BKDR_RUNAGRY


 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

RUNAGRY is a backdoor with typical backdoor capabilities such as downloading arbitrary files and executing remote shell commands. However, it focuses on advertising for profit by installing browser helper objects (BHOs), which are commonly used by adware. As a result, users may experience unwanted pop-up advertisements and URL redirections.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Steals information

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Default} = "{Malware Path and File name}"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{Default} = "{Malware Path and File name}"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\{random}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{random}
lld = "{Date of Infection}"
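The two registry artifacts described above (a Run key whose (Default) value is set, and an HKCU\Software\{random} key holding an lld value) can be audited with the following read-only triage script. It is an added example, not part of the original report; the key paths come from the report, the output layout is the script's own.

```powershell
# Added triage script (not from the report). Read-only: it reports findings,
# it does not delete anything.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Legitimate autostart entries are named values; the (Default) value of a
    # Run key is normally unset. A non-empty (Default) pointing at a file
    # matches the persistence described in the report.
    $default = (Get-Item $key).GetValue('')
    if ($default) {
        $findings += [pscustomobject]@{
            Indicator = 'Run key (Default) value set'
            Location  = $key
            Data      = $default
        }
    }
}

# HKCU\Software\{random} carrying an 'lld' value (date of infection).
# A key whose only value is 'lld' is the strongest match; any key carrying
# 'lld' is still reported for analyst review.
foreach ($sub in Get-ChildItem 'HKCU:\Software' -ErrorAction SilentlyContinue) {
    $names = @($sub.GetValueNames())
    if ($names -contains 'lld') {
        $label = "Key with 'lld' value"
        if ($names.Count -eq 1) { $label = "Key with only 'lld' value" }
        $findings += [pscustomobject]@{
            Indicator = $label
            Location  = $sub.Name
            Data      = $sub.GetValue('lld')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No RUNAGRY-style registry artifacts found.' }
```

Run it in an elevated session so the HKLM Run key is readable; a hit on the (Default) value should be confirmed by inspecting the referenced file before acting on it.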

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Access sites or redirect to other sites
  • Delete Browser Helper Object (BHO)
  • Download and execute arbitrary files
  • Extract files
  • Manage files/directories
  • Perform shell commands
  • Register Browser Helper Object (BHO)

Information Theft

This backdoor injects itself into the following web browsers to monitor searches made by the user on the following search engines:

  • http://kr.altavista.com/web/results?
  • http://kr.search.yahoo.com/search?
  • http://kr.yahoo.com
  • http://search.11st.co.kr/searchprdaction.tmall?
  • http://search.daum.net/search?
  • http://search.msn.co.kr/results.aspx?
  • http://sp3.yousee.com
  • http://www.daum.net
  • http://www.google.co.kr/search?
  • http://www.microsoft.com

Other Details

This backdoor connects to the following websites to send and receive information:

  • http://stop.{BLOCKED}denerror.com/log{number}.php?cpid={value}
  • http://stop.{BLOCKED}denerror.com/gnome.php?cpid={value}
  • http://404.{BLOCKED}ebsitedatabase.com/gnome.php?cpid={value}
  • http://{BLOCKED}0.com