Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

BackDoor.Gootkit.112

Added to the Dr.Web virus database: 2014-03-30

Virus description added:

A multipurpose backdoor that can execute various commands coming from the remote server.

The module responsible for the backdoor's installation and its bootkit features was borrowed from the Trojan.Mayachok family of malicious programs. However, virus makers introduced a number of significant changes to the source code.

  • Original Trojan.Mayachok generated a unique VBR code which was used to create another build of the malware. In the case of BackDoor.Gootkit.112, all functions are compiled in the dropper that alters the Volume Boot Record (VBR) code during the infection process.
  • To compress the modules of Trojan.Mayachok, the aplib library was used. BackDoor.Gootkit.112 is decrypted and extracted using RtlDecompressBuffer (COMPRESSION_FORMAT_LZNT1).
  • The driver, to which VBR transfers control prior to system initialization, was also taken from the source code of Trojan.Mayachok, but the code was partially rewritten; so most of the pointers (various tables and a shellcode for injections) became position independent for unknown reasons. For example, the following routine to retrieve an address:
                                        get_shellcode2  proc near               
    ; CODE XREF: csrss_inject+67p
    .text:10006645 E8 00 00 00 00                       call    $+5
    .text:1000664A 58                                   pop     eax
    .text:1000664B 83 C0 05                             add     eax, 5
    .text:1000664E C3                                   retn
    .text:1000664E                      get_shellcode2  endp
    .text:1000664E
    .text:1000664F                      
    ; ========= S U B R O U T I N E ===========================
    .text:1000664F                      ; Attributes: noreturn bp-based frame
    .text:1000664F
    .text:1000664F                      shellcode2      proc near
    Another example is related to string generation. The routine looks as follows:
    .text:10003B0B                 push    ebp
    .text:10003B0C                 mov     ebp, esp
    .text:10003B0E                 sub     esp, 78h
    .text:10003B11                 call    get_api_table
    .text:10003B16                 mov     [ebp+pAPITable], eax
    .text:10003B19                 cmp     [ebp+pAPITable], 0
    .text:10003B1D                 jz      no_apitable
    .text:10003B23                 mov     dword ptr [ebp+szRegistryPath], 52005Ch 
    ; REGISTRY\MACHINE\CURRENTCONTROLSET\SERVICES\null
    .text:10003B2A                 mov     dword ptr [ebp+szRegistryPath+4], 470045h ; 
    .text:10003B31                 mov     dword ptr [ebp+szRegistryPath+8], 530049h ; 
    .text:10003B38                 mov     dword ptr [ebp+szRegistryPath+0Ch], 520054h ; 
    .text:10003B3F                 mov     dword ptr [ebp+szRegistryPath+10h], 5C0059h ; 
    .text:10003B46                 mov     dword ptr [ebp+szRegistryPath+14h], 41004Dh ; 
    
    However, some pointers remained intact. In particular, one of them refers to the following quotation by Homer Simpson: “Just pick a dead end and chill out till you die”, which is output in the debugger once initial initialization of the loader is complete.

The Gootkit name can be found in both the loader and the payload module code.

screen

In addition, all driver components responsible for its interaction with other modules operating in user mode were also removed—in particular, the driver that allowed those modules to use VFS. However, BackDoor.Gootkit.112 still has features responsible for VFS initialization and protection.

Unlike Trojan.Mayachok whose payload was incorporated into the loader, BackDoor.Gootkit.112 stores information on payload modules in the HKLM\SOFTWARE\CXSW registry branch as binaryImage32 or binaryImage64, depending on the OS platform (32-bit or 64-bit).

screen

To retrieve the payload, BackDoor.Gootkit.112 injects a special shellcode into SERVICES.EXE, EXPLORER.EXE, IEXPLORE.EXE, FIREFOX.EXE, OPERA.EXE, and CHROME.EXE. The main purpose of the injected shellcode is to download the payload module from the system registry or from a remote server on the Internet. Payload binary files are compressed and encrypted.

Bypassing UAC

To bypass UAC (User Accounts Control) and elevate its own privileges, BackDoor.Gootkit.112 uses a shim (Microsoft Windows Application Compatibility Infrastructure). The Trojan employs the SQL Server Client Network Utility (cliconfg.exe) whose manifest file has the AutoElevate attribute set to “true”; thus, Windows elevates privileges for such applications without involving UAC.

BackDoor.Gootkit.112 uses the apphelp.dll library (SdbCreateDatabase, SdbDeclareIndex, SdbWriteStringTag, and so on) to create a database. The Trojan generates the database name and the value of the Application parameter randomly.

...
      if(!SdbWriteStringTag(hDb, TAG_NAME, szAppName))
        break;
      if(!SdbWriteStringTag(hDb, TAG_APP_NAME, SHIM_APP_NAME))
        break;
      if(!SdbWriteStringTag(hDb, TAG_VENDOR, _T("Microsoft")))
        break;
...
      SdbWriteStringTag(hDb, TAG_COMPANY_NAME, _T("Microsoft Corporation"));
      SdbWriteStringTag(hDb, TAG_INTERNAL_NAME, szAppName);
      SdbEndWriteListTag(hDb, listMatch);
      TAGID listShim = SdbBeginWriteListTag(hDb, TAG_SHIM_REF);
      SdbWriteStringTag(hDb, TAG_NAME, _T("RedirectEXE"));
      SdbWriteStringTag(hDb, TAG_COMMAND_LINE, szTargetApp);
      SdbEndWriteListTag(hDb, listShim);
...

The RedirectEXE shim is used to load the Trojan. This shim allows to run a modified version of a specified application or the malicious program itself instead of the original executable file. BackDoor.Gootkit.112 employs RedirectEXE parameters to specify the path to its executable and a link to the created database.

screen

Once the database is created, it gets installed on the system by means of sdbinst.exe whose manifest file has also the AutoElevate parameter set to “true”; so this utility runs with special privileges. Overall, the UAC bypass scheme looks as follows:

  1. The Trojan creates and installs a new database (shim).
  2. Then it launches cliconfg.exe with elevated privileges.
  3. The shim unloads the original process and uses RedirectEXE to launch the Trojan.

Payload

The Trojan's payload is implemented as an executable file of about 5 MB written in C++. Most of this file is a JavaScript interpreter known as Node.JS. The executable file contains more than 70 pieces of JavaScript code; a significant portion of them constitutes the Node.JS core that provides an easily accessible interface to work with native objects. Some scripts incorporate the Trojan's payload; they enable the backdoor to execute commands coming from the remote server and download additional modules stored in the Windows registry (together with the main module of BackDoor.Gootkit.112).

The Trojan can execute the following commands:

  • Intercept HTTP traffic
  • Perform web injections
  • Block specific URLs
  • Take screenshots
  • Acquire the list of running processes
  • Acquire the list of local users and groups
  • End specified processes
  • Execute shell commands
  • Launch executable files
  • Update itself

In addition to that, BackDoor.Gootkit.112 can perform some other commands.

Recommandations pour le traitement

  1. Si le système d'exploitation peut être démarré (en mode normal ou en mode sans échec), téléchargez Dr.Web Security Space et lancez un scan complet de votre ordinateur et de tous les supports amovibles que vous utilisez. En savoir plus sur Dr.Web Security Space.
  2. Si le démarrage du système d'exploitation est impossible, veuillez modifier les paramètres du BIOS de votre ordinateur pour démarrer votre ordinateur via CD/DVD ou clé USB. Téléchargez l'image du disque de secours de restauration du système Dr.Web® LiveDisk ou l'utilitaire pour enregistrer Dr.Web® LiveDisk sur une clé USB, puis préparez la clé USB appropriée. Démarrez l'ordinateur à l'aide de cette clé et lancez le scan complet et le traitement des menaces détectées.

Veuillez lancer le scan complet du système à l'aide de Dr.Web Antivirus pour Mac OS.

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile Dr.Web pour Android. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur la violation grave de la loi ou la demande d'une rançon est affiché sur l'écran de l'appareil mobile), procédez comme suit:
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil mobile Dr.Web pour Android et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android