BKDR_TOFSEE.YFY

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops and executes the following files:

• %User Temp%\{random number}.bat ← used to delete itself; deleted after execution
• %User Profile%\{random filename}.exe ← detected as Mal_BigTof

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following processes:

• svchost.exe

It injects codes into the following process(es):

• created svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MSConfig = "%User Profile%\{random filename}.exe"

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
DeviceControl
DevData0 = "{hex values}" ← used to save its config data

HKEY_CURRENT_USER\Software\Microsoft\
DeviceControl
DevData1 = "{hex values}" ← used to save its config data

HKEY_CURRENT_USER\Software\Microsoft\
DeviceControl
DevData2 = "{hex values}" ← used to save its config data

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{hex values}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• download spam template (urls, name, subject)
• send spam mails to the following mail servers:
  • mail.ru
  • google.com
  • yahoo.com
  • hotmail.com
  • aol.com
  • protection.outlook.com
• download and execute either of the following plugins:
  • plg_antibot
  • plg_ddos
  • plg_locs
  • plg_miner
  • plg_protect
  • plg_proxy
  • plg_smtp
  • plg_sniff
  • plg_spread1
  • plg_spread2
  • plg_sys
  • plg_text
  • plg_webb
  • plg_webm
• gathered and used email credentials from the following browsers, FTPs and email clients in sending messages

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}bgddtyh.biz
• {BLOCKED}hbyrukl.ch
• {BLOCKED}.{BLOCKED}.193.238
• {BLOCKED}.{BLOCKED}.146.217.143
• {BLOCKED}.{BLOCKED}.113.149
• {BLOCKED}.{BLOCKED}.132.183
• {BLOCKED}.{BLOCKED}0.208
• {BLOCKED}.{BLOCKED}.107.90
• {BLOCKED}.{BLOCKED}.82.36
• {BLOCKED}.{BLOCKED}.7.42
• {BLOCKED}.{BLOCKED}.101.121

Information Theft

This backdoor attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32BitFtp
• 3D-FTP
• AceBIT
• BitKinex
• BlazeFtp
• Bullet Proof FTP
• CoffeeCup
• Cryer WebSitePublisher
• Cyberduck
• Far Manager\Far2\Far
• FastTrack
• FileZilla Client
• FlashFXP 3
• FlashFXP 4
• FlashPeak BlazeFtp
• FreshFTP
• Frigate3
• FTP Commander
• FTP CONTROL
• FTP Explorer
• FTP Navigator
• FTP Now
• FTP++
• FTPClient
• FTPCON
• FTPGetter
• FTPInfo
• FTPRush
• FTPVoyager
• FTPWare COREFTP
• Ghisler Total Commander
• Ghisler Windows Commander
• Global Downloader
• GlobalSCAPE CuteFTP
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GlobalSCAPE CuteFTP Lite
• GlobalSCAPE CuteFTP Pro
• GoFTP
• GPSoftware Directory Opus
• INSoftware NovaFTP
• Ipswitch WS_FTP
• LeapWare LeapFTP
• LeechFTP
• LinasFTP
• Martin Prikryl WinSCP
• MAS-Soft FTPInfo
• My FTP
• NCH Software ClassicFTP
• NCH Software Fling
• NetDrive
• NetSarang
• NexusFile
• Nico Mak Computing WinZip FTP
• Notepad++\NppFTP
• RhinoSoft
• Robo-FTP 3.7
• SimonTatham PuTTY
• SiteDesigner
• SmartFTP
• SoftX
• Sota FFFTP
• Staff-FTP
• TurboFTP
• UltraFXP
• VanDyke SecureFX
• Visicom Media
• WebDrive
• WinFTP

It attempts to steal stored email credentials from the following:

• RimArts
• Microsoft Outlook
• Pocomail
• IncrediMail
• The Bat! by RITLabs.
• Windows Live Mail
• Windows Mail

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Bromium
• ChromePlus
• Chromium
• Comodo
• Epic
• FastStone Browser
• Google Chrome
• K-Meleon
• Microsoft Internet Explorer
• Mozilla Firefox
• Mozilla SeaMonkey
• Mozilla Thunderbird
• Nicrome
• Opera Software
• RockMelt
• Yandex

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• microsoft.com
• yahoo.com
• google.com
• mail.ru

It deletes itself after execution.

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.