goldun-haxspy-haxdoor [2013/01/27 21:29] (current)
Line 1: Line 1:
 +====== Goldun/​Haxspy ======
 +
 +
 +===== General =====
 +**Method of propagation:​**
 +  * This is not a virus and does not contain any method to replicate. However this file may be downloaded by other viruses and/or Trojans to be installed on the user's system.
 +
 +**Platforms / OS:**
 +  * Windows 95
 +  * Windows 98
 +  * Windows 98 SE
 +  * Windows NT
 +  * Windows ME
 +  * Windows 2000
 +  * Windows XP
 +  * Windows 2003
 +
 +**Side effects:**
 +  * Drops malicious files
 +  * Registry modification
 +  * Steals information
 +
 +===== Files  =====
 +File:   ​Install.exe
 +Hash: 601b43c39f726d975f035cc98c146f99
 +
 +This trojan may have any of the standard icon like Microsoft Word Document or JPEG Image.
 +
 +The following files are created:
 +
 +– %SYSDIR%\wndtx1.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. 
 +Hash: bed399d56b82369eb7fb95caad16de04
 +Detected as: TR/​Dldr.Bolol.A.4,​ PWS-Goldun (Password Stealer trojan)
 +
 +– %SYSDIR%\ipudpb2.sys ​
 +Hash: 14ab6317620fb234c436f8114fab7f26
 +Detected as: TR/​Spy.Haxspy.AE,​ BackDoor-BAC.sys (Remote Access trojan)
 +
 +===== Registry ​ =====
 +The following registry keys are added:
 +
 +– [HKLM\SYSTEM\CurrentControlSet\Control]
 +  * "​isfr2"''"​[%random character string%[%current username% ]"
 +
 +– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
 +   ​wndtx1]
 +  * "​DllName"''​wndtx1.dll
 +  * "​Startup"''"​wndtx1"​
 +  * "​Impersonate"''​dword:​00000001
 +  * "​Asynchronous"''​dword:​00000001
 +  * "​MaxWait"''​dword:​00000001
 +
 +– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2]
 +  * "​Type"''​dword:​00000001
 +  * "​Start"''​dword:​00000001
 +  * "​ErrorControl"''​dword:​00000000
 +  * "​ImagePath"''​\??​\%SYSDIR%\IPUDPB2.SYS
 +  * "​DisplayName"''"​IP2 UDPB2"
 +
 +– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security]
 +  * "​Security"''​%hex values%
 +
 +– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum]
 +  * "​0"''"​Root\\LEGACY_IPUDPB2\\0000"​
 +  * "​Count"''​dword:​00000001
 +  * "​NextInstance"''​dword:​00000001
 +
 +
 +The following registry key is changed:
 +
 +– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
 +   Old value:
 +  * "​PendingFileRenameOperations"''​%hex values%
 +   New value:
 +  * "​PendingFileRenameOperations"''​%hex values% ​
 +
 +===== Backdoor ​ =====
 +**Contact server:**
 +The following:
 +  * !http://​www.salidol.biz/​********************
 +
 +As a result it may send information and remote control could be provided. This is done via the HTTP GET and POST method using a PHP script.
 +
 +**Sends information about:**
 +  * Current user
 +  * Collected information described in stealing section
 +  * Information about the Windows operating system
 +
 +===== Stealing ​ =====
 +It tries to steal the following information:​
 +– Passwords typed into '​password input fields'​
 +
 +– A logging routine is started after one of the following websites are visited:
 +  * !http://​www.e-gold.com
 +  * %any HTTPS website that contains a login form%
 +
 +– It captures:
 +  * Window information
 +  * Browser window
 +  * Login information
 +
 +===== Injection ​ =====
 +&#​8211; ​ It injects the following file into a process: %SYSDIR%\wndtx1.dll
 +
 +    All of the following processes:
 +  * iexplore.exe
 +  * %all processes started after malware is active in memory%
 +
 +===== Rootkit Technology ​ =====
 +It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.
 +
 +Hides the following:
 +
 +Method used:
 +  * Hidden from Windows API
 +
 +Hooks the following API functions:
 +  * NtCreateProcess
 +  * NtCreateProcessEx
 +  * ZwCreateProcess
 +  * ZwCreateProcessEx
 +
 +===== File details ​ =====
 +Runtime packer:
 +In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
 +  * FSG
 +
 +
 +-- Main.FredPettis - 26 Mar 2009
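Review bot: the value lines in the Registry section lose the separator between value name and data and open a DokuWiki monospace span ('') that is never closed, for example "isfr2"''"[%random character string%[%current username% ]" and "ImagePath"''\??\%SYSDIR%\IPUDPB2.SYS; writing them as "isfr2" = "..." (or closing the '' right after the name) would keep the name/data split readable and stop the monospace markup from swallowing the rest of the list. In the Rootkit Technology section, "Hides the following:" is followed directly by "Method used:" with no items under it; either list what is hidden or drop that heading. Several lines also carry leftover zero-width characters (in "Install.exe" and in the "Detected as" names), the Injection section uses the HTML entity &#8211; where the other sections use a literal dash, and its "All of the following processes:" line is indented by four spaces, which DokuWiki renders as a preformatted block rather than as the lead-in to the bullet list below it.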
  
goldun-haxspy-haxdoor.txt · Last modified: 2013/01/27 21:29 (external edit)