Threat Advisory: Backdoor FBPZ - McAfee

McAfee Labs Threat Advisory BackDoor-FBPZ January 27, 2014

McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://sns.snssecure.mcafee.com/content/signup_login

Summary

BackDoor-FBPZ is the generic detection provided for the malicious backdoor that comes bundled with a few variants of the GoMPlayer application (a video player) while it performs a regular software update. The payload is programmed to work in both 32-bit and 64-bit environments using platform-specific binaries. The malware component silently injects into explorer.exe, opens a port and connects to a remote site to receive commands from the remote attacker.

Detailed information about the threat, its propagation, characteristics and mitigation is in the following sections:
• Infection and Propagation Vectors
• Mitigation
• Characteristics and Symptoms
• Restart Mechanism
• Remediation
• McAfee Foundstone Services

McAfee Labs Threat Intelligence descriptions for this malware are available in the following location:

The minimum DAT versions required for detection are:

Detection Name   MD5 of samples                     DAT Version   Date
BackDoor-FBPZ!   008FBD0FDE06EDB31FC7EECDAE1A3030   7328          24-01-2014
BackDoor-FBPZ!   0AE82FD94836815A1E8D284CCB75109D   7328          24-01-2014
BackDoor-FBPZ!   09F822EBDA94CF07BA7D3F95674412EF   7328          24-01-2014
BackDoor-FBPZ!   A9225E059D9DACE1B259BCEEC7F48DAE   7328          24-01-2014
BackDoor-FBPZ!   916B1A07EFB145C450B4C13540BE6C3E   7328          24-01-2014
BackDoor-FBPZ!   1D2C77F0F8A715DE09CE6FAE5FC800D4   7328          24-01-2014

Infection and Propagation Vectors

A software update to the video player application GoMPlayer, hosted at a public site, downloads updates bundled with malicious binaries. The update arrives in a zipped format and is dropped onto the victim's machine upon execution.

The propagation vector is observed to be public websites hosting a patched version of GoM player.

Mitigation

Mitigating the threat at multiple levels (file, registry and URL) can be achieved at various layers of McAfee products. Browse the product guidelines available here to mitigate the threat based on the behavior described below in the Characteristics and Symptoms section.

EPO
• To block access to USB drives through an EPO DLP policy, refer to this tutorial.

VSE
• Refer to article KB53346 to use Access Protection policies in VirusScan Enterprise to protect against viruses that can disable regedit.
• Refer to article KB53355 to use Access Protection policies in VirusScan Enterprise to protect against viruses that can disable Task Manager.
• Refer to article KB53356 to use Access Protection policies in VirusScan Enterprise to prevent malware from changing folder options.

HIPS
• To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
• To create an application blocking rules policy that prevents the binary from running, refer to KB71794.
• To create an application blocking rules policy that prevents a specific executable from hooking any other executable, refer to KB71794.
• To block attacks from a specific IP address through McAfee Nitrosecurity IPS, refer to KB74650.

Others
• To disable the Autorun feature on Windows remotely using Windows Group Policies, refer to this article from Microsoft.

Characteristics and Symptoms

Updating or installing the GoMPlayer application (video player software) that has malicious components bundled with it drops the malicious files. When the user installs the bundled application, install.exe is executed covertly. It then decrypts other files in order to open a port in the background and connect to a remote site without the user's knowledge:

Install.exe first XORs the encrypted bytes with key 0x14 to obtain the DLL files it loads into memory for further use, as shown in the figure below:

It then resolves more files, which it uses later:

These files are:
• Install.ocx
• Dll.tmp
• Dll64.tmp
• Instructions.pdf
• Instructions64.pdf

The parent file checks which OS it is running under. If a 32-bit version of Windows is found, the following files are added to the Temp directory:
a) DLL.TMP (MD5: d5548e1913950a42a04debcac4222bd2)
b) INSTRUCTIONS.PDF (MD5: 569071c45f47b7fb7a75f30bc07d5739)

If the victim is running a 64-bit version of Windows, the 64-bit versions of the files mentioned above are copied to the Temp directory instead:
a) DLL64.TMP (MD5: 01f7b465242237bd3d31d39767aa68e0)
b) INSTRUCTIONS64.PDF (MD5: 55474f8e26f2b6fc3b5d78ce9a77b0b0)

All the dropped files are PE files, but they are XORed with key 0x14 when dropped into the Temp directory. Install.exe then reads the file dll.tmp (a binary encrypted with key 0x14) and gets its size:

We can see the encrypted file in the below dump:

This encrypted file is then decrypted with key 0x14 in memory:

Once dropped, install.exe decrypts DLL/DLL64.TMP, appends a large amount (more than 20 MB) of empty data to the end of the file and writes it to the windows\temp folder as install.ocx:

It copies the install.ocx file into a temp folder under the Windows directory. Once install.ocx has been copied, it executes it and restarts explorer.exe using the following command:

cmd.exe /C taskkill /f /im explorer.exe &ping -n 3 127.1>nul& start %windir%\explorer.exe
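The following Python triage helper is an added example, not part of McAfee's advisory or of the malware's code. It checks files from a suspect host's Windows Temp directory against the storage forms described above: a PE image that only appears after XOR-decoding with key 0x14 (DLL.TMP / INSTRUCTIONS.PDF), a PE carrying a very large run of empty bytes at its end (install.ocx), and the dropped filenames listed in this advisory. The minimal PE check (MZ header plus e_lfanew pointing at a PE signature) and the 20 MB padding threshold are assumptions taken from the text rather than a definitive signature.

```python
import os
import struct

XOR_KEY = 0x14                         # key the advisory reports for the dropped files
NULL_PAD_THRESHOLD = 20 * 1024 * 1024  # install.ocx carries >20 MB of empty data at its end (assumed threshold)

# Names the advisory reports as dropped into %windir%\temp (compared case-insensitively)
DROPPED_NAMES = {"dll.tmp", "dll64.tmp", "instructions.pdf", "instructions64.pdf", "install.ocx"}


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR the dropper applies before writing files to disk."""
    return bytes(b ^ key for b in data)


def is_pe(data: bytes) -> bool:
    """Minimal PE check: MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def trailing_null_bytes(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the file (the appended padding)."""
    return len(data) - len(data.rstrip(b"\0"))


def classify(name: str, data: bytes, pad_threshold: int = NULL_PAD_THRESHOLD) -> list:
    """Return the indicators from the advisory that this file matches (empty list = none)."""
    findings = []
    if name.lower() in DROPPED_NAMES:
        findings.append("name-matches-dropped-file")
    if not is_pe(data) and is_pe(xor_decode(data)):
        findings.append("pe-hidden-by-xor-0x14")        # DLL.TMP / INSTRUCTIONS.PDF storage form
    if is_pe(data) and trailing_null_bytes(data) > pad_threshold:
        findings.append("pe-with-large-null-overlay")   # install.ocx storage form
    return findings


def scan_dir(path: str) -> dict:
    """Classify every regular file in a directory, e.g. an acquired copy of C:\\Windows\\Temp."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                hits = classify(entry.name, fh.read())
            if hits:
                results[entry.name] = hits
    return results
```

Files that only decode to a PE under XOR 0x14 are worth preserving for hash comparison against the sample MD5s given earlier in this advisory.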

Install.ocx decrypts INSTRUCTIONS/INSTRUCTIONS64.PDF in memory, writes it into the address space of explorer.exe, performs relocations and fixes the import table. Once this is complete, it creates a thread in explorer.exe at the entry-point of the decrypted file:

The decrypted versions of INSTRUCTIONS/INSTRUCTIONS64.PDF decrypt their own overlay to uncover the command and control server to contact. They do this by finding the strings “AAAAAAAA” and “PPPPPPPP” in the overlay and decoding the rest of the strings using Base64 followed by an ADD/XOR with the keys 0x7a and 0x19 respectively:

This uncovers the server name testqweasd.tk and the port 443; the name resolves to 211.43.220.89:

The file then serves as a backdoor by opening a port to the server and listening indefinitely for commands:

"JXNcc2hlbGxcb3Blblxjb21tYW5k" - gives %s\shell\open\command. This is used to register various video extensions with GOMPlayer to give the impression that the sample is a part of the GOMPlayer bundle and not a separate malicious payload:

"SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==" - gives HARDWARE\DESCRIPTION\System\CentralProcessor\0

Information about the processor clock speed is also sent to the server by reading the registry key “HARDWARE\DESCRIPTION\System\CentralProcessor\0 :: ~MHz”. The file also checks for the presence of the following files in the temp directory inside the Windows directory:
• neercss.ocx
• elifs.ocx
• llehss.ocx
• draobyeks.ocx
• ssecorps.ocx
• tidegers.ocx
• secivress.ocx
• oedivs.ocx
• oiduas.ocx
• pamtrop.ocx

All the filenames listed above are encrypted using the same Base64/ADD/XOR technique used to store the C&C domain name. Since these files are not present in the installer, it is possible that they are received from the C&C server.

Restart Mechanism

No restart mechanism was observed during the malware infection.

Remediation

The detection for this variant of the malware family has been added to the database and is available from DAT #7328. A Full Scan with updated DATs can remove the infection from the machine.

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities. You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

© 2011 McAfee, Inc. All rights reserved.