GHOSTRAT
Aliases: Farfli, Palevo, Redosdru, KeyLogger, Swisyn
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
GHOSTRAT is a family of backdoors, or more accurately, remote administration tools (RATs), used to gain control of the computers it infects. It is associated with the GhostNet botnet.
It steals information by logging keystrokes. The information it steals is usually system-related, such as the operating system version and processor speed. All data is then sent back to C&C servers operated by GhostNet.
TECHNICAL DETAILS
Memory resident: Yes
Payload: Connects to URLs/IPs, Steals information
Installation
This backdoor drops the following file(s)/component(s):
- %System%\ctfmon1.exe
- %System%\360SP2.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe
- %Windows%\Ball.exe
- %Windows%\Temp\zk.exe
- %Windows%\XXXXXXD0F7D4A7\svchsot.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It creates the following folders:
- %Windows%\XXXXXXD0F7D4A7
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Ball = "%Windows%\Ball.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
XXXXXXD0F7D4A7 = "%Windows%\XXXXXXD0F7D4A7\svchsot.exe"
Other System Modifications
This backdoor adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\InfoTime
InfoTime = "{malware executed - yyyymmmdd}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ball
Group = "{characters}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MADMIN
NextInstance = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MADMIN\0000
Service = "Microsoft Madmin"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin
ImagePath = "%System%\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin
DisplayName = "Microsoft Device Manager"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin\Parameters
ServiceDll = "%System%\360SP2.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin\Security
Security = "{hex values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin\Enum
0 = "Root\LEGACY_MICROSOFT_MADMIN\0000"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\InfoTime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ball
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MADMIN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MADMIN\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin\Security
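The autostart entries and the svchost-hosted "Microsoft Madmin" service above are the artifacts a responder would sweep for first. The following Python script is an added example, not part of this description and not Trend Micro's tooling: it parses a simplified registry export (constructed here in the style of a reg export dump, with every value written as a plain quoted string rather than hex(2) data) and flags the Run values pointing at the documented dropped executables, the InfoTime marker key, and any service whose ServiceDll is the documented 360SP2.dll, reporting whether the owning service is hosted by svchost.exe. The file names and key paths come from this page; the sample dump, the benign OneDrive and Dnscache entries, and the rule names are assumptions made for the example.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample (not from a real host): a simplified export seeded with the
# GHOSTRAT entries documented above plus two benign entries the rules must ignore.
SAMPLE_REG_DUMP = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Ball"="C:\\Windows\\Ball.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XXXXXXD0F7D4A7"="C:\\Windows\\XXXXXXD0F7D4A7\\svchsot.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\InfoTime]
"InfoTime"="20100315"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin]
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k netsvcs"
"DisplayName"="Microsoft Device Manager"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Madmin\Parameters]
"ServiceDll"="C:\\Windows\\System32\\360SP2.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="C:\\Windows\\System32\\dnsrslvr.dll"
"""

# File names and marker key documented for this family (matched case-insensitively).
GHOSTRAT_AUTOSTART_EXES = {"ball.exe", "svchsot.exe", "zk.exe", "ctfmon1.exe"}
GHOSTRAT_SERVICE_DLLS = {"360sp2.dll"}
GHOSTRAT_MARKER_KEYS = {r"hkey_local_machine\system\infotime"}

KEY_LINE_RE = re.compile(r"^\[(.+)\]$")
VALUE_LINE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
PARAMS_KEY_RE = re.compile(r"^(.*\\services\\[^\\]+)\\parameters$", re.I)

Finding = Tuple[str, str, str, str]  # (rule, key path, value name, data)


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the simplified export into {key_path: {value_name: data}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        value = VALUE_LINE_RE.match(line)
        if value and current is not None:
            # Export format doubles backslashes inside string data; undo that.
            entries[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return entries


def exe_basename(command: str) -> str:
    """Lower-cased basename of the first token of a command line (quoted paths allowed)."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def find_ghostrat_indicators(entries: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the three rules derived from the documented installation routine."""
    findings: List[Finding] = []
    for key, values in entries.items():
        # Rule 1: the InfoTime marker key written at first execution.
        if key.lower() in GHOSTRAT_MARKER_KEYS:
            findings.append(("infotime-marker", key, "InfoTime", values.get("InfoTime", "")))
        # Rule 2: Run values that launch one of the dropped copies.
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if exe_basename(data) in GHOSTRAT_AUTOSTART_EXES:
                    findings.append(("dropped-file-autostart", key, name, data))
        # Rule 3: a service Parameters key whose ServiceDll is the dropped DLL;
        # look up the parent service to see whether svchost.exe hosts it.
        params = PARAMS_KEY_RE.match(key)
        if params and "ServiceDll" in values:
            dll = values["ServiceDll"]
            if ntpath.basename(dll).lower() in GHOSTRAT_SERVICE_DLLS:
                image = entries.get(params.group(1), {}).get("ImagePath", "")
                host = "svchost-hosted" if exe_basename(image) == "svchost.exe" else "other-host"
                findings.append(("hijacked-servicedll", key, f"ServiceDll ({host})", dll))
    return findings


if __name__ == "__main__":
    for rule, key, name, data in find_ghostrat_indicators(parse_reg_dump(SAMPLE_REG_DUMP)):
        print(f"{rule:24} {key}\\{name} = {data}")
```

On a live host the same rules can be run over the output of `reg export` for HKLM\SYSTEM and the two Run keys, once REG_EXPAND_SZ values have been decoded; keeping the rules keyed on basenames rather than full paths means the %Windows% and %System% expansions in this description do not need to be resolved first.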
Other Details
This backdoor connects to the following possibly malicious URLs:
- wxhdxx.{BLOCKED}2.org
- jinfo106.{BLOCKED}1.org
- jinfo106.{BLOCKED}ood.com
- jinfo106.{BLOCKED}k.com
- baobao52100.{BLOCKED}2.org
- {BLOCKED}.{BLOCKED}.161.101:100