Pour les utilisateurs

Fermer

Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Recherche
Recherche

Contacter-nous !
Support 24/24 | Rules regarding submitting

Envoyer un message

Requête à l'aide du formulaire

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -
Créer une nouvelle requête

Nous téléphoner

0 825 300 230

Profil

FR

RU CN DE EN ES FR IT JP KZ UZ PL BY ID
Fermer
Services support
Scanners
Dr.Web vxCube
Démo
Bibliothèque virale
Base documentaire

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Actualités

Trojan.Belonard.10

Added to the Dr.Web virus database: 2019-02-05

Virus description added:

Packer: WinLicense

Dates of compilation and SHA1 hashes:

  • a0ea9b06f4cb548b7b2ea88713bd4316c5e89f32 (Mssv36.asi) - 13.09.2017 22:16:52

Description

Trojan.Belonard.10 is part of the Belonard trojan. It’s distributed with pirated Counter-Strike 1.6 builds. Trojan.Belonard.10 acts as a protector of the game. It also installs Trojan.Belonard.5 in the system.

Operating routine

The trojan checks if the WinDHCP service is running. If not, it unpacks and runs Mssv24.asi (Trojan.Belonard.5), and then changes the created/modified/accessed dates of the file to those of Mss32.dll, msmp3.asi, hw.dll or hl.exe. It then creates a thread in which it sends information to the C&C server, and initializes an array of structures by gathering information about the downloaded modules hl.exe, GameUI.dll, hw.dll, sw.dll, and client.dll.

That information is formed into structures:


struct st_mod
{
  _DWORD ImageBase;
  _DWORD SizeOfImage;
  _DWORD pOverlay;
  _DWORD pCode;
  _DWORD SizeOfCode;
  _DWORD pData;
  _DWORD pPEHeader;
};

The trojan scans client.dll’s memory using the mask:

Trojan.Belonard.10 #drweb

The mask corresponds to the code of the CHudSpectator::VidInit function:

Trojan.Belonard.10 #drweb

pfnSPR_Load is the first pointer to the function in the cl_enginefunc_t structure, which contains pointers to various functions of the game client.

Upon receiving the cl_enginefunc_t structure’s address, the trojan calls the GetFirstCmdFunctionHandle() function (the address of this function is stored in the cl_enginefunc_t structure). The called function returns the structures’ list address cmd_function_t, which contains information about the client’s console commands. With the help of cmd_function_t, the trojan seeks the address of the “version” function. When it’s found, the trojan checks if the client is official.

Trojan.Belonard.10 #drweb

After that, the trojan modifies the memory of the steamclient.dll module by writing its master server address, suysfvtm[.]valve-ms[.]ru:27012 (port 27013, if it’s an official client). The trojan also hooks one of the module’s functions.

Trojan.Belonard.10 #drweb

The trojan scans the “sw.dll” module’s memory in order to find the CBaseUI::Shutdown() method, and inserts a call for its own method inside, which will end the trojan’s process if the global variable is set.

Trojan.Belonard.10 #drweb

It then seeks a place in sw.dll’s memory where the “ScreenFade” line address is pushed to the stack and takes the address by offset 0x10 or 0x13 from that push.

Trojan.Belonard.10 #drweb

The resulting address is a pointer to the structure cldll_func_t. By using that pointer, the trojan hooks the HUD_Frame function; and in a function called in its stead initializes the main part of its own hooks and memory modifiers.

In the GameUI.dll, the trojan hooks the call of the strstr function from the CL_ParseConsistencyInfo function in order to exclude the following CRC files and paths from a check:

../Steam.dll
../steamclient.dll
../rev.ini
../Mssv36.asi
../platform/resource/cs.tga
../voice_speex.dll
../Start Counter-Strike Game.bat
../Start Counter-Strike Server.bat
../Start Half-Life Game.bat
../Start Half-Life Server.bat

Afterwards, the trojan hooks the CL_ConnectionlessPacket function and the handlers of the playdemo and viewdemo commands. Inside those functions and handlers, the trojan monitors the executed commands and sends information to the C&C server about those not on the trojan’s list.

The trojan also hooks the Netchan_CopyFileFragments and CL_BatchResourceRequest functions. This allows the trojan to send the names of files sent to the client by another servers to the C&C server . Additionally, the trojan detects and filters potentially dangerous files following the criteria:

  • If a path contains the “..” or '\', ':', '*', '?', '"', '<', '>', '|’ symbols;
  • If a path doesn’t begin with “idema/” or “idema\”;
  • If a file has one of the following extensions: “asi”, “bat”, “cfg”, “cmd”, “com”, “dll”, “exe”, “flt”, “ini”, “js”, “log”, “lst”, “m3d”, “mix”, “ocx”, “rc”, “scr”, “vbs”.

Other functions hooked by the trojan:

  • CL_Parse_StuffText notifies the C&C server about commands executed;
  • CL_Parse_Director notifies the C&C server about the executed commands of DRC_CMD_BANNER and DRC_CMD_STUFFTEXT types;
  • CL_Parse_VoiceInit notifies the C&C server about the voice_speex and voice_miles commands;
  • CL_Send_CvarValue2 notifies the C&C server about attempts to change the Cvar located on the trojan’s list;
  • CL_Send_CvarValue2 notifies the C&C server about attempts to change the Cvar located on the trojan’s list;

The trojan hooks the MOTD event handler and sends the text that was supposed to be displayed using that function to the C&C server. Then it hooks the call of NET_StringToAdr, whose address it finds from the CL_CheckForResend function’s call. If either IP address or the server’s port to which the connection is made doesn’t match those that are known to the trojan, the C&C server receives a notification. After that, the trojan makes several modifications to the memory of modules: client.dll, sw.dll, ServerBrowser.dll, GameUI.dll.

CallHome

The trojan initializes an AES-CFB context with a block size of 128 bit. The key is created by calling EVP_BytesToKey(cipher, md, 0, &aeskey, 32, 5, key, iv). Wherein, the aeskey is embedded in the trojan:

Trojan.Belonard.10 #drweb

The trojan then decrypts the names of the master servers: suysfvtm[.]valve-ms[.]ru:28447 and etmpyuuo[.]csgoogle[.]ru:28447.

Here’s the decryption algorithm:


def decrypt(data):
    s = 'e'
    for i in range(0,len(data)-1):
            s += chr((ord(s[i]) + ord(data[i]))&0xff)
    print s

All the packets sent to and received from the server are encrypted using AES. At the same time, zero byte is added to the beginning of the sent data, and the “padding” in the sent packets is a randomly formed array of bytes.

The server sends packets with a size of 0x10 bytes or less:

  • The first byte is an ID of a command;
  • The next N byte is the payload (may be absent);
  • The remaining bytes (up to 12) are compared against the data with the same offset in the modified sent data, acting as a signature.

Heartbeat (client - 0x8b, server - 0xD9)

The heartbeat packet has a size of 0x10 bytes:


#pragma pack(push,1)
struct st_buf
{
  _BYTE byte_8b;
  _BYTE client_ver;
  _DWORD counter;
  _BYTE byte_05;
  _BYTE padding[9];
};
#pragma pack(pop)

Where client_ver takes values within the range of 0 to 3 depending on:

  • whether the client is official or pirated, or
  • whether it is a Russian or English version of the client.

After encrypting the data, the 6th byte changes to 0x29 in the original buffer.

If the master server’s address has been changed in the memory, the global flag is set, activating the sending of game servers’ suspicious actions to the trojan developer’s server.

The DWORD acts as a payload, containing information about the delay between heartbeat packets. If the packet’s size is greater than 0x10 bytes, 0x20 bytes by an offset of 0x10 bytes is the SHA256 hash of data starting by an offset of 0x30 bytes. The data is shown in the game client console as a message.

CheckServer (client - 0x6F, server - 0xE1)

The packet is sent using the code that hooks the NET_StringToAdr function. The file structure is as follows:


#pragma pack(push, 1)
struct st_checksrv
{
  _WORD word_56f;
  _BYTE client_ver;
  _BYTE byte_ab;
  _BYTE srvaddr[6];
  _BYTE padding[6];
};
#pragma pack(pop)

After the packet is encrypted, the first 4 bytes of the original data are replaced with 0x894DC6E1. If the packet successfully passed the checks, the game client’s “disconnect” function is called.

GameMenuAction (client - 0x80, server - 0x12)

The file structure is as follows:


#pragma pack(push, 1)
struct st_gamemenu_action
{
  _BYTE byte_80;
  _BYTE client_ver;
  _WORD word_6005;
  _BYTE padding[12];
};
#pragma pack(pop)

After the packet is encrypted, its original structure is changed to:

  • byte_80 is replaced with 0x12;
  • word_6005 is replaced with 0xDAB1;
  • If the client is pirated, client_ver is replaced with 0x87; and if the client is official, it is replaced with 0x11.

In the resulting packet, the payload is the 6 byte, which set the IP:port. The trojan rearranges it into a line and executes the game client command connect IP:port.

GameSecurityViolation (client - 0x05)

It is sent from the code that hooks the functions of the game client. The packet’s structure:


#pragma pack(push, 1)
struct st_report
{
  _BYTE byte_05;
  _BYTE client_ver;
  _BYTE padding[0x0e];
  _BYTE hash[0x20];
  _DWORD ip;
  _WORD port;
  char msg[];
};
#pragma pack(pop)

Unlike other packets, 0x02 is added to the beginning of this encrypted packet.

Recommandations pour le traitement

  1. Si le système d'exploitation peut être démarré (en mode normal ou en mode sans échec), téléchargez Dr.Web Security Space et lancez un scan complet de votre ordinateur et de tous les supports amovibles que vous utilisez. En savoir plus sur Dr.Web Security Space.
  2. Si le démarrage du système d'exploitation est impossible, veuillez modifier les paramètres du BIOS de votre ordinateur pour démarrer votre ordinateur via CD/DVD ou clé USB. Téléchargez l'image du disque de secours de restauration du système Dr.Web® LiveDisk ou l'utilitaire pour enregistrer Dr.Web® LiveDisk sur une clé USB, puis préparez la clé USB appropriée. Démarrez l'ordinateur à l'aide de cette clé et lancez le scan complet et le traitement des menaces détectées.
Version démo gratuite

 

Télécharger Dr.Web

Par le numéro de série

Veuillez lancer le scan complet du système à l'aide de Dr.Web Antivirus pour Mac OS.

Version démo gratuite

 

Télécharger Dr.Web sur le site

Par le numéro de série

Télécharger Dr.Web sur l'Apple Store

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

Version démo gratuite

 

Télécharger Dr.Web

Par le numéro de série

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile Dr.Web pour Android. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur la violation grave de la loi ou la demande d'une rançon est affiché sur l'écran de l'appareil mobile), procédez comme suit:
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil mobile Dr.Web pour Android et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android

Free trial

14 days

Download now
Get it on Google Play