Rbot
Platform: Win32
Type: Backdoor
Size: 340974 bytes
Packer: unknown
Unpacked size: 639 Kb
Language: C++
MD5: df2436b584808064ddf4788b04f215f3
SHA1: 69c65c7e75d275fd8d0783d84d50cd7d6933d335
Aliases: Trojan.Win32.Ircbrute, Backdoor:Win32/Rbot, Backdoor.Win32.DarkKomet
Summary
Rbot is a Trojan program which allows an attacker remote access to the compromised system. Rbot is a component of "rundat.exe", which is downloaded by another malicious program, Blazebot, from the FTP server:
jayne.p0rn-lover.us:8989
File compilation date is 30.06.2013:

During the investigation, the "rundat.exe" was downloaded with the following MD5 hashes:
7d6a4a7924bccc6537fc643e2f956c36 is detected as Trojan.Win32.Ircbrute by Ad-Aware Antivirus. Compilation date is 19.06.2013.
c7c7345bb0c0e14a9b6b937fc7ebb2fd is detected as Trojan.Win32.Generic!BT. Compilation date is 07.07.2013.
cb46ce95ad089c540b4e02daeb192e6f is detected as Trojan.Win32.Ircbrute. Compilation date is 04.07.2013.
The latest modification of the "rundat.exe" file received from the FTP server has MD5 ef484d123cecaa3744774187dd120164. Its compilation date is 15.07.2013, and almost no antivirus products detect it:

All files have identical functionality. To evade detection by antivirus programs, attackers use the Mutation Engine and periodically upload updates for the backdoor executable file.
Technical Details
Installation
Once activated, the backdoor copies itself to the system folder under a randomly generated name:
%System%\<rnd>.exe
Date and time set for the backdoor copy is the same as for the "explorer.exe" file.
"Read-only" and "Hidden" attributes are then applied to the file.
To be automatically launched upon each Windows startup the backdoor adds a link to its executable file in the system registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "%System%\<rnd>.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "<rnd>.exe"
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "<rnd>.exe"
[HKLM\Software\Microsoft\yOLE]
"Supports RAS Connections" = "<rnd>.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "%System%\<rnd>.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" ="<rnd>.exe"
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "<rnd>.exe"
[HKCU\Software\Microsoft\yOLE]
"Supports RAS Connections" = "<rnd>.exe"
where <rnd> is a random sequence of the Latin alphabet letters (for example, "bjxfdcz" or "jqoglul").
Payload
To ensure that only a single instance of the malware process is running, the Trojan creates a unique identifier with the following name:
LIQUID
The backdoor connects to the IRC server:
videos.p0rn-lover.us:6667
Once connected to the server, the backdoor uses a specially constructed NICK that is derived from the locale of the compromised system, from random digits seeded with the time elapsed since system startup, and from whether a window with the "mIRC" class name is present on the system.
Once successfully connected to the C&C server, the backdoor joins the following channel to receive commands:
#fkyou#
The server is located in the United States:

When the description was created, the backdoor received commands to download another malicious program:

The file is downloaded from the following URL:
hxxp://www.dropbox.com/s/eysw6hxovddeau5/nn.exe?dl=1
The file is 262736 bytes in size, MD5: 04d32029a7e277222a5c48c432b23b26. It is a malicious program known as NrgBot. It is detected by Ad-Aware Antivirus as Worm.Win32.Dorkbot, compilation date is 04.07.2013.
The downloaded file is then saved to the root Windows folder under the name "system.exe":
%WinDir%\system.exe
Once successfully downloaded, the file is launched for execution.
During the investigation, the C&C server sent commands to download the NrgBot malware from the following URLs:
hxxp://www.dropbox.com/s/a4gaze3j44i5b19/n.exe?dl=1
hxxp://www.dropbox.com/s/3oqkk0kmn11qo52/n.exe?dl=1
The file is 243488 bytes in size, MD5: e9de715aebb1724efb666b68682e17b2, and is detected by Ad-Aware Antivirus as Worm.Win32.Dorkbot. Compilation date is 04.07.2013.
hxxps://www.dropbox.com/s/7j355a8pnz8fbcm/nr.exe?dl=1
The file is 263760 bytes in size, MD5: 9cef91d3c589d3221ba4a382cdd8eefa, and is detected by Ad-Aware Antivirus as Worm.Win32.Dorkbot. Compilation date is 09.07.2013.
Mutation Engine use allows attackers to effectively evade antivirus detections:

The backdoor performs the following actions following attacker’s commands:
- Start a remote shell and run commands.
- Send SYN flood to the target system. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to the target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
- Send ACK flood to the target system. A denial of service attack that sends a large number of TCP packets with the ACK flag set to a target.
- Download the other malicious program.
- Redirect TCP traffic.
- Upload files through FTP.
- End threads.
- Launch TFTP server.
- Perform a DNS look-up.
- Send clipboard data.
- Visit URLs specified by an attacker.
- Delete files specified by an attacker.
- Scan for ports on the network.
- Send e-mail.
- Send network configuration information.
- Send thread list.
- Perform commands specified by an attacker using the IRC client mIRC, if it is installed on the compromised system.
- Delete its body using a command interpreter batch file which is saved to the current user's Windows temporary folder under the following name:
%Temp%\<rnd1>sdel.bat
where <rnd1> is a random sequence of the Latin alphabet letters.
- The backdoor also listens on TCP port 113 (the Ident service), which some IRC servers query when a client connects.
This backdoor may also attempt to connect to SQL servers by attempting to log in using commonly used passwords. Once connected, it may instruct the server to download and run a copy of itself via TFTP.
Below is a list of frequently used logins and passwords which are hardcoded in the malware.
Logins:
administrator
administrador
administrateur
administrat
admins
admin
staff
root
computer
owner
student
teacher
wwwadmin
guest
default
database
dba
oracle
db2
Passwords:
(blank)
administrator
bill
Nrgbot
Nrgbot downloaded by the backdoor is saved to the "%WinDir%\system.exe" file and after launch connects to the same IRC server:

It then joins the following channel:
#nrz#
and receives commands to download files to the compromised computer:

Files are downloaded from the following URLs:
hxxp://www.dropbox.com/s/z2bevmalyco39ap/rep.exe?dl=1
The file is 234576 bytes in size, MD5: b027d16320803018b0602c1d32a09570, detected by Ad-Aware Antivirus as Trojan.Win32.Generic!BT. Compilation date is 07.07.2013. It is the Blazebot malware:
hxxp://www.dropbox.com/s/6etxnj97npjpyq8/van.exe?dl=1
The file is 661869 bytes in size, MD5: 02d0587c38f896e07a5cd351c04dbcb, detected by Ad-Aware Antivirus as Trojan.Win32.Generic!BT. Compilation date is 09.06.2012. The program is designed to generate bitcoins.
The files are then saved to the current user's Windows temporary folder under a randomly generated name:
%AppData%\<rnd2>.exe
where <rnd2> is a random hexadecimal digit.
A module to generate bitcoins is installed to the following hidden folder:
%WinDir%\system\critical\btc.il (151652 bytes)
%WinDir%\system\critical\phatk.ptx (206858 bytes)
%WinDir%\system\critical\phatk.cl (9741 bytes)
%WinDir%\system\critical\system.exe (54784 bytes)
%WinDir%\system\critical\usft_ext.dll (939264 bytes)
%WinDir%\system\critical\btc-evergreen.il (84967 bytes)
%WinDir%\system\critical\antivirus.bat (79 bytes)
%WinDir%\system\critical\miner.dll (340992 bytes)
%WinDir%\system\critical\guicomp.dll (33792 bytes)
%WinDir%\system\critical\sys.bat (345 bytes)
%WinDir%\system\critical\nircmd.exe (43520 bytes)
%WinDir%\system\critical\coinutil.dll (29184 bytes)
It is launched with a command:
system.exe -o hxxp://hitmanuk_pran:[email protected]:8332 -g yes -I 100
This causes CPU usage to increase:

To automatically launch the bitcoin generator, the following key is created:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\system\critical\antivirus.bat"
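The persistence described in the Installation section and the miner launcher above leave distinctive autorun entries. The following added example (not part of the original description and not Lavasoft code) shows a defender-side check over autorun entries exported from a host: the function names, the constructed sample entries, and the assumption that <rnd> is seven lowercase letters (taken from the two samples "bjxfdcz" and "jqoglul") are mine.

```python
import re

# Indicators taken from the Rbot description: the value name it writes under
# every Run/RunServices/Lsa key, the non-standard "yOLE" key it creates, and
# the "Windows Update" autorun that starts the bitcoin miner installed by Nrgbot.
RBOT_VALUE_NAME = "supports ras connections"
RBOT_ODD_KEY = r"\software\microsoft\yole"
# Assumption: <rnd> is exactly seven lowercase Latin letters (both page samples are).
RBOT_EXE_RE = re.compile(r"(^|\\)[a-z]{7}\.exe$")
MINER_LAUNCHER = r"\system\critical\antivirus.bat"


def classify_autorun(key, name, data):
    """Return the reasons an autorun entry (key, value name, data) matches the
    Rbot/Nrgbot persistence pattern; an empty list means no indicator hit."""
    reasons = []
    k, n, d = key.lower(), name.lower(), data.strip('"').lower()
    if n == RBOT_VALUE_NAME:
        reasons.append("Rbot value name 'Supports RAS Connections'")
    if RBOT_ODD_KEY in k:
        reasons.append("entry under the non-standard Software\\Microsoft\\yOLE key")
    if "\\lsa" in k and d.endswith(".exe"):
        reasons.append("executable registered under Control\\Lsa")
    if RBOT_EXE_RE.search(d):
        reasons.append("seven random lowercase letters + .exe (Rbot naming)")
    if n == "windows update" and d.endswith(MINER_LAUNCHER):
        reasons.append("'Windows Update' autorun pointing at the miner launcher")
    return reasons


def scan_autoruns(entries):
    """entries: iterable of (key, value_name, data); returns the suspicious ones."""
    hits = []
    for key, name, data in entries:
        reasons = classify_autorun(key, name, data)
        if reasons:
            hits.append((key, name, data, reasons))
    return hits


# Constructed sample: what a registry export from an infected host might contain,
# plus one legitimate entry that must not be flagged.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Supports RAS Connections", r"C:\Windows\System32\bjxfdcz.exe"),
    (r"HKLM\Software\Microsoft\yOLE", "Supports RAS Connections", "jqoglul.exe"),
    (r"HKCU\SYSTEM\CurrentControlSet\Control\Lsa", "Supports RAS Connections", "jqoglul.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Update", r"C:\Windows\system\critical\antivirus.bat"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for key, name, data, reasons in scan_autoruns(SAMPLE_ENTRIES):
        print(f"{key}\\{name} = {data}\n    -> {'; '.join(reasons)}")
```

On a live Windows host the tuples can be produced by walking the listed keys with the standard winreg module or by parsing a `reg export` file; the classification logic is the same.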
A description of Rbot generated by our automated malware analysis system can be found here.
Conclusion
Three IRC bots, Rbot, Nrgbot and Blazebot, are apparently under the control of the same operator. Following the attacker's commands, Rbot downloads Nrgbot; Nrgbot in turn downloads Blazebot; and Blazebot downloads Rbot. Thus each IRC bot downloads another bot controlled by the same attacker, and the bots help each other keep the system permanently infected. Attackers use the Mutation Engine to generate new versions of the malicious programs, which complicates removing all three IRC bots from the compromised system at the same time.
Two C&C servers have been detected from which Nrgbot (channel #nrz#), Rbot (channel #fkyou#) and Blazebot (channel ##TBT) receive commands; all bots also auto-join the "#Security-Check" channel:
178.33.232.15
146.82.5.222
Using the IRC client mIRC connected to the C&C servers, it is possible to track the current commands the bots receive. When this description was created, the same commands were received from both servers:


When this description was created, a link to download a module for generating bitcoins was received in the "#Security-Check" channel.
Below is a scheme of how the bots work:

Removal Recommendations
- Follow recommendations to remove Nrgbot and Blazebot without restarting PC.
- Delete parameters of the registry keys ("How to Work with System Registry"):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "%System%\<rnd>.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "<rnd>.exe"
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "<rnd>.exe"
[HKLM\Software\Microsoft\yOLE]
"Supports RAS Connections" = "<rnd>.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "%System%\<rnd>.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "<rnd>.exe"
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "<rnd>.exe"
[HKCU\Software\Microsoft\yOLE]
"Supports RAS Connections" = "<rnd>.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\system\critical\antivirus.bat"
- Reboot the computer.
- Delete the following files:
%System%\<rnd>.exe
%WinDir%\system.exe
%AppData%\<rnd2>.exe
%WinDir%\system\critical\btc.il
%WinDir%\system\critical\phatk.ptx
%WinDir%\system\critical\phatk.cl
%WinDir%\system\critical\system.exe
%WinDir%\system\critical\usft_ext.dll
%WinDir%\system\critical\btc-evergreen.il
%WinDir%\system\critical\antivirus.bat
%WinDir%\system\critical\miner.dll
%WinDir%\system\critical\guicomp.dll
%WinDir%\system\critical\sys.bat
%WinDir%\system\critical\nircmd.exe
%WinDir%\system\critical\coinutil.dll
- Delete the original malware file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
- Clean the Temporary Internet Files folder, which contains infected files ("How to clean Temporary Internet Files folder").
- Run a full scan of your computer using the Antivirus program with the updated definition database ("Download Ad-Aware Free").