ALIASES:

Kuluoz, Fakeavlock, Zortob

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

KULUOZ is part of a well-known botnet and was first seen in the wild around April to June 2012. Most KULUOZ samples are disguised as .TXT or .DOC files to make them appear legitimate.

Upon execution, it opens the dropped non-malicious .TXT file in order to hide its malicious routines from the user.

This malware also communicates to its command-and-control (C&C) server to send and receive information and commands.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Drops files

Installation

This backdoor drops the following files:

  • {Malware Path and Filename}.txt

It drops the following copies of itself into the affected system:

  • %Application Data%\{random}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following processes:

  • Svchost.exe

It injects code into the following process(es):

  • svchost.exe (the instance it created)

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\SOFTWARE\{random}

It adds the following registry entries:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random} = "%Application Data%\{random}.exe"

HKEY_CURRENT_USER\SOFTWARE\{random}
{random} = "{hex values}"
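The persistence described above is a Run entry whose value is an .exe dropped directly into the roaming Application Data root. The following is an added example, not code from the advisory or its vendor, showing how an analyst can parse `reg query` output for that key and flag such entries. The sample output is constructed for illustration; the value name `bqxzrtkn` and the paths in it are invented, and the heuristic (executable directly under `AppData\Roaming` or `Application Data`, with the value name equal to the file name) is an assumption based on the behaviour this page documents rather than a vendor signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\...\Run` output (not taken from the advisory).
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Spotify    REG_SZ    C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe --minimized
    bqxzrtkn    REG_SZ    C:\Users\alice\AppData\Roaming\bqxzrtkn.exe
"""

# One value line of `reg query` output: indented name, type, data.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+?)\s*$")

# Parent directory is exactly the roaming profile root (Vista+ or 2000/XP/2003 layout).
APPDATA_ROOT_RE = re.compile(r"(?:\\AppData\\Roaming|\\Application Data)$", re.IGNORECASE)


def extract_exe_path(value):
    """Return the executable path from a Run-key command line, quoted or not."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    # Unquoted: the path ends at the first ".exe" token; arguments may follow.
    m = re.match(r"(.+?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def parse_run_entries(text):
    """Yield (value name, data) pairs from `reg query` style output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("value")))
    return entries


def find_appdata_root_autoruns(text):
    """Flag Run entries whose target .exe sits directly in the roaming
    Application Data root, the drop location this advisory describes."""
    hits = []
    for name, value in parse_run_entries(text):
        path = PureWindowsPath(extract_exe_path(value))
        if path.suffix.lower() != ".exe":
            continue
        if APPDATA_ROOT_RE.search(str(path.parent)):
            hits.append({
                "name": name,
                "path": str(path),
                # KULUOZ uses the same {random} token for value name and file name.
                "name_matches_file": name.lower() == path.stem.lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_appdata_root_autoruns(SAMPLE_RUN_KEY):
        print(hit)
```

Legitimate software normally installs into a subfolder of the roaming profile (as the constructed `Spotify` entry does), so an executable sitting in the root itself is worth a look even when the name does not match; the `name_matches_file` flag is the extra KULUOZ-shaped indicator. Run `reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` on the host and feed its output to `find_appdata_root_autoruns` instead of the sample.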

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • idl - Sleep / idle
  • run - Download and execute an arbitrary file
  • rem - Uninstall itself
  • rdl - Update the copy of injected code in svchost.exe and store encrypted code in the registry
  • upd - Update the copy of the main malware
  • red - Check the latest malware version

Other Details

This backdoor connects to the following possibly malicious URLs:

  • http://{BLOCKED}.{BLOCKED}.66.217:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.16.68:60000/{generated value}
  • http://{BLOCKED}.{BLOCKED}.203.58:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.103.54:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.156.180:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.132.24:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.224.202:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.112.7:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.63.194:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.178.174:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.131.132:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.189.234:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.241.208:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.60.166:60000/{generated value}
  • http://{BLOCKED}.{BLOCKED}.145.174:6667/{generated value}
  • http://{BLOCKED}.{BLOCKED}.10.68:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.220.148:60000/{generated value}
  • http://{BLOCKED}.{BLOCKED}.81.166:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.115.171:60000/{generated value}
  • http://{BLOCKED}.{BLOCKED}.49.145:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.248.152:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.204.228:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.159.166:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.22.146:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.22.38:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.50.161:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.89.231:8080/{generated value}
  • http://{BLOCKED}.{BLOCKED}.20.202:8080/{generated value}

It deletes itself after execution.
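Every C&C URL listed above has the same shape: plain HTTP to a literal IP address on port 8080, 60000 or 6667, with a single generated path token. The following is an added example, not code from the advisory or its vendor, showing a hunt over proxy logs for that shape. The log lines are constructed (timestamp, client, method, URL, status; the addresses are documentation ranges, not the blocked addresses above), and the "literal IP plus C2 port plus one opaque path segment" rule is an assumption derived from the list on this page, not a vendor signature.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp client method url status (not real traffic).
SAMPLE_LOG = """\
1340000001.123 10.0.0.5 GET http://www.example.com/index.html 200
1340000002.456 10.0.0.5 POST http://203.0.113.17:8080/a9f3c1d2e4 200
1340000003.789 10.0.0.9 GET http://198.51.100.4:60000/ 200
1340000004.012 10.0.0.9 GET http://198.51.100.4:60000/Zq81kd 200
1340000005.345 10.0.0.12 GET http://203.0.113.200:8080/ 404
1340000006.678 10.0.0.12 CONNECT 192.0.2.10:443 200
"""

# Ports that appear in the advisory's C&C URL list.
C2_PORTS = {8080, 60000, 6667}


def is_literal_ip(host):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_kuluoz_beacon(url):
    """True for http://<literal IP>:<C2 port>/<single opaque segment>."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    if not is_literal_ip(parts.hostname):
        return False
    try:
        port = parts.port
    except ValueError:
        return False
    if port not in C2_PORTS:
        return False
    segments = [s for s in parts.path.split("/") if s]
    # One generated token and no file extension; "/" alone or "/x.php" do not match.
    return len(segments) == 1 and "." not in segments[0]


def find_beacons(log_text):
    """Return (client, url) pairs for requests matching the C&C pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        if looks_like_kuluoz_beacon(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

Direct-to-IP HTTP on these ports is not unique to this family, so treat a match as a lead to correlate with the host-side indicators on this page (a freshly created svchost.exe and a Run entry pointing into the Application Data root) rather than as a verdict on its own.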