Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

BackDoor.Whitebird.1

Added to the Dr.Web virus database: 2019-08-19

Virus description added:

Packer: absent

Compilation date: 28.05.2018 23:14:08

SHA1 hash:

  • e70a5ce00b3920d83810496eab6b0d028c5f746e

Description

A multifunctional backdoor trojan for Microsoft Windows 64-bit operating systems. Its function is to establish an encrypted connection with the C&C server and grant unauthorized access to the infected computer. It has a file manager, proxy server and remote shell capabilities. It was used in targeted attacks on state institutions in Kazakhstan and Kyrgyzstan. Similar to BackDoor.PlugX, this modification was used to infiltrate the network infrastructure.

Operating principle

The trojan represents a dynamic library with the MyInstall exported function. Upon infecting the targeted system, it is installed in the C:\Windows\System32\oci.dll directory.

The program launches as follows. Upon operating system boot, a Microsoft Distributed Transaction Coordinator (MSDTC) is launched. The Windows registry contains the parameters of this service, which hold the names of the loading libraries. By default, the OracleOciLib and OracleOciLibPath keys in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI branch have the values of oci.dll and %systemroot%\system32 accordingly. . When the trojan is placed in %systemroot%\system32\oci.dll, it will be automatically loaded onto the memory when the MSDTC starts.

When initialized, it creates a gfhfgh6y76734d,1111 mutex, followed by the library loading and the MyInstall exported function call.

MyInstall

The trojan can determine if the proxy server should be used and can perform a basic authentication and authorization via the NTLM protocol. When running, it logs records in the journal, saving it as c:\programdata\logos.txt.

It connects to the C&C server and exchanges the keys with it. All subsequent packets between the trojan and the server are encrypted. The algorithm based on the XOR operation with the buffer length of 28 bytes is used for decryption. All packets are encrypted with an end-to-end offset in the buffer; but for the encryption and decryption, separate counters are used.

The following structure is used to request commands from the server and send the results:

#pragma pack(push, 1)
struct st_getcmd
{
  _DWORD sig;
  _DWORD cmd;
  _DWORD res;
  _DWORD dwordc;
};
#pragma pack(pop)

The sig parameter always has a 0x03 value. To request the command from the server, the cmd parameter is set as 0x200, and the res and dwordc parameters are set to zero. If the server does not send any data within 44 seconds, the trojan sends a packet containing the cmd parameter with the 0x00 value. This process repeats until any response is received from the server.

Commands list

The commands the trojan can execute, as well as its response to them, are shown below:

  • 0x00 — lack of the reply, awaiting the next command;
  • 0x01 (collecting information about the bot) — replies with the cmd_botinfo structure:
    #pragma pack(push, 1)
    struct cmd_botinfo_int
    {
      _DWORD sig; // 0x03
      _DWORD OSMajorVersion;
      _DWORD OSMinorVersion;
      _DWORD OSPlatformId;
      _DWORD userpriv;
      _DWORD botip;
      _QWORD MemTotalPhys;
      _BYTE macaddr[6];
      wchar_t szCSDVersion[128];
      wchar_t hostname[64];
      wchar_t username[64];
      char connect_string[256];
    };
     
    struct cmd_botinfo
    {
      _BYTE sig; // 0x03
      _WORD len; // 0x3AC
      _WORD cmdid;
      _BYTE gap[10];
      cmd_botinfo_int info;
    };
    #pragma pack(pop)
    
  • 0x02 (remote shell launch) — replies with the packet, similar to the one received from the server;
  • 0x03 (advanced file system manager launch) — replies with the packet, similar to the one received from the server;
  • 0х05 (remote shell v2 launch) — replies with the packet, similar to the one received from the server;
  • 0x06 (proxy manager launch) — replies with the packet, similar to the one received from the server;
  • 0x100 (the ping command) — replies with cmd=0x00;
  • 0x400 (the command to reconnect to the server) — replies with cmd=0x300;
  • 0x600 (dummy command) — replies with cmd=0x600; res=0xffffffff;
  • 0x700 (launch of the command through ShellExecute) — replies with cmd=0x700; if failed, replies with res=0xffffffff.

Exchanging keys

The process of exchanging keys with the C&C server is as follows:

Using random values, the trojan initializes the buffer with the size of 28 bytes. Next, it takes the data array of the 58 bytes size, which is embedded into its body.

BackDoor.Logtu.1 #drweb

It encrypts bytes from 15 to 43, based on the XOR operation algorithm, using randomly generated bytes, and sends the resulting buffer to the server. In response, it should receive 5 bytes, where 0x16 is a 0 byte and the htons function results from WORD, starting with the third byte, which is the size of the next packet, and shouldn’t exceed 0x3FF9 bytes.

After that, it receives the next packet, whose data is used in the next exchange.

Next, the trojan uses the second encoded buffer with the size of 332 bytes.

BackDoor.Logtu.1 #drweb

The trojan encrypts the bytes, starting from 9 to 265 and from 304 to 332, with the algorithm based on the XOR operation, using randomly generated bytes. 28 bytes, starting from 276 bytes, is replaced with the data generated upon the first buffer initialization. There must be a response of 5 bytes, where the 0 byte is 0x14, and the htons function results from WORD, starting with the 3rd byte, which is the size of next packet, and should not exceed 0x3FF9 bytes.

After that, it receives the next packet, whose data is not used in further exchange.

Next, the trojan receives 5 bytes from the C&C server, where 0x16 is the 0 byte, and the htons function results from WORD, starting with the 3rd byte, which is the size of the next packet, and should not exceed 0x38 bytes.

It receives the next packet from the C&C server and sends 0х38 bytes into the encryption key initialization function:

__int64 __fastcall CCrypt::GenKeys(ccrypt *this, _BYTE *ext_key)
{
  __int64 result; // rax
  int i; // [rsp+0h] [rbp-18h]
  for ( i = 0; i < 28; ++i )
  {
    this->key[i] ^= ext_key[i];
    this->key[i] ^= ~(_BYTE)i;
    if ( !this->key[i] )
      this->key[i] = ~(_BYTE)i;
    result = (unsigned int)(i + 1);
  }
  return result;
}

Remote Shell Function

The trojan copies %WINDIR%\System32\cmd.exe into %WINDIR%\alg.exe. It then initializes a new connection to the C&C server and sends the following packet:

#pragma pack(push,1)
struct cmd_remoteshell
{
  _WORD sig; // 0x03
  _WORD len;
  _WORD cmd; // 0x02
  _BYTE gap[10];
  _BYTE macaddr[6];
};
#pragma pack(pop)

Next, it launches a scanned alg.exe with the pipes input/output redirection. If the launch fails, it runs a cmd.exe instead of the alg.exe. If there is data in the output function pipe, the trojan sends the data to the server in the following packet:

#pragma pack(push,1)
struct cmd_remoteshell_out
{
  _WORD sig; // 0x03
  _WORD len;
  _WORD cmd; // 0x202
  _BYTE gap[10];
  wchar_t buffer[];
};
#pragma pack(pop)

Herewith, the trojan periodically checks for data from the C&C server and parses the incoming command when the data has been received.

List of Remote Shell Commands

Command Description Argument Response
0x100 keep-alive mode - cmd = 0x00
0x102 executes the command in the Remote Shell a command -
0x103 launches the file manager (writing into the end of existing file) a path to the file, the final size of the file cmd value is identical to the value in the packet received from the server;
res = -1 if failed;
res = 0 if succeed.
0x203 launches the file manager (reading from the file) a path to the executable file, an offset in the file
0x703 launches an application a path to the executable file and arguments res = -1 if failed; res = 0 if succeed.
the remaining variants default behavior - cmd value is identical to the value of the packet received from the server;
res = 1.

Remote Shell v2

The trojan copies %WINDIR%\System32\cmd.exe into the %WINDIR%\alg.exe. It then initializes a new connection to the C&C server and sends the following packet:

#pragma pack(push,1)
struct cmd_remoteshell
{
  _WORD sig; // 0x03
  _WORD len;
  _WORD cmd; // 0x02
  _BYTE gap[10];
  _BYTE macaddr[6];
};
#pragma pack(pop)

Next, it launches a copied alg.exe; if launch has failed, it runs a cmd.exe instead of the alg.exe. Input/output to the launched process is implemented via the trojan process joining to the console of the launched alg.exe/cmd.exe process, using the WINAPI AttachConsole.

The rest of the operation routine is similar to the one in the Reverse Shell handler.

File manager

The trojan initializes a new connection to the C&C server and sends the following packet:

#pragma pack(push,1)
struct cmd_fileop
{
  _WORD sig; // 0x03
  _WORD len;
  _WORD cmd;
  _WORD gap;
  _DWORD res;
  _DWORD filesize;
  _BYTE macaddr[6];
};
#pragma pack(pop)

The cmd value is set to the same value in the server packet. Next, the trojan receives commands from the server.

  • 0x103:

    Checks for the file availability. If it does not exist, it sends the packet with the res = 0xB7 value; Tries to open the file in append mode. If failed, it sends the packet with the res = 0x52 value;

    Receives the file size and sets filesize filed to the corresponding value in the subsequent packets;

    Receives packets in a cycle with the cmd = 0x303 packet value and writes the data into the file until the file size is larger or equal to the one the server indicated in the first packet.

  • 0x203:

    Tries to open the file in reading mode. If failed, it sends the packet with the res = 0x02 value;

    Receives the file size and sends it to the server in the packet;

    In a cycle, it reads the file, starting from the offset, which is indicated in filesize the first packet received from the server, and sends the data in the packet with the cmd = 0x303 value to the server until the file hasn’t been read to its end.

  • 0x403:

    If the C&C server sends the path as an argument, the trojan lists the files and folders available in this path (not recursively) and sends the collected information with the cmd = 0x403 value to the server;

    If the C&C server does not specify the argument or if the first symbol of the argument is '/' or '\\', the trojan lists every storage device and collects the data, including the disk type, its size and free space available, and then sends this data to the server in the packet with the cmd = 0x403 value.

  • 0x503:

    Moves a file (the initial and final paths are specified by the C&C server). In response, it sends the packet with the cmd = 0x503 and res = 0 values if succeeded; otherwise, it sends the packet with the res = -1 value.

  • 0x603:

    Deletes the file located in the path, specified by the server. In response, it sends the packet with the cmd = 0x603 and res = 0 values if succeeded; otherwise, it sends the packet with the res = -1 value.

  • 0x703:

    Launches an application specified by the server by using specific arguments. In response, it sends the packet with the cmd = 0x703 and res = 0 values if succeeded; otherwise, it sends the packet with the res = -1 value.

Proxy manager

The trojan initiates a new connection to the server and sends the following packet to it:

#pragma pack(push,1)
struct cmd_proxy
{
  _WORD sig; // 0x03
  _WORD len;
  _WORD cmd; // 0x06
  _BYTE gap[10];
  _BYTE macaddr[6];
};
#pragma pack(pop)

Next, it receives the commands from the server.

  • 0x106:

    Opens one of the available ports;

    Sends a packet with the cmd = 0x506 value to the server;

    Connects to the targeted server using the IP and port, specified by the C&C server;

    Waits for the incoming connection to its port. Upon receiving the data, it sends it to the server it is connected to;

    If the trojan receives the data from the targeted server, it sends it to the C&C server in the packet with the cmd = 0x116 value;

    Returns to waiting for the incoming connection to its port. Upon receiving the data, it sends it to the server it is connected to.

  • 0x116:

    If there is an incoming connection to a previously opened port, the trojan sends the raw data to the client without using the encryption standard to the trojan.

  • 0x126:

    Stops the proxy and closes all opened connections.

  • 0x206:

    Sends the packet with the cmd = 0x506 value to the C&C server;

    Opens a port specified by the server;

    Waits for the incoming connection to the specified port;

    Connects to the targeted server specified by the C&C server;

    Forwards the traffic from the local port to the remote server and backwards as raw data, not using the encryption, standard to the trojan.

  • 0x306:

    Receives two ports as an argument;

    Sends the packet with the cmd = 0x506 value to the C&C server;

    Opens first port (master port) and waits for the connection;

    Opens the second port (client port) and waits for the connection;

    Opens a random port and sends its number to the target, which is currently connected to the master port. Next, it waits for the incoming connection on the specified port;

    Forwards the traffic between the clients, which connected to the master port and random port.

  • 0x406:

    Receives two pairs of IP:port as an argument;

    Connects to the first server and receives 2 bytes from it, which are the port number;

    Connects to the same server through the received port;

    Connects to the second server, specified in the incoming arguments;

    Forward the traffic between previously established connections.

  • 0x606:

    Stops proxy server operation.

Recommandations pour le traitement

  1. Si le système d'exploitation peut être démarré (en mode normal ou en mode sans échec), téléchargez Dr.Web Security Space et lancez un scan complet de votre ordinateur et de tous les supports amovibles que vous utilisez. En savoir plus sur Dr.Web Security Space.
  2. Si le démarrage du système d'exploitation est impossible, veuillez modifier les paramètres du BIOS de votre ordinateur pour démarrer votre ordinateur via CD/DVD ou clé USB. Téléchargez l'image du disque de secours de restauration du système Dr.Web® LiveDisk ou l'utilitaire pour enregistrer Dr.Web® LiveDisk sur une clé USB, puis préparez la clé USB appropriée. Démarrez l'ordinateur à l'aide de cette clé et lancez le scan complet et le traitement des menaces détectées.

Veuillez lancer le scan complet du système à l'aide de Dr.Web Antivirus pour Mac OS.

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile Dr.Web pour Android. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur la violation grave de la loi ou la demande d'une rançon est affiché sur l'écran de l'appareil mobile), procédez comme suit:
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil mobile Dr.Web pour Android et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android