BKDR_HACKDOOR.BB

This backdoor arrives as a file that exports the functions of other malware/grayware. It arrives as a component bundled with malware/grayware packages.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

It requires its main component to successfully perform its intended routine.

Arrival Details

This backdoor arrives as a file that exports the functions of other malware/grayware.

It arrives as a component bundled with malware/grayware packages.

Installation

This backdoor drops the following file(s)/component(s):

• %System%\drivers\dump_En.sys - deleted afterwards
• %System%\drivers\dump_.sys - deleted afterwards

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\SystemTime0
• Global\SystemTime2

Autostart Technique

This backdoor starts the following services:

• IPFILTERDRIVER
• dump_

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000\Control

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IpFilterDriver\Enum

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IpFilterDriver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\dump_

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000
Service = "IpFilterDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000
Legacy = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000
ConfigFlags = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000
ClassGUID = {GUID}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000\Control
NewlyCreated* = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_IPFILTERDRIVER\
0000\Control
ActiveService = "IpFilterDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\dump_
Type = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\dump_
Start = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\dump_
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\dump_
DisplayName = "dump_"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IpFilterDriver\Enum
0 = "Root\LEGACY_IPFILTERDRIVER\0000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IpFilterDriver\Enum
Count = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IpFilterDriver\Enum
NextInstance = "1"

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Manage Files (Search, Execute, Delete, Copy, Move)
• Manage Registries (Search, Delete, Create)
• Manage Processes (Open, Terminate)
• Manage Services (Query, Start)
• Manage Windows
• Manage Directories
• Shut Down Computer
• Download Files

Download Routine

This backdoor downloads a possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the parameter passed on to it by its components.

Information Theft

This backdoor gathers the following data:

• OS Version
• Host Name
• Computer Name
• IP Address

Other Details

This backdoor requires its main component to successfully perform its intended routine.

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.