BKDR_SYKIPOT
Aliases: Wkysol, Sykipot_gen
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The first SYKIPOT variants were spotted in 2007. These backdoors are usually dropped by other malware that exploits vulnerabilities.
SYKIPOT backdoors steal the following information and send it to their C&C server:
- Active network connections
- Adapter information
- System information (OS, processor, BIOS version, time zone, memory, etc.)
SYKIPOT has been implicated in targeted attacks. Its variants mask their connections to the suspected C&C servers; as the URLs listed below show, check-ins are made over HTTPS. The C&C servers are usually compromised web servers on which the attackers have placed proxies that relay the traffic onward.
TECHNICAL DETAILS
Installation
This backdoor drops the following files:
- %User Profile%\Local Settings\gtpretty.tmp
- %User Profile%\Local Settings\gdtpretty.tmp
- %User Profile%\Local Settings\ptpretty.tmp
- %User Profile%\Local Settings\pdtpretty.tmp
- %User Profile%\Local Settings\gthelp.tmp
- %User Profile%\Local Settings\gdthelp.tmp
- %User Profile%\Local Settings\pthelp.tmp
- %User Profile%\Local Settings\pdthelp.tmp
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It drops the following file(s)/component(s):
- %User Profile%\Local Settings\WSE4EF1.TMP
- %User Profile%\Local Settings\mshelp.tmp
It drops the following copies of itself into the affected system:
- %User Profile%\Local Settings\pretty.exe
- %User Profile%\Local Settings\help.exe
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
office = "%User Profile%\Local Settings\pretty.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
start = "%User Profile%\Local Settings\help.exe"
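The dropped files and the two Run values above are the host-side indicators of this backdoor. The following is an added example, not part of this entry or of any vendor tool: an offline triage script that parses a .reg export of the HKCU Run key plus a list of file paths collected from a suspect host, and flags anything matching the artifacts listed. The .reg text and file list are constructed samples; the user name "bob" and the confidence labels are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Artifact names from the entry above. Comparisons are case-insensitive
# because NTFS preserves case but does not distinguish it.
DROPPED_COPIES = {"pretty.exe", "help.exe"}
DROPPED_TEMP = {
    "gtpretty.tmp", "gdtpretty.tmp", "ptpretty.tmp", "pdtpretty.tmp",
    "gthelp.tmp", "gdthelp.tmp", "pthelp.tmp", "pdthelp.tmp",
    "wse4ef1.tmp", "mshelp.tmp",
}
RUN_VALUE_NAMES = {"office", "start"}

# A string value in a .reg export: "office"="C:\\Documents and Settings\\bob\\Local Settings\\pretty.exe"
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Return {value name: data} for the string values in an exported Run key.
    .reg files double every backslash, so the data is unescaped here."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values[m["name"]] = m["data"].replace("\\\\", "\\")
    return values


def in_local_settings(path):
    """True if the file sits directly in a user's 'Local Settings' folder,
    which is where every path in the entry points."""
    return PureWindowsPath(path).parent.name.lower() == "local settings"


def check_autostart(values):
    """Flag Run values whose name or target matches the entry. A matching
    target is strong evidence; a matching value name alone is weak."""
    findings = []
    for name, data in values.items():
        target = PureWindowsPath(data.strip('"'))
        target_hit = target.name.lower() in DROPPED_COPIES and in_local_settings(target)
        name_hit = name.lower() in RUN_VALUE_NAMES
        if target_hit or name_hit:
            findings.append({"value": name, "target": str(target),
                             "confidence": "high" if target_hit else "low"})
    return findings


def check_files(paths):
    """Return the paths whose basename and parent folder match a dropped file."""
    names = DROPPED_COPIES | DROPPED_TEMP
    return [p for p in paths
            if PureWindowsPath(p).name.lower() in names and in_local_settings(p)]


def triage(reg_export_text, file_paths):
    return {"autostart": check_autostart(parse_reg_export(reg_export_text)),
            "files": check_files(file_paths)}


# Constructed sample input (not from a real host). The .reg text is in the
# format that "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run" writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"office"="C:\\Documents and Settings\\bob\\Local Settings\\pretty.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_FILES = [
    r"C:\Documents and Settings\bob\Local Settings\pretty.exe",
    r"C:\Documents and Settings\bob\Local Settings\gtpretty.tmp",
    r"C:\Documents and Settings\bob\Local Settings\Temp\foo.tmp",
    r"C:\Users\bob\Downloads\help.exe",  # same name, wrong folder: not flagged
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_REG, SAMPLE_FILES))
```

The folder check matters: help.exe and pretty.exe are ordinary-looking names, so a hit is only meaningful when the file sits directly in Local Settings as the entry describes. The Run value names "office" and "start" are reported at low confidence on their own because a legitimate product could use them.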
Other Details
This backdoor connects to the following possibly malicious URL:
- https://www.{BLOCKED}her.com/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{ip address}-pretty20111122
- https://help.{BLOCKED}advocator.com/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{ip address}-help20110908
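The check-in URLs share a fixed path and "name" parameter while the domains differ, and the "hostname" parameter leaks the victim's computer name, IP address and an implant tag ("pretty" or "help", matching the dropped copies). The following is an added example, not part of this entry: a parser that keys on the stable parts of the URL, extracts those fields from constructed proxy log lines, and cross-checks the reported IP against the log's source address. The log lines, the placeholder domains c2-a.example and c2-b.example, and the reading of the trailing digits as a YYYYMMDD build date are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Stable parts of the check-in URL from the entry above: the domains vary
# (compromised web servers), so the path and the "name" parameter are the
# better detection keys.
BEACON_PATH = "/asp/kys_allow_get.asp"
BEACON_NAME = "getkys.kys"

# hostname={computer name}-{ip address}-{tag}{digits}; computer names may
# themselves contain hyphens, so the IPv4 literal is used as the anchor.
# Treating the trailing digits as a YYYYMMDD build date is an assumption,
# not something the entry states.
HOSTNAME_RE = re.compile(
    r"^(?P<computer>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<tag>[A-Za-z]+)(?P<build>\d*)$"
)
KNOWN_TAGS = {"pretty", "help"}  # match the dropped copies pretty.exe / help.exe


def parse_beacon(url):
    """Return the fields a SYKIPOT check-in URL leaks, or None if url is not one."""
    parts = urlsplit(url)
    if parts.path.lower() != BEACON_PATH:
        return None
    query = parse_qs(parts.query)
    if query.get("name", [""])[0].lower() != BEACON_NAME:
        return None
    raw = query.get("hostname", [""])[0]
    fields = {"c2_host": parts.hostname, "raw_hostname": raw, "computer": None,
              "victim_ip": None, "tag": None, "known_tag": False, "build_date": None}
    m = HOSTNAME_RE.match(raw)
    if not m:
        return fields  # still a beacon by path/name, just an unfamiliar hostname layout
    fields["computer"] = m["computer"]
    try:
        fields["victim_ip"] = str(ipaddress.IPv4Address(m["ip"]))
    except ValueError:
        pass  # e.g. an octet above 255; leave None rather than trust it
    fields["tag"] = m["tag"].lower()
    fields["known_tag"] = fields["tag"] in KNOWN_TAGS
    if len(m["build"]) == 8:
        try:
            fields["build_date"] = datetime.strptime(m["build"], "%Y%m%d").date().isoformat()
        except ValueError:
            pass
    return fields


def scan_log(text):
    """Scan 'timestamp client_ip method url status' lines; return one dict per beacon."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, _method, url, _status = line.split()
        beacon = parse_beacon(url)
        if beacon is None:
            continue
        beacon["timestamp"] = ts
        beacon["source_ip"] = client_ip
        # The implant reports its own IP; a mismatch with the log's source
        # usually means NAT between the host and the sensor, which matters
        # when you try to locate the victim machine.
        beacon["ip_matches_source"] = beacon["victim_ip"] == client_ip
        hits.append(beacon)
    return hits


# Constructed sample log (not real traffic); the domains are placeholders.
SAMPLE_LOG = """\
2011-11-30T09:14:02Z 10.1.2.3 GET https://c2-a.example/asp/kys_allow_get.asp?name=getkys.kys&hostname=WS-FINANCE-01-10.1.2.3-pretty20111122 200
2011-11-30T09:14:05Z 10.1.2.3 GET https://www.example.com/index.html 200
2011-11-30T09:15:11Z 10.1.2.9 GET https://c2-b.example/asp/kys_allow_get.asp?name=getkys.kys&hostname=LAPTOP7-10.1.2.9-help20110908 200
2011-11-30T09:16:40Z 10.1.2.9 GET https://c2-b.example/asp/kys_allow_get.asp?name=other.txt&hostname=x 404
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["timestamp"], hit["source_ip"], "->", hit["c2_host"],
              hit["computer"], hit["victim_ip"], hit["tag"], hit["build_date"])
```

One caveat a practitioner should keep in mind: the check-ins are made over HTTPS, so a forward proxy that does not terminate TLS records only a CONNECT to the domain and never sees the path or query string. Full-URL matching of this kind needs TLS inspection or host-level telemetry; otherwise the only network indicator is the (blocked) domain, which the attackers can change.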
NOTES: