BKDR_KELIHOS.KLP

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops and executes the following files:

• %Desktop%\tmp.exe

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
NetworkInformer = "{malware path and file name}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Request spam email messages structure and template
• Send spam email messages
• Send stolen information
• Get operating system information
• Get drive information
• List running processes
• Download and execute arbitrary files
• Update server with a list of compromised computers
• Manage registry
• Download updated copy of itself

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {random IP addresses}

Information Theft

This backdoor gathers the following data:

• Network traffic information
• Login credentials from FTP, POP3 and SMTP traffic
• Bitcoins

It attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32bit FTP
• 3DFTP
• ALFTP
• BitKinex
• Blaze
• BulletProof
• Classic FTP
• CoffeeCup
• Core FTP
• CuteFTP
• CyberDuck
• Deluxe
• Directory Opus
• ExpanDrive
• FFFTP
• FileZilla
• FlashFXP
• FreeFTP/DirectFTP
• Frigate3
• FTP Control
• FTP Explorer
• FTPGetter
• FTPRush
• Global Downloader
• IE
• LeapFTP
• Leech
• Linas
• MyFTP
• NetDrive
• NetFile
• Nexus
• Notepad++
• NovaFTP
• Putty
• Robo
• SecureFX
• Sherrod
• SmartFTP
• SoftX FTP Client
• Staff
• TFTPInfo
• Total Commander
• TurboFTP
• WebDrive
• WebSitePublisher
• Whisper/Surfer
• WinSCP
• WISE
• XFTP

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• Server Name
• User Name
• Password
• Directory
• Port

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Bromium
• ChromePlus
• Chromium
• Comodo
• CoolNovo
• Epic Browser
• Flock Browser
• Google Chrome
• K-Meleon
• Mozilla Firefox
• MozSuite
• Nichrome
• RockMelt
• SeaMonkey
• Yandex

NOTES:

This backdoor modifies its file attributes to Read-only and Hidden after execution.

The auto-run registry, {random parameter 1} can be any of the following:

• Network
• Time
• CrashReport
• Database
• Icon
• Desktop
• Tray
• Video
• Media

The auto-run registry, {random parameter 2} can be any of the following:

• Checker
• Informer
• Notifyer
• Saver
• Updater
• Verifyer
• For example:
• NetworkVerifyer
• TrayNotifyer
• CrashReportUpdater

This backdoor uses peer-to-peer (P2) network communication to get the IP addresses to use then it adds the following web sources:

• file.htm
• main.htm
• install.htm
• setup.htm
• search.htm
• default.htm
• online.htm
• start.htm
• login.htm
• welcome.htm
• home.htm
• index.htm

It saves its updated copy using the following file names:

• acrord32
• agent
• alg
• ati2evxx
• avguard
• bar
• batch
• block
• ccapp
• ccevtmgr
• ccsetmgr
• convert
• decompile
• defwatch
• dit
• download
• dwm
• edit
• em_exec
• explorer
• extract
• ezsp_px
• fire
• fix
• fox
• gearsec
• hkcmd
• hkcr
• htpatch
• ielowutil
• ieuser
• iexplore
• igfxtray
• isuspm
• java
• jqs
• jucheck
• jusched
• khalmnpr
• klwtblfs
• lame
• launch
• lsass
• lucoms
• mac
• mcshield
• mcvsescn
• msascui
• mscorsvw
• mspmspsv
• naprdmgr
• navapsvc
• nprotect
• ntvdm
• nvsvc32
• nvxdsync
• nwiz
• pctspk
• pdvddxsrv
• play
• point32
• qbw32
• qttask
• rename
• run
• rundll32
• services
• side
• smc
• spoolsv
• svchost
• taskman
• terraria
• toaster
• trustedinstaller
• unhide
• unpack
• unzip
• update
• upgrade
• uptime
• view
• vsmon
• webscanx
• winlogon
• wisptis
• wmpnetwk
• wmpnscfg
• xsd
• zcfgsvc
• zip
• zumodrive

The downloaded files' folder depends on the Download backdoor command.

It uses WinPcap, a legitimate and commonly used Windows packet capture library, to monitor the infected computer's network activities. It does this by dropping and installing the following non-malicious files:

• %System%\packet.dll
• %System%\wpcap.dll
• %System%\drivers\npf.sys

It exchanges encrypted messages with a remote server via HTTP protocol (TCP port 80). It uses the following crafted User-Agent when communicating with the remote host:

• Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/14.0 Opera/12.0
• Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00
• Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00
• Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14
• Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14
• Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
• Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; da-dk) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
• Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
• Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3
• Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
• Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
• Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
• Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; chromeframe/12.0.742.112)
• Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
• Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
• Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
• Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1)
• Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
• Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)
• Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)
• Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
• Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
• Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
• Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
• Mozilla/5.0 (Windows NT 5.0; rv:21.0) Gecko/20100101 Firefox/21.0
• Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
• Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0
• Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130401 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130328 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130330 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.2; rv:21.0) Gecko/20130326 Firefox/21.0
• Mozilla/5.0 (X11; Linux i686; rv:21.0) Gecko/20100101 Firefox/21.0
• Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
• Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0
• Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130405 Firefox/22.0
• Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
• Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1464.0 Safari/537.36
• Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36
• Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
• Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36
• Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)
• Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Acoo Browser 1.98.744; .NET CLR 3.5.30729)

This backdoor sends spam email messages using Simple Mail Transfer Protocol (SMTP) connection. It harvests email addresses from the affected computer's local drive.