Technical Details
This Trojan masks its presence in the system from users and from other programs. It is a Windows application (PE EXE file). It is 92 160 bytes in size.
Installation
The following operating systems are required for it to launch:
Windows Vista
Windows XP Professional x64 Edition
Windows Server 2008, Windows Server 2003 with SP1
Once launched, it deletes its original file and writes its loader to the hard drive's MBR. This allows the Trojan to obtain full administrative rights before the operating system boots.
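A defender-side baseline check for the first disk sector, added here as an illustration and not part of the original description: it hashes the bootstrap-code area separately from the partition table, so a rewritten loader is reported even when the partition entries are untouched. The sample sectors and the baseline hash are constructed in the code, not taken from a real infection.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440     # bootstrap code occupies bytes 0..439; disk signature follows
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # must hold 0x55 0xAA

def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only, so a partition-table edit cannot mask a loader swap."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()

def partition_entries(mbr: bytes):
    """Yield (status, type, lba_start, sector_count) for the four partition slots."""
    for i in range(4):
        yield struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)

def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline (possible bootkit loader)")
    active = 0
    for status, ptype, lba, count in partition_entries(mbr):
        if status not in (0x00, 0x80):
            findings.append(f"invalid partition status byte 0x{status:02x}")
        active += status == 0x80
        if ptype != 0 and (lba == 0 or count == 0):
            findings.append(f"partition type 0x{ptype:02x} has an invalid extent")
    if active > 1:
        findings.append("more than one active partition")
    return findings

def _build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given bootstrap bytes plus one active NTFS partition at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)

# Constructed samples: a "clean" sector and one whose bootstrap code was replaced (placeholder bytes).
CLEAN_MBR = _build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # typical boot-code prologue, constructed
BASELINE = boot_code_hash(CLEAN_MBR)                       # record this on a known-clean machine
MODIFIED_MBR = _build_mbr(b"\xeb\xfe" + b"\x90" * 100)    # not real malware code, only a stand-in
```

On a live system the 512 bytes would be read from the raw physical disk with a privileged tool and passed to `check_mbr` together with the hash recorded at baseline time.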
The rootkit keeps its own encrypted file system outside the marked-off area of the disk; its configuration data and additional user-mode libraries are stored there.
The rootkit also hooks DriverStartIO in the miniport driver of the hard disk controller in order to service requests for its own files.
It infects one randomly selected system driver by injecting its code into it. This allows the rootkit to load its body from the disk and then return control to the original driver.
In order to hide its presence in the system, it installs hooks on the following kernel functions:
IofCallDriver;
IofCompleteRequest;
NtFlushInstructionCache;
NtEnumerateKey;
NtSaveKey;
NtSaveKeyEx.
Payload
When launched, the Trojan injects its script into all system processes. It uses these processes to try to download the configuration file from the controlling server specified in the "wspservers" parameter:
http://zlo***cv1.com/
http://71h***l01.com/
http://axj***0h.com/
http://rf9***16zzl.com/
http://dsg***4aa17.com/
http://l1i1***o8as0.com/
http://7ga***ja90a.com/
http://n1***1s6cx0.com/
The addresses of the rootkit's administration consoles are listed in the "servers" parameter:
https://19j***300z.com/
https://lj***b0.com/
https://li1***b0.com/
https://zz8***da88.com/
https://n1***53.com/
https://01***x00.cc/
It executes the following controlling server commands:
DownloadCrypted: download an encrypted file;
DownloadAndExecute: download and execute a file;
DownloadCryptedAndExecute: download an encrypted file, decrypt it and execute it;
Download: download a file;
ConfigWrite: modify the configuration file.
The rootkit's code functions only in the following processes:
*explo*
*firefox*
*chrome*
*opera*
*safari*
*netsc*
*avant*
*browser*
*mozill*
*wuauclt*
During its operation, the injected rootkit tracks visits by the user to the following sites:
Falexametrics.com fimservecdn.com myspacecdn.com .tqn.com searchvideo.com flickr.com .com.com oneriot.com picsearch.com twimg.com adcertising.com openx.org truveo.com tacoda.net doubleverify.com atwola.com meedea.com wazizu.com yieldmanager.com worthathousandwords.com firmserve.com compete.com lygo.com superpages.com edgesuite.net infospace.com ytimg.com 66.235.120.67 66.235.120.66 scorecardresearch.com iwon.com doubleclick.net 2mdn.net yimg.com powerset.net ivwbox. atdmt.com virtualearth.net gstatic.com abmr.net adbureau.net tribalfusion.com adrevolver.com everesttech.net othersonline.com aolcdn.com twitter.com wikimedia.org wikipedia.org youtube.com facebook.com amazon.com adobe.com macromedia.com blinkx.com alexa.com conduit.com answers.com myspace.com about.com mamma.com .search.com .lycos. alltheweb.com webcrawler.com metacrawler.com dogpile.com excite.com exalead.com ask.com altavista.com msn.com live.com yahoo google
This information is sent to the controlling server together with system configuration parameters. In response the server sends the page that has to be displayed to the user.
The rootkit modifies queries to major search engines to implement "Black Search Engine Optimization" (Black SEO). In the part of the drive encrypted by the rootkit, it creates a "keywords" file containing the words that are to be sent to the search engine; the site specified by the malicious user is then displayed in the search results. The Trojan uses JavaScript to fully emulate a user operating a search engine: this script is injected into the browser and simulates clicking on the corresponding links.
It contains a clicker functionality and visits sites specified in the "clkservers" parameter:
http://z0***1i0.com/
It displays pop-up windows served from the server listed in the "popupservers" parameter:
http://clk***s66.com/
Rootkit's version number: 3.273
Propagator's identifier: 20694
Date and time when the rootkit was created: 13.07.2010 9:40