BKDR_SIMDA
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. It also executes backdoor commands, compromising the security of the infected systems. The following are the backdoor commands executed by SIMDA variants:
- Disable operating system by modifying or deleting system files
- Activate/deactivate itself
- Inject scripts to a visited webpage
- Disable the infected system by deleting critical registry keys
- Download and execute arbitrary files
- Download updated configuration file
- Upload files
- Run or terminate applications
- Delete files
- Modify system settings
- Steal certificates
Another notable behavior of SIMDA is its ability to terminate itself when executed in a virtual environment. It also terminates antivirus-related processes to avoid detection and removal. In addition, it logs on to the infected system as administrator using a list of passwords.
TECHNICAL DETAILS
Installation
This backdoor drops the following copies of itself into the affected system:
- %Windows%\AppPatch\{random}.exe
- %Windows%\AppPatch\{random}.dat
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
b0b2d6e3 = "%Windows%\apppatch\{random}.dat"
It modifies the following registry entries to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %Windows%\apppatch\{random}.exe,"
(Note: The default value data of the said registry entry is %System%\userinit.exe, including the trailing comma.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %Windows%\AppPatch\{random}.dat,"
(Note: The default value data of the said registry entry is %System%\userinit.exe, including the trailing comma.)
Other System Modifications
This backdoor adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
b0b2d6e3 = "{characters}"
It creates the following registry entry to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:Windows Explorer"
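Two triage checks for the persistence and firewall changes listed above, as an added example (not code from the original entry): one flags Userinit entries beyond the stock userinit.exe, the other flags AuthorizedApplications entries whose display label does not match the executable they authorize. The registry values are passed in as strings (constructed samples in the comments and test), so on a live host they would first be read with winreg; the KNOWN_LABELS table is an assumed minimal mapping.

```python
from typing import Dict, List

# Directories from which Winlogon legitimately loads userinit.exe; the default
# value data on Windows 2000/XP/2003 is "%System%\userinit.exe," (one entry).
USERINIT_DIRS = {"%system%", "system32"}

# Display labels a planted firewall entry may borrow, mapped to the binary the
# label really belongs to. Assumed minimal table for this example.
KNOWN_LABELS = {"windows explorer": "explorer.exe"}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit data into its non-empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def userinit_anomalies(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe.

    Winlogon runs each listed path at logon, so an extra entry (SIMDA appends
    its AppPatch copy) is a persistence hook. A file merely named userinit.exe
    outside %System% is flagged too."""
    flagged = []
    for entry in parse_userinit(value):
        parts = entry.lower().replace("/", "\\").split("\\")
        name = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        if name != "userinit.exe" or parent not in USERINIT_DIRS:
            flagged.append(entry)
    return flagged


def firewall_anomalies(entries: Dict[str, str]) -> List[str]:
    """entries maps value name -> data under the AuthorizedApplications List key.

    Data has the form "<path>:<scope>:<Enabled|Disabled>:<label>". An Enabled
    entry is flagged when the value name differs from the path in its data, the
    path lives under AppPatch, or the label names a known binary the path does
    not match (SIMDA labels its own executable "Windows Explorer")."""
    flagged = []
    for value_name, data in entries.items():
        fields = data.rsplit(":", 3)  # rsplit keeps the drive-letter colon in path
        if len(fields) != 4 or fields[2].lower() != "enabled":
            continue
        path, _scope, _state, label = fields
        exe = path.lower().split("\\")[-1]
        expected = KNOWN_LABELS.get(label.strip().lower())
        if (value_name.lower() != path.lower()
                or "\\apppatch\\" in path.lower()
                or (expected is not None and exe != expected)):
            flagged.append(value_name)
    return flagged
```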
Dropping Routine
This backdoor drops the following files:
- %User Profile%\Application Data\b0b2d761a
- %User Profile%\Application Data\B0B2D7A3a
- %User Profile%\Application Data\{random}
- %User Profile%\Application Data\{random1}
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{random}.com/login.php