POISONIVY

October 09, 2012
 ALIASES:

Poison, Inject, Darkmoon, Beasty, Injector

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

POISONIVY, also known as POISON, is a popular Remote Administration Tool (RAT) backdoor available in the underground market. It has been in circulation for years. In more recent times, this family of backdoors have been seen in targeted attacks.

Similar to ZEUS and SPYEYE, POISONIVY has a toolkit/builder which can be purchased or downloaded from the underground forums selling such tools. The builder can be customized to cater to the needs of its buyers. Its variants can be configured to the any or all of the following:

  • Capture screen, audio, and webcam

  • List active ports

  • Log keystrokes

  • Manage open windows

  • Manage passwords

  • Manage registry, processes, services, devices, and installed applications

  • Perform multiple simultaneous transfers

  • Perform remote shell

  • Relay server

  • Search files

  • Share servers

  • Update, restart, terminates itself

Most POISONIVY malware are capable of copying itself into Alternate Data Stream, avoiding detection.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This backdoor drops the following files:

  • %System Root%\asf
  • %Application Data%\2019\BG.bat.lnk
  • %Application Data%\2019\Pr0c3xp.lnk
  • %Application Data%\2019\Tcpview.lnk

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %Application Data%\2019\svchost .exe
  • %User Profile%\Local Settings\FastUserSwitchingCompatibility.exe
  • %System%\2019\svchost .exe
  • %User Startup%\wuauclt.exe
  • {malware path}\{malware name}.exe
  • %System%:netmansykey.exe - Alternate Data Stream (ADS) copy
  • %System%:sysfilevpn.exe - Alternate Data Stream (ADS) copy
  • %System%:GoogleLive.exe - Alternate Data Stream (ADS) copy
  • %System%:systemPErro.exe - Alternate Data Stream (ADS) copy
  • %System%:mcarmy.exe - Alternate Data Stream (ADS) copy
  • %System%:msfullcomen.exe - Alternate Data Stream (ADS) copy
  • %System%:msjbvpncon.exe - Alternate Data Stream (ADS) copy
  • %System%:mskeypro.exe - Alternate Data Stream (ADS) copy
  • %System%:mssendfull.exe - Alternate Data Stream (ADS) copy

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It creates the following folders:

  • %System Root%\dfed
  • %Application Data%\2019
  • %System%\2019

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
adobe = "{malware path}\{malware name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Google LiveUpdates = "%System%:GoogleLive.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
FastUserSwitchingCompatibility = "%User Profile%\Local Settings\FastUserSwitchingCompatibility.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{6E9647F9-B5DB-BD95-B627-79E92947CF09}
StubPath = "%System%:netmansykey.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{0082ABF9-9309-614B-C2DD-C00CC33A8073}
StubPath = "%System%:mssendfull.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9E41174A-B99F-F49D-5CD0-0EF87DF3A162}
StubPath = "%System%:msjbvpncon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{2580E7A2-880C-351F-B4DC-8320A4AB551C}
StubPath = "%System%:mskeypro.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{343F94C0-7BF8-95A0-9892-DE5C539F2AF8}
StubPath = "%System%:msfullcomen.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{180DA249-E241-D1EA-A5D6-E400EFEC204F}
StubPath = "%System%:mcarmy.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{014B0426-0DD3-D064-ED11-840B72A6498C
StubPath = "%System%:sysfilevpn.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{107D84CE-A965-12B5-A884-16BB63414DF0}
StubPath = "%System%:systemPErro.exe"

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
Recent File List

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
Settings

HKEY_CURRENT_USER\Software\ations

HKEY_CURRENT_USER\Software\ations\
Recent File List

HKEY_CURRENT_USER\Software\ations\
Settings

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders
Startup = "%System%\2019"

(Note: The default value data of the said registry entry is %User Startup%.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
User Shell Folders
Startup = "%System%\2019"

(Note: The default value data of the said registry entry is %User Startup%.)

Other Details

This backdoor connects to the following possibly malicious URL:

  • abianshabi.{BLOCKED}s.com
  • army.{BLOCKED}z.com
  • cs.{BLOCKED}k.com
  • endless.{BLOCKED}o.org
  • fbi.{BLOCKED}s.com
  • jp.{BLOCKED}n.com
  • owl.{BLOCKED}n.com
  • pansenes.{BLOCKED}2.org
  • send.{BLOCKED}00.com
  • teadaye.{BLOCKED}s.net
  • tibet.{BLOCKED}s.com
  • tw.{BLOCKED}arleft.com