BKDR_PLUGX.DUKPZ

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

Installation

This backdoor adds the following processes:

• %Program Files%\Internet Explorer\iexplorer.exe
• %System%\svchost.exe

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{random}
• JNuhUYgFTsssssss

It injects codes into the following process(es):

• created iexplorer.exe
• created svchost.exe

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Copy, move, rename, delete files
• Create directories
• Create files
• Enumerate files
• Execute files
• Get drive information
• Get file information
• Open and modify files
• Log keystrokes and active window
• Enumerate TCP and UDP connections
• Enumerate network resources
• Set TCP connection state
• Lock workstation
• Log off user
• Restart/Reboot/Shutdown system
• Display a message box
• Perform port mapping
• Enumerate processes
• Get process information
• Terminate processes
• Enumerate registry keys
• Create registry keys
• Delete registry keys
• Copy registry keys
• Enumerate registry entries
• Modify registry entries
• Delete registry values
• Screen capture
• Delete services
• Enumerate services
• Get service information
• Modify services
• Start services
• Perform remote shell
• Host Telnet server
• Connect to a database server and execute SQL statement

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}roomimage.isasecret.com:443/{Hex Values}

However, as of this writing, the said sites are inaccessible.

Other Details

This backdoor requires the existence of the following files to properly run:

• {Current Malware Path}\FirefoxNotify.exe <- non-malicious, loads the dll component
• {Current Malware Path}\bz.stf <- malicious encrypted configuration, also detected as BKDR_PLUGX.DUKPZ

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.