:

welcome.htm
home.htm
login.htm
start.htm
default.htm
install.htm
file.htm
setup.htm

The incoming and outgoing traffic is encrypted. From the command server, the malware receives a list of servers to be attacked, a list of servers through which spam emails are to be sent, spam content, links to files to download and launch on the user's PC, and commands for the bot. The bot can perform the following actions:

  • Perform DoS attacks on the servers in the received target list;
  • Act as a Proxy server;
  • Send spam emails;
  • Monitor the network traffic.
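As an added example, not part of the original write-up, the following Python flags web-proxy log lines that match the command-and-control indicators listed above: connections to any of the five command server addresses, and requests for one of the listed resource names made directly to a bare IP address, which is how the bot talks to its servers. The log line format and the sample lines are constructed; the benign addresses are RFC 5737 documentation ranges.

```python
"""Match proxy log lines against the Kelihos C2 indicators from the
description. Added example, not from the original write-up; the log
format and sample lines are constructed."""
import re

# Command server addresses from the description.
C2_ADDRESSES = {
    "77.87.41.213", "68.174.155.3", "37.221.128.12",
    "111.118.2.116", "97.92.154.172",
}
# Web resources the bot requests depending on the operation.
C2_RESOURCES = {
    "welcome.htm", "home.htm", "login.htm", "start.htm",
    "default.htm", "install.htm", "file.htm", "setup.htm",
}

# Constructed key=value log format used by this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) uri=(?P<uri>\S+) status=(?P<status>\d+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing matches.
    'high'   - destination is a known command server.
    'medium' - a C2 resource name requested from a bare IP (no hostname),
               a weaker signal worth reviewing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, uri = m.group("dst"), m.group("uri")
    # Take the last path component and drop any query string.
    resource = uri.rsplit("/", 1)[-1].split("?", 1)[0]
    if dst in C2_ADDRESSES:
        return ("high", f"known Kelihos command server {dst} ({uri})")
    if resource in C2_RESOURCES and IPV4_RE.match(dst):
        return ("medium", f"C2-style resource {resource} fetched from bare IP {dst}")
    return None


def scan_log(lines):
    """Run classify() over an iterable of lines and return
    [(line_number, severity, reason), ...] for the hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits


# Constructed sample traffic: one known C2 hit, two bare-IP resource hits,
# and two benign lines (one of them requesting login.htm from a hostname).
SAMPLE_LOG = """\
2013-02-04T10:15:02Z src=10.0.0.5 dst=198.51.100.7 method=GET uri=/index.html status=200
2013-02-04T10:15:09Z src=10.0.0.5 dst=77.87.41.213 method=POST uri=/start.htm status=200
2013-02-04T10:15:31Z src=10.0.0.5 dst=203.0.113.9 method=POST uri=/file.htm status=200
2013-02-04T10:16:00Z src=10.0.0.5 dst=203.0.113.9 method=GET uri=/home/login.htm?x=1 status=200
2013-02-04T10:16:12Z src=10.0.0.6 dst=wiki.example.net method=GET uri=/login.htm status=200
""".splitlines()

if __name__ == "__main__":
    for n, severity, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: [{severity}] {reason}")
```

The resource names alone are too generic to alert on (login.htm exists on countless sites), so the medium-severity rule only fires when the request goes to a bare IP address; the address list is the strong signal and should be refreshed as the botnet's servers change.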

To monitor network traffic, the Trojan uses the WinPcap library embedded in its body. With it, the malware intercepts traffic and steals confidential data such as email and FTP account credentials. It looks for the following strings in the intercepted traffic:

USER
PASS
PUT
ONNECT
Authorization
Basic
AUTH
PLAIN
ftp
http
smtp
pop3
pop3_smtp
@

The malware also searches the stored settings of the following FTP, SFTP and WebDAV clients for confidential information (saved account data) and collects it:

32bit FTP
BitKinex
BulletProof FTP Client 2009
BulletProof FTP Client 2010
ClassicFTP
COREFTP
CuteFTP
CuteFTP Pro
CuteFTP Lite
CuteFTP 6 Home
CuteFTP 6 Professional
CuteFTP 7 Home
CuteFTP 7 Professional
CuteFTP 8 Home
CuteFTP 8 Professional
Directory Opus
FAR Manager FTP
FFFTP
FileZilla
FlashFXP 3
FlashFXP 4
Frigate3 FTP
FTPClient
pFTP Commander
FTP Commander Pro
FTP Navigator
FTP Commander Deluxe
FTPCON
FTP Explorer
FTPRush
LEAPFTP
NetDrive
Total Commander FTP
TurboFTP
SoftX FTP Client
SmartFTP
UltraFXP
WebSitePublisher
WS_FTP

In addition, the Trojan steals the Bitcoin wallet:

%Application Data%\Bitcoin\wallet.dat

When executed, the Trojan tries to update its executable module. The downloaded file is 762888 bytes in size.

Sending Spam

The Trojan sends spam emails through servers from the list it receives from the command server:

110.155.188.205
14.4.18.64
27.77.194.173
160.110.97.32
65.132.232.170
90.178.49.216
1.190.188.205
115.8.232.170
27.143.125.74
213.116.113.38
94.144.231.67
141.182.97.32
73.97.11.168
143.182.97.32
202.210.185.140
14.147.126.207
143.162.70.150
145.182.97.32
36.212.185.140
140.16.107.199
6.153.231.67
97.90.12.64
10.147.126.207
87.43.16.130
54.133.232.68
140.112.18.206
194.146.188.205
12.147.126.207
88.43.16.130
49.139.232.68
36.118.196.66
26.133.125.74
134.236.232.204
27.141.125.74
123.53.255.66
78.239.138.167
139.237.94.66
135.236.232.204
10.244.125.74
58.188.163.216
58.188.163.216
94.239.138.167
60.54.139.98
26.64.194.173
230.168.195.67
11.244.125.74

In addition, the Trojan searches for files with the following extensions:

avi
mov
wmv
mp3
wave
wav
wma
ogg
vob
png
jpg
jpeg
gif
bmp
exe
dll
ocx
class
msi
zip
7z
rar
jar
gz
hxw
hxh
hxn
hxd

It then sends spam messages to the collected email addresses.

Spreading via USB

The Trojan copies itself to the root folder of every removable drive under the following name:

X:\sony.exe

To launch the malicious file from the removable drive, the Trojan exploits the CVE-2010-2568 vulnerability. The vulnerability is located in the "CtrlExtIconBase::_GetIconLocationW" function of the "shell32.dll" library and allows a malicious file on the removable drive to be launched automatically.

The Trojan creates a file:

X:\Shortcut to Sony.lnk

In addition, the Trojan retrieves the names of all folders in the root directory of the removable drive and creates ".lnk" files with those folder names. It then sets the "Hidden", "System", "Read only" and "Archive" attributes on all of those folders.
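As an added example, not part of the original description, the following Python checks a drive root for the three file-system artifacts just described: the dropper `sony.exe`, the fixed `Shortcut to Sony.lnk`, and `.lnk` files whose names duplicate the folders beside them. It assumes the drive is mounted and readable and checks names only, since the attribute changes are Windows-specific; the infected-looking directory it builds for the demonstration is constructed in a temporary folder.

```python
"""Scan a (removable) drive root for the Kelihos USB-spreading artifacts:
sony.exe, 'Shortcut to Sony.lnk', and folder-shadowing .lnk files.
Added example, not from the original description; the sample drive
layout is constructed in a temporary directory."""
import os
import tempfile

DROPPER_NAME = "sony.exe"
SHORTCUT_NAME = "Shortcut to Sony.lnk"


def scan_drive_root(root):
    """Return [(kind, path), ...] findings for one drive root.
    kind is 'dropper', 'shortcut' or 'folder-shadow-lnk'. Name matching
    is case-insensitive, as on FAT/NTFS volumes."""
    entries = os.listdir(root)
    lower_to_actual = {e.lower(): e for e in entries}
    findings = []
    if DROPPER_NAME.lower() in lower_to_actual:
        findings.append(("dropper", os.path.join(root, lower_to_actual[DROPPER_NAME.lower()])))
    if SHORTCUT_NAME.lower() in lower_to_actual:
        findings.append(("shortcut", os.path.join(root, lower_to_actual[SHORTCUT_NAME.lower()])))
    # A folder with a same-named .lnk beside it is the pattern the Trojan
    # creates after hiding the real folder.
    for e in entries:
        shadow = (e + ".lnk").lower()
        if os.path.isdir(os.path.join(root, e)) and shadow in lower_to_actual:
            findings.append(("folder-shadow-lnk", os.path.join(root, lower_to_actual[shadow])))
    return findings


def build_sample_drive():
    """Create a temporary directory laid out like an infected drive root
    (constructed for this example) and return its path. The .lnk and .exe
    files are empty placeholders, not real shortcuts or executables."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    for folder in ("Photos", "Documents"):
        os.mkdir(os.path.join(root, folder))
        open(os.path.join(root, folder + ".lnk"), "wb").close()
    os.mkdir(os.path.join(root, "Clean"))          # folder without a shadow .lnk
    open(os.path.join(root, DROPPER_NAME), "wb").close()
    open(os.path.join(root, SHORTCUT_NAME), "wb").close()
    open(os.path.join(root, "notes.txt"), "wb").close()
    return root


def build_clean_drive():
    """Temporary directory with ordinary content only, for comparison."""
    root = tempfile.mkdtemp(prefix="usbclean_")
    os.mkdir(os.path.join(root, "Photos"))
    open(os.path.join(root, "notes.txt"), "wb").close()
    return root


if __name__ == "__main__":
    for kind, path in scan_drive_root(build_sample_drive()):
        print(f"{kind:18} {path}")
```

On a real removable drive the scan is pointed at its root (for example `E:\`); a folder-shadow hit is the one to act on first, because a user double-clicking the shortcut that replaced their folder is what keeps the infection moving between machines.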

Removal Recommendations

  1. Using Task Manager ("How to End a Process with the Task Manager"), terminate the Trojan process.
  2. Delete the original malware file (its name and location depend on the way the Trojan originally penetrated the user's computer).
  3. Change the passwords for the FTP clients listed above.
  4. Change the confidential Bitcoin data (the wallet.dat file named above should be treated as compromised).
  5. Delete the following value from the registry key ("How to Work with System Registry"):
     [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SonyAgent"="<original_path_to_Trojan_file>"
  6. Delete the registry key ("How to Work with System Registry"):
     [HKCU\Software\Sony]
  7. Run a full scan of your computer using the Antivirus program with an updated definition database ("Download Ad-Aware Free").