Threat Advisory: Backdoor-FJW - McAfee

McAfee Labs Threat Advisory

BackDoor-FJW May 10, 2013

Summary

“BackDoor-FJW” is the detection name for a Trojan that receives commands from an attacker to access the infected machine and to download other payloads. It has a built-in module to steal stored passwords, cache and cookies from a number of applications. It is also written to steal stored server names, port numbers, login IDs and passwords from the FTP client applications listed below. Backdoor-FJW is known to download several families, including Zbot, Ransomware, W32/Autorun.worm.aaeh and ZeroAccess. Detailed information about the Trojan, its propagation, and mitigation are in the following sections:

• Infection and Propagation Vectors
• Characteristics and Symptoms
• Restart Mechanism
• Getting Help from the McAfee Foundstone Services team

Infection and Propagation Vectors

Backdoor-FJW is usually used as the initial infection vector for other malware campaigns. The most common method of entry is via spam e-mail sent with the file attached as a ZIP file, or containing a link to download the file. Some of the spam e-mails we have seen carrying BackDoor-FJW come with the following file names:

• form_04042013.zip
• trusteer rapport install_3025022628980967712934052197769.zip
• Payment Advice [B42{_hsbs ref}]
• fax_id{digit[30]}.exe
• key_secure_message.exe
• fax00001{digit[4]}.exe
• Case_Fiserv.exe

Characteristics and Symptoms

Description

Upon execution the Trojan connects to the following URLs:

• hxxp://ht[Removed]/ponyb/gate.php
• hxxp://bi[Removed]/ponyb/gate.php
• hxxp://23.my[Removed]/ponyb/gate.php
• hxxp://24.ce[Removed]/ponyb/gate.php
• hxxp://ww[Removed]B.exe
• hxxp://ni[Removed]r.exe
• hxxp://bm[Removed]Y.exe
• hxxp://ww[Removed]4x.exe
• hxxp://g-w[Removed]RZ.exe
• 216.172.[Removed].200
• 80.237.[Removed].232
• 199.19.[Removed].149
• hxxp://116.122.158.195:8080/ponyb/gate.php
• hxxp://fatbanking.com/ponyb/gate.php
• hxxp://fractora.com/ponyb/gate.php
• hxxp://fractoracenter.com/ponyb/gate.php
• hxxp://www.easybyte-computer.de/pbUqRk.exe
• hxxp://hypnosolutionscd.com/n5C.exe
• hxxp://ftp.tcmls.org/qrAQeV.exe
• hxxp://ftp.lithotipiki.gr/uhk2U.exe

BackDoor-FJW drops the downloaded malware and executes it. It has been seen to drop Zbot samples with a random file name in a random folder under the Application Data folder, like this one:

• C:\Documents and Settings\username\Application Data\Wayw\qyixe.exe

It may also download and execute other malware families like ZeroAccess, Ransomware, and W32/Autorun.worm.aaeh.

BackDoor-FJW also injects malicious threads into different running processes on the victim's machine. It injects its thread into the address space of Explorer.exe, bypasses the Windows Firewall and connects to a remote site. The Windows Firewall exception for Explorer.exe lives in the following registry value, shown below first with the exception disabled and then with the exception enabled:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer"

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"

These changes cause the Windows Firewall to allow any connection originating from the Explorer.exe process without warning the current user. Because Backdoor-FJW injects its threads into this process, it can connect to malicious sites without the user being warned.

The Trojan steals stored passwords, cache and cookies from the following applications:

• Opera
• Firefox
• Internet Explorer
• Google Chrome
• Windows Live Mail
• K-Meleon
• Epic
• Thunderbird
• Bromium
• Nichrome
• Comodo
• RockMelt
• Visicom Media
• Chromium
• Global Downloader
• NetSarang
• Cyberduck
• Pocomail
• BatMail
• NCH Software
• ExpanDrive
• Cryer
• Fling
• Martin Prikryl

The Trojan steals stored server names, port numbers, login IDs and passwords from the following FTP clients:

• Robo-FTP 3.7
• LinasFTP
• NovaFTP
• LeechFTP
• SFTP
• LeapFTP
• FTPVoyager
• ClassicFTP
• FTPClient
• FTP Explorer
• VanDyke
• FTPRush
• FFFTP
• FTPHost
• Ghisler
• BlazeFtp
• BulletProof FTP
• FileZilla
• PuTTY
• FlashFXP
• CuteFTP 6,7,8
• CuteFTP Lite
• CuteFTP Pro

Once executed, the Trojan attempts to connect to the Administrator account on the remote machine. The Trojan uses the following passwords to brute force the account:

Fig 1. List of passwords tried by the malware (figure image not reproduced in this text)

Mitigation

Users are requested to exercise caution while opening unsolicited email messages and unknown links. Users are advised to update Windows patches and virus definitions on a regular basis.

Restart Mechanism

Description

The following registry entry confirms that the Trojan executes every time Windows starts:

• HKEY_Users\SID\Software\Microsoft\Windows\CurrentVersion\Run\{CLSID}: "C:\Documents and Settings\username\Application Data\Random_Folder\Random_fileName.exe"
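The two registry artifacts this advisory names, the Windows Firewall AuthorizedApplications exception for Explorer.exe and the per-user Run value pointing at an executable under Application Data, can be checked offline against a registry export. The script below is an added example, not McAfee's code or part of the advisory. It parses a .reg text export and flags both indicators; the sample export embedded in it is constructed for the example (the SID, the {CLSID} value name and the Wayw\qyixe.exe path are placeholders modelled on the advisory's text), and the key paths are the ones the advisory lists.

```python
"""Offline check for the two BackDoor-FJW registry indicators.

Parses a Windows .reg export (text) and flags:
  1. an AuthorizedApplications entry that sets C:\\WINDOWS\\explorer.exe
     to Enabled (the process the Trojan injects into), and
  2. a per-user Run value named like a {CLSID} that launches an .exe
     from a folder under "Application Data".
The registry text below is a constructed sample, not a real capture.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export: the explorer.exe firewall exception in its
# Enabled state, a benign Run value, and one Run value shaped like the
# advisory's persistence entry (placeholder CLSID and path).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{A1B2C3D4-E5F6-4789-ABCD-0123456789AB}"="\"C:\\Documents and Settings\\username\\Application Data\\Wayw\\qyixe.exe\""
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" where both sides may contain \\ and \" escapes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_CLSID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')

FIREWALL_LIST_SUFFIX = (r'\services\sharedaccess\parameters\firewallpolicy'
                        r'\standardprofile\authorizedapplications\list')
RUN_KEY_SUFFIX = r'\software\microsoft\windows\currentversion\run'


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value_data}} for the REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_enabled_explorer_exceptions(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Paths of explorer.exe entries that are Enabled in the firewall list."""
    hits: List[str] = []
    for path, values in keys.items():
        if not path.lower().endswith(FIREWALL_LIST_SUFFIX):
            continue
        for data in values.values():
            # Data layout: <app path>:<scope>:<Enabled|Disabled>:<display name>
            fields = data.rsplit(':', 3)
            if len(fields) != 4:
                continue
            app, _scope, state, _name = fields
            if app.lower().endswith('\\explorer.exe') and state == 'Enabled':
                hits.append(app)
    return hits


def find_suspicious_run_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(value name, command) for CLSID-named Run values under Application Data."""
    hits: List[Tuple[str, str]] = []
    for path, values in keys.items():
        if not path.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            cmd = data.strip('"')
            low = cmd.lower()
            if _CLSID_RE.match(name) and '\\application data\\' in low and low.endswith('.exe'):
                hits.append((name, cmd))
    return hits


def scan(text: str) -> Dict[str, list]:
    """Run both checks over a .reg export and return the findings."""
    keys = parse_reg_export(text)
    return {
        "firewall_explorer_enabled": find_enabled_explorer_exceptions(keys),
        "suspicious_run_entries": find_suspicious_run_entries(keys),
    }


if __name__ == "__main__":
    for kind, found in scan(SAMPLE_REG).items():
        print(kind, found)
```

Run it against a real export taken with `reg export` of the two keys; an Enabled explorer.exe exception is worth investigating on its own, since Explorer normally has no reason to be an authorized firewall application, and a Run value whose name is a bare GUID and whose target sits in a random folder under Application Data matches the persistence pattern described above.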

Getting Help from the McAfee Foundstone Services team This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities. You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

2011 McAfee, Inc. All rights reserved.