BKDR_SYKIPOT
Aliases: Wkysol, Sykipot_gen
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection channel: Downloaded from the Internet, Dropped by other malware
The first SYKIPOT variants were spotted in 2007. These backdoors are usually dropped by other malware that exploits vulnerabilities.
SYKIPOT backdoors steal the following information, which they send to their C&C server:
- Active network connections
- Adapter information
- System information (OS, processor, BIOS version, time zone, memory, etc.)
SYKIPOT has been implicated in targeted attacks. Its variants mask their connections to the real C&C servers: the servers the backdoor contacts are usually compromised web servers on which proxies have been placed.
TECHNICAL DETAILS
Memory resident: Yes
Payload: Connects to URLs/IPs, Steals information
Installation
This backdoor drops the following files:
- %User Profile%\Local Settings\gtpretty.tmp
- %User Profile%\Local Settings\gdtpretty.tmp
- %User Profile%\Local Settings\ptpretty.tmp
- %User Profile%\Local Settings\pdtpretty.tmp
- %User Profile%\Local Settings\gthelp.tmp
- %User Profile%\Local Settings\gdthelp.tmp
- %User Profile%\Local Settings\pthelp.tmp
- %User Profile%\Local Settings\pdthelp.tmp
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It drops the following file(s)/component(s):
- %User Profile%\Local Settings\WSE4EF1.TMP
- %User Profile%\Local Settings\mshelp.tmp
It drops the following copies of itself into the affected system:
- %User Profile%\Local Settings\pretty.exe
- %User Profile%\Local Settings\help.exe
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
office = "%User Profile%\Local Settings\pretty.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
start = "%User Profile%\Local Settings\help.exe"
Other Details
This backdoor connects to the following possibly malicious URLs:
- https://www.{BLOCKED}her.com/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{ip address}-pretty20111122
- https://help.{BLOCKED}advocator.com/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{ip address}-help20110908
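The indicators in this entry (the two Run values, the dropped file names under Local Settings, and the fixed `/asp/kys_allow_get.asp?name=getkys.kys&hostname=` check-in path) can be turned into a host and proxy-log triage check. The following Python is an added example written for this entry, not code from the original page or from Trend Micro. The registry values, file paths and proxy log lines it processes are constructed sample data, the `.invalid` host names stand in for the blocked C&C domains, and the function names are this example's own.

```python
import re
from typing import Iterable

# Indicators taken from the BKDR_SYKIPOT write-up. Everything else in this
# file (sample inputs, function names) is constructed for the example.

# Autostart values written under HKCU\...\Run: value name -> file name.
SYKIPOT_RUN_VALUES = {
    "office": "pretty.exe",
    "start": "help.exe",
}

# File names the backdoor drops under %User Profile%\Local Settings.
SYKIPOT_DROPPED_FILES = {
    "gtpretty.tmp", "gdtpretty.tmp", "ptpretty.tmp", "pdtpretty.tmp",
    "gthelp.tmp", "gdthelp.tmp", "pthelp.tmp", "pdthelp.tmp",
    "wse4ef1.tmp", "mshelp.tmp", "pretty.exe", "help.exe",
}

# The check-in path is the stable part of the C&C URL; the host names are
# blocked in the write-up, so the pattern deliberately ignores the host.
C2_PATH_RE = re.compile(
    r'/asp/kys_allow_get\.asp\?name=getkys\.kys&hostname=(?P<beacon>[^\s"]+)',
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    # Windows path: component after the last backslash or slash, lower-cased.
    return re.split(r"[\\/]", path.strip())[-1].lower()


def check_run_keys(run_values: dict) -> list:
    """Return (value name, data) pairs that match SYKIPOT's Run entries.

    run_values maps value names under HKCU\\...\\Run to their data, as a
    registry export or `reg query` listing would provide them.
    """
    hits = []
    for name, data in run_values.items():
        expected = SYKIPOT_RUN_VALUES.get(name.lower())
        command = data.strip('"')
        if expected and _basename(command) == expected and "local settings" in command.lower():
            hits.append((name, data))
    return hits


def check_dropped_files(paths: Iterable[str]) -> list:
    """Return paths that sit directly in a Local Settings folder and carry a known name."""
    hits = []
    for p in paths:
        parts = [x.lower() for x in re.split(r"[\\/]", p.strip()) if x]
        if len(parts) >= 2 and parts[-2] == "local settings" and parts[-1] in SYKIPOT_DROPPED_FILES:
            hits.append(p)
    return hits


def find_c2_requests(log_lines: Iterable[str]) -> list:
    """Return (line number, beacon) for log lines carrying the check-in URL.

    The beacon is the {computer name}-{ip address}-<tag> value the backdoor
    reports in the hostname= parameter.
    """
    hits = []
    for i, line in enumerate(log_lines, 1):
        m = C2_PATH_RE.search(line)
        if m:
            hits.append((i, m.group("beacon")))
    return hits


# Constructed sample data: one infected profile plus benign entries.
SAMPLE_RUN_VALUES = {
    "office": '"C:\\Documents and Settings\\alice\\Local Settings\\pretty.exe"',
    "start": "C:\\Documents and Settings\\alice\\Local Settings\\help.exe",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}
SAMPLE_PATHS = [
    "C:\\Documents and Settings\\alice\\Local Settings\\gtpretty.tmp",
    "C:\\Documents and Settings\\alice\\Local Settings\\Temp\\~DF1234.tmp",  # benign
    "C:\\Documents and Settings\\alice\\Local Settings\\WSE4EF1.TMP",
    "C:\\Users\\alice\\AppData\\Local\\help.exe",  # same name, different folder
]
SAMPLE_PROXY_LOG = [
    "1329840001.123 alice 10.0.0.5 CONNECT www.c2-example.invalid:443 200",
    "1329840002.456 alice 10.0.0.5 GET https://help.c2-example.invalid/asp/kys_allow_get.asp?name=getkys.kys&hostname=WS-ALICE-10.0.0.5-help20110908 200",
    "1329840003.789 bob 10.0.0.6 GET https://www.example.invalid/asp/help.asp?name=getkys.kys 200",
]


if __name__ == "__main__":
    print("Run key hits:", check_run_keys(SAMPLE_RUN_VALUES))
    print("Dropped file hits:", check_dropped_files(SAMPLE_PATHS))
    print("C&C check-ins:", find_c2_requests(SAMPLE_PROXY_LOG))
```

The proxy check only fires when the full request URL is logged. A proxy that merely records CONNECT tunnels to the C&C host (the first constructed line) sees the host name and port, not the `kys_allow_get.asp` path, so on such logs the Run-key and dropped-file checks are the usable indicators, and the C&C host names themselves have to come from a blocklist rather than from this pattern.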