Backdoor.Win32.Shiz

by alexander.adamov on August 14th, 2012 in Malware Descriptions.

Platform: Win32
Type: Backdoor
Size: 280576 bytes
Packer: unknown
Unpacked size: ~750 Kb
Language: C++
MD5: c4c4f7cee346d4cb1faa4bcac6e5bf5
SHA1: e973239500b4fb216182043805453cea9edf8730
Aliases: Trojan.Win32.Generic!BT

Summary

Backdoor.Shiz is a Trojan spyware program designed to give the intruder remote access to the infected PC and to steal confidential data.

Technical Details

Installation

Once activated, the backdoor copies itself to the current user's Windows temporary folder with a randomly generated name:

%Temp%\<rnd>.tmp

where <rnd> is a random digit.

The backdoor then copies itself to the "AppPatch" folder in the Windows directory, again with a randomly generated name:

%WinDir%\AppPatch\<rnd>.exe

where <rnd> is a random sequence of Latin letters, e.g. "ondmrw" or "nfiwvpu".

The backdoor registers itself to start when Windows boots by adding its executable path to the following registry autorun keys:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit" = "%System%\userinit.exe,%WinDir%\AppPatch\<rnd>.exe"
"system" = "%System%\userinit.exe,%WinDir%\AppPatch\<rnd>.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"userinit"="%WinDir%\AppPatch\<rnd>.exe"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%WinDir%\AppPatch\<rnd>.exe"
"run" = "%WinDir%\AppPatch\<rnd>.exe"

The original backdoor file is then deleted.

If the backdoor is launched on a 64-bit Windows machine, the autorun entry instead points to the original backdoor file:

<path_to_the_original_backdoor_file\original_backdoor_name>.exe

If the backdoor is launched under an account that is a member of the Administrators group, it also creates a scheduled task that starts it with administrator privileges each time Windows boots.

Payload

The backdoor terminates and deletes its original file if any of the following analysis or security tool processes is running on the system:

HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe

If the backdoor runs without administrator privileges, it attempts to gain access to the administrator account by trying the following passwords:

help
stone
server
pass
idontknow
administrator
admin
666666
111
12345678
1234
soccer
abc123
password1
football1
fuckyou
monkey
iloveyou1
superman1
slipknot1
jordan23
princess1
liverpool1
monkey1
baseball1
123abc
qwerty1
blink182
myspace1
pop
user111
098765
qweryuiopas
qwe
qwer
qwert
qwerty
asdfg
chort
nah
xak
xaep
111111
12345
2013
2007
2207
110
5554
775
354
1982
123
password
123456

The backdoor then locates the "explorer.exe" process and injects a dynamic-link library (DLL) of 355840 bytes, extracted from its own body, into that process's address space. The DLL is detected by Ad-Aware as Trojan.Win32.Generic!BT (MD5: 1dccb989b3b1c124162756f5ade32e8).

Through the injected library, the Trojan carries out its malicious functionality:

  • Checks for Internet connectivity by contacting the following resources:

www.bing.com
www.microsoft.com

  • Disables the sandbox in which scripts are executed when the user browses with Google Chrome.
  • Launches a SOCKS proxy server on the infected system.
  • Installs hooks on the following functions:

Dnsapi.dll:
DnsQuery_A
DnsQuery_UTF8
DnsQuery_W
Query_Main

user32.dll:
GetClipboardData
TranslateMessage
GetMessageA
GetMessageW
GetWindowTextA
OpenDesktopA
OpenDesktopW
TrackPopupMenuEx
OpenInputDesktop
SwitchDesktop
GetUpdatedClipboardFormats
CloseClipboard
CountClipboardFormats
EmptyClipboard
GetPriorityClipboardFormat
IsClipboardFormatAvailable
SetClipboardData
FlashWindowEx
FlashWindow
GetCursorPos
SetCursorPos
SetCapture
ReleaseCapture
GetCapture
DefWindowProcW
DefWindowProcA
DefDlgProcW
DefDlgProcA
DefFrameProcW
DefMDIChildProcA
CallWindowProcW
CallWindowProcA
PeekMessageW
PeekMessageA

advapi32.dll:
CryptEncrypt

ntdll.dll:
NtQuerySystemInformation

ws2_32.dll:
send
WSASend
WSARecv
recv
getaddrinfo
gethostbyname
inet_addr

kernel32.dll:
CreateFileW
GetFileAttributesW

Crypt32.dll:
CertVerifyCertificateChainPolicy

Wininet.dll:
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle

nspr4.dll:
PR_Write
PR_Read
PR_Close
PR_OpenTCPSocket

sks2xyz.dll:
vb_pfx_import

FilialRCon.dll:
RCN_R50Buffer

mespro.dll:
AddPSEPrivateKeyEx
AddSigner

These hooks let the backdoor control network traffic, intercept data before it is encrypted and files as they are created, log keystrokes, harvest confidential data from various e-commerce client programs, and hide its process from the Processes tab of Windows Task Manager.

  • Blocks access to domain names containing the following antivirus-related strings:

avast.com
kaspersky
93.191.13.100
drweb
eset.com
antivir
avira
virustotal
virusinfo
z-oleg.com
kltest.org.ru
trendsecure
anti-malware
comodo.com
mavast.com

  • Contains a module that gives the intruder remote access via the VNC protocol.
  • Connects to a command server in a separate thread. The server name is generated by a dedicated domain-generation algorithm.

At the time the description was written, the backdoor had established connections to the following command servers:

qebahilojam.eu
tufecagemyl.eu

The backdoor receives configuration files from the command servers and uses them to carry out the destructive actions requested by the attacker. Each file is saved in the current user's Windows temporary folder under a randomly generated name:

%Temp%\<rnd>.tmp

where <rnd> is a random sequence of hexadecimal digits.

The backdoor then parses the configuration file, encrypts the commands and stores them as values under the following registry key:

[HKLM\Software\Microsoft]
"option_<hexadecimal_number>" = "<encrypted data>"

The backdoor can execute the following commands:

!load

Downloads encrypted files from a URL specified by the intruder, decrypts them, saves them under randomly generated names in the current user's Windows temporary folder, executes them and then deletes them. At the time of writing, the backdoor used this command to download its own latest encrypted versions from the attacker's server: for example, a file of 311808 bytes (MD5: 9d1f4902e2eb83feab79175dd89b1912) or a file of 321296 bytes (MD5: 31e855d428195a27077d535e4b0778cd). The updated files are detected by Ad-Aware as Trojan.Win32.Generic!BT. To evade antivirus signatures, the files are constantly re-encrypted on the attacker's servers.

!inject

Injects data into the HTML code of web pages the user visits.

!kill_os

Shuts down and disables the OS by overwriting the first sectors of the drive.

!cofig

Downloads a new configuration file.

!bc_activate

Establishes a connection to the intruder's server on a random TCP port.

!bc_deactivate

Terminates the connection to the intruder's server.

  • Restores its executable file, in a separate thread, at:

%WinDir%\AppPatch\<rnd>.exe

  • Steals cookies and browsing history from the following web browsers:

Microsoft Internet Explorer
Opera

  • Monitors smart cards and tokens connected to the infected PC.
  • Logs keyboard input events to the following file:

%Documents and Settings%\%Current User%\%ApplicationData%\<rnd>

where <rnd> is a random sequence of hexadecimal digits.

  • Steals user credentials for the following Internet banking and remote banking systems:

BS-Client
Faktura
IBANK
ALPHA
BSS
INTER
INIST
KBP
RAIFF
RFK
SBER
VEFK
VTB24
Agava Client

For these systems, the Trojan intercepts keystrokes, takes screenshots, extracts data from HTTP requests, and steals the key material stored in the following files:

pname.key
pubkeys.key
header.key
masks.key
masks2.key
name.key
primary.key
primary2.key
self.cer
secrets.key
cert.pem
serverkey.dat
sign.cer

For each e-commerce system, the backdoor creates a folder with a randomly generated name in which it stores the collected information:

%Documents and Settings%\%Current User%\%ApplicationData%\<rnd>

where <rnd> is a random sequence of hexadecimal digits.

The collected information is stored there as text files, for example:

pass.log
links.log

Screenshots are stored in the following directory:

%Documents and Settings%\%Current User%\%ApplicationData%\<rnd>\scrs\<screenshot ordinal number>.jpg

The backdoor sends the stolen data to the intruder server.

Removal Recommendations

  1. Delete the following registry values (How to Work with System Registry):

    [HKLM\Software\Microsoft]
    "option_<hexadecimal_number>"

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system" = "%System%\userinit.exe,%WinDir%\AppPatch\<rnd>.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "userinit"="%WinDir%\AppPatch\<rnd>.exe"

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "load" = "%WinDir%\AppPatch\<rnd>.exe"
    "run" = "%WinDir%\AppPatch\<rnd>.exe"

  2. Change the following registry value as shown (How to Work with System Registry):

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\Windows\system32\userinit.exe,"

  3. Reboot the PC.
  4. Delete the original backdoor file (its location depends on how the program originally entered the computer).
  5. Delete the file:

    %WinDir%\AppPatch\<rnd>.exe

  6. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  7. Run a full scan of the computer with an antivirus program using an up-to-date definition database (Download Ad-Aware Free).
  8. Change the passwords for all user accounts.
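The following PowerShell script is an added, read-only audit example (not part of the original description or of any Ad-Aware tool) that reports the persistence locations named in the Installation section and in the removal steps above. The 5-8 lowercase-letter pattern for the AppPatch file name and the use of Get-ScheduledTask are assumptions, marked in the comments.

```powershell
# Added audit example, not part of the original description or of any vendor tool.
# Read-only: reports the Shiz persistence locations described above without changing
# anything. Run as the affected user (HKCU checks) from an elevated shell (HKLM, tasks).
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Location, $Name, $Value) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value })
}

# 1. Winlogon: a clean Userinit is just "<path>\userinit.exe," with nothing appended;
#    Shiz appends its AppPatch copy and also writes a non-standard "system" value.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl.Userinit -and $wl.Userinit -notmatch '^[^,]*\\userinit\.exe,?\s*$') { Add-Finding $winlogon 'Userinit' $wl.Userinit }
if ($wl.System) { Add-Finding $winlogon 'System' $wl.System }

# 2. Per-user autorun values used by the backdoor (normally absent or empty).
$userKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Names = 'userinit' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Names = 'load', 'run' }
)
foreach ($k in $userKeys) {
    $p = Get-ItemProperty -Path $k.Path -ErrorAction SilentlyContinue
    foreach ($n in $k.Names) { if ($p -and $p.$n) { Add-Finding $k.Path $n $p.$n } }
}

# 3. Encrypted configuration stored as option_<hex> values directly under HKLM\Software\Microsoft.
$cfgKey = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft'
foreach ($v in $cfgKey.GetValueNames()) {
    if ($v -match '^option_[0-9a-fA-F]+$') { Add-Finding $cfgKey.Name $v '<encrypted blob>' }
}

# 4. Executables in %WinDir%\AppPatch. Assumption: the random names seen in the
#    description ("ondmrw", "nfiwvpu") are 5-8 lowercase Latin letters.
Get-ChildItem -Path "$env:WINDIR\AppPatch" -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[a-z]{5,8}$' } |
    ForEach-Object { Add-Finding 'AppPatch' $_.Name $_.FullName }

# 5. Scheduled tasks whose action runs from AppPatch (the admin-privilege relaunch).
#    Assumption: Get-ScheduledTask is available (Windows 8 / Server 2012 and later).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'AppPatch\\') { Add-Finding "Task:$($task.TaskPath)$($task.TaskName)" 'Execute' $a.Execute }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No Shiz persistence indicators found.' }
```

Any reported value should be confirmed against the description before removal, since a legitimate "load"/"run" value or third-party Userinit entry can also appear in these locations.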