Detailed information about the Trojan, its propagation, and mitigation are in the following sections:

Size: px

Start display at page:

Download "Detailed information about the Trojan, its propagation, and mitigation are in the following sections:"

Joy Lyons
8 years ago
Views:

1 Summary McAfee Labs Threat Advisory BackDoor-FJW May 10, 2013 BackDoor-FJW is detection for Trojan that receives commands from an attacker to access the infected machine and to download other payloads. They have inbuilt module to steal stored passwords, cache and cookies from the different applications. They are also written to steal stored server names, port numbers, login IDs and passwords from the below mentioned FTP clients application. Backdoor-FJW is known to download several families, including Zbot, Ransomware, W32/Autorun.worm.aaeh and ZeroAccess. Detailed information about the Trojan, its propagation, and mitigation are in the following sections: Infection and Propagation Vectors Characteristics and Symptoms Restart Mechanism Getting Help from the McAfee Foundstone Services team Infection and Propagation Vectors Backdoor-FJW is usually used as the initial infection vector for other malware campaigns. The most common method of entry is via spam sent with the file attached as a ZIP file, or containing a link to download the file. Some of the spam s we seen carrying BackDoor-FJW come with the following file names: form_ zip trusteer rapport install_ zip Payment Advice [B42{_hsbs ref}] fax_id{digit[30]}.exe key_secure_message.exe fax00001{digit[4]}.exe Case_Fiserv.exe Characteristics and Symptoms Description Upon execution the Trojan connects to the following URLs: hxxp://ht[removed]/ponyb/gate.php hxxp://bi[removed]/ponyb/gate.php hxxp://23.my[removed]/ponyb/gate.php hxxp://24.ce[removed]/ponyb/gate.php hxxp://ww{removed]b.exe hxxp://ni[removed]r.exe hxxp://bm[removed]y.exe hxxp://ww[removed4x.exe hxxp://g-w[removed]rz.exe [Removed] [Removed] [Removed.149 hxxp:// :8080/ponyb/gate.php hxxp://fatbanking.com/ponyb/gate.php hxxp://fractora.com/ponyb/gate.php hxxp://fractoracenter.com/ponyb/gate.php hxxp:// hxxp://hypnosolutionscd.com/n5c.exe

They are also written to steal stored server names, port numbers, login IDs and passwords from the below mentioned FTP clients application.

2 hxxp://ftp.tcmls.org/qraqev.exe hxxp://ftp.lithotipiki.gr/uhk2u.exe BackDoor-FJW drops the downloaded malware and executes it. They are seen to drop Zbot samples with random file name in %random folder% under Application Data folder like this one below: C:\Documents and Settings\username\Application Data\Wayw\qyixe.exe It may also download and execute other malware families like ZeroAccess, Ransomware, and W32/Autorun.worm.aaeh BackDoor-FJW also injects malicious threads into different running processes in the victim's machine. It injects its thread in the address space of Explorer.exe, bypasses the Firewall and connects to a remote site. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolic y\standardprofile\authorizedapplications\list\c:\windows\explorer.exe: "C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolic y\standardprofile\authorizedapplications\list\c:\windows\explorer.exe: "C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer" These changes will cause the Windows firewall to allow any connection originating from the process Explorer.exe to go through without warning the current user. Since Backdoor-FJW injects threads into this process, it does that to be able to connect to malicious sites without warning the user. The Trojan steals stored passwords, cache and cookies from the following applications: Opera Firefox Internet Explorer Google Chrome Windows Live Mail K-Meleon Epic Thunderbird Bromium Nichrome Comodo RockMelt Visicom Media Chromium Global Downloader NetSarang Cyberduck Pocomail BatMail NCH Software ExpanDrive Cryer Fling Martin Prikryl The Trojan steals stored server names, port numbers, login IDs and passwords from the following FTP clients: Robo-FTP 3.7 LinasFTP NovaFTP LeechFTP SFTP LeapFTP

exe It may also download and execute other malware families like ZeroAccess, Ransomware, and W32/Autorun.worm.

3 FTPVoyager ClassicFTP FTPClient FTP Explorer VanDyke FTPRush FFFTP FTPHost Ghisler BlazeFtp BulletProof FTP FileZilla PuTTY FlashFXP CuteFTP 6,7,8 CuteFTP Lite CuteFTP Pro Once executed, the Trojan attempts to connect to the Administrator account on the remote machine. The Trojan uses the following passwords to brute force the account:

Pro Once executed, the Trojan attempts to connect to the Administrator account on

4 Fig 1. List of Passwords tried by malwares

5 Mitigation Users are requested to exercise caution while opening unsolicited messages and unknown links. Users are advised to update Windows patches and virus definitions on a regular basis. Restart Mechanism Description The following registry entry confirms that the Trojan executes every time when windows starts: HKEY_Users\SID\Software\Microsoft\Windows\CurrentVersion\Run\{CLSID}: ""C:\Documents and Settings\ username\application Data\Random_Folder\Random_fileName.exe"" Getting Help from the McAfee Foundstone Services team This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities. You can reach them here: McAfee, Inc. All rights reserved.

$""C:\Documents and Settings\ username\application Data\Random_Folder\Random_fileName.$

McAfee Labs Threat Advisory W32/Autorun.worm.aaeb-h

Summary McAfee Labs Threat Advisory W32/Autorun.worm.aaeb-h August 9, 2013 W32/Autorun.worm.aaeb-h has the ability to infect removable media devices, as well as mounted network shares. Infection starts