CYCBOT
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
CYCBOT is a family of backdoors that emerged in early 2011. These backdoors arrive on a system as files dropped by other malware or are unknowingly downloaded by users visiting malicious sites.
These backdoors are known primarily as for-profit malware: they hijack search engine results and redirect users to malicious websites that display ads and host other malware. The proxy settings they write (ProxyServer = "http=127.0.0.1:{random}" with ProxyEnable set to 1, see Other System Modifications) route the browser's HTTP traffic through a local port that the backdoor listens on, which is what makes the redirection possible. They also connect to remote servers to listen for and carry out commands sent by malicious users. Moreover, these backdoors terminate security-related processes they find running on the system and download FAKEAV variants.
CYCBOT malware are distributed via malicious pay-per-install (PPI) schemes: cybercriminals download the malware from PPI websites and set up servers that serve exploit kits, which in turn download the CYCBOT binary onto victims' systems. In July 2011, an affiliate network called Ready to Ride was seen distributing CYCBOT.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- %Application Data%\{random}.{random}
- %User Profile%\Application Data\Microsoft\stor.cfg
- %User Profile%\Application Data\{random}.{random}
- %User Profile%\Application Data\{random}\{random}.{random}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %Application Data%\Microsoft\conhost.exe
- %Application Data%\dwm.exe
- %Program Files%\LP\{random}\{random}.exe
- %Program Files%\{random}\lvvm.exe
- %User Profile%\Application Data\Microsoft\Windows\shell.exe
- %User Profile%\Application Data\Microsoft\conhost.exe
- %User Profile%\Application Data\Microsoft\svchost.exe
- %User Profile%\Application Data\{random}\{random}.exe
- %User Temp%\csrss.exe
- %User Temp%\dwm.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %Program Files%\LP
- %Program Files%\LP\{random}
- %Program Files%\{random}
- %User Profile%\Application Data\{random}
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
conhost = "%Application Data%\Microsoft\conhost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random}.exe = "%Program Files%\LP\{random}\{random}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
svchost = "%User Profile%\Application Data\Microsoft\svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
conhost = "%User Profile%\Application Data\Microsoft\conhost.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe, %Application Data%\dwm.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe,%User Profile%\Application Data\{random}\{random}.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe,%User Profile%\Application Data\Microsoft\Windows\shell.exe"
It modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "%User Temp%\csrss.exe"
(Note: The default value data of the said registry entry is {blank}.)
Other System Modifications
This Trojan adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyServer = "http=127.0.0.1:{random}"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyEnable = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\Current\Software\
Microsoft\windows\CurrentVersion\
Internet Settings
ProxyEnable = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_CONFIG\Software\Microsoft\
windows\CurrentVersion\Internet Settings
ProxyEnable = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender
DisableAntiSpyware = "1"
(Note: The default value data of the said registry entry is 0.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
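The dropped copies, autostart entries and proxy/Defender changes described under Installation, Autostart Technique and Other System Modifications can all be checked for offline from a registry export. The Python script below is an example added to this entry, not Trend Micro's tooling. It parses a .reg export (the format reg export writes) and flags Run values whose image borrows a Windows system-process name (conhost.exe, svchost.exe, csrss.exe, dwm.exe) from a location outside System32, a Winlogon Shell value with anything appended to explorer.exe, a non-blank Windows\load value, ProxyEnable=1 combined with a ProxyServer pointing at 127.0.0.1, DisableAntiSpyware=1, and a Services subtree with no wscsvc key. The export embedded in the script is constructed; the user name, drive letter and proxy port in it are placeholders.

```python
"""Offline triage of a Windows registry export for the CYCBOT indicators
listed in this entry.  Example code added here, not Trend Micro's tooling.
SAMPLE_REG is a constructed .reg export; the user name, drive letter and
proxy port in it are placeholders."""
import re
from typing import Dict, List

Registry = Dict[str, Dict[str, object]]   # key path -> {value name -> data}

# Constructed export covering the entries described above plus one benign
# Run value and one benign service, so the checks have something to ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"conhost"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\conhost.exe"
"VMware User Process"="C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Documents and Settings\\user\\Local Settings\\Application Data\\dwm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\csrss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:50370"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
'''

RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
WINDOWS = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
INET = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
DEFENDER = r"hkey_local_machine\software\microsoft\windows defender"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
# Names of real Windows processes that the dropped copies borrow; a binary with
# one of these names outside System32 is the masquerade to look for.
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "dwm.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")


def unescape_reg(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Registry:
    """Minimal .reg parser: REG_SZ and REG_DWORD only; keys and names lowercased."""
    reg: Registry = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue                       # header, blank line or unsupported type
        name = "" if m.group(1) == "@" else unescape_reg(m.group(1)[1:-1]).lower()
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            reg[key][name] = unescape_reg(data[1:-1])
        elif data.startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
    return reg


def image_path(cmd: str) -> str:
    """Executable path of a Run command, with quoting and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def masquerades(path: str) -> bool:
    """True for a system-process file name living outside System32."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def triage(reg: Registry) -> List[str]:
    findings: List[str] = []
    for k in RUN_KEYS:
        for name, data in reg.get(k, {}).items():
            if isinstance(data, str) and masquerades(image_path(data)):
                findings.append(f"run-key masquerade: {name} -> {data}")
    shell = reg.get(WINLOGON, {}).get("shell")
    if isinstance(shell, str):
        parts = [p.strip() for p in shell.split(",")]
        if parts[0].lower() != "explorer.exe" or any(parts[1:]):
            findings.append(f"winlogon shell hijack: {shell}")
    if reg.get(WINDOWS, {}).get("load"):                        # default is blank
        findings.append(f"windows\\load autostart: {reg[WINDOWS]['load']}")
    inet = reg.get(INET, {})
    proxy = str(inet.get("proxyserver", ""))
    if inet.get("proxyenable") == 1 and re.search(r"127\.0\.0\.1:\d+", proxy):
        findings.append(f"loopback proxy hijack: {proxy}")
    if reg.get(DEFENDER, {}).get("disableantispyware") == 1:
        findings.append("windows defender disabled: DisableAntiSpyware=1")
    # Only meaningful when the export actually contains the Services subtree.
    if any(k.startswith(SERVICES) for k in reg) and SERVICES + "wscsvc" not in reg:
        findings.append("security center service key (wscsvc) missing")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```

To run it against a real machine, replace SAMPLE_REG with the contents of the exports of HKLM and HKCU; reg export writes UTF-16 text, so open those files with encoding="utf-16". An HKCU-only export cannot produce the wscsvc finding, and the masquerade check is deliberately narrow: it does not catch the copies named shell.exe or lvvm.exe, which have to be found from the path lists above.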
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- {BLOCKED}youstudios.com
- {BLOCKED}khypnocrys.com
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}yourimage.com
- {BLOCKED}domaintolevel.com
- {BLOCKED}khypnocrys.com
- {BLOCKED}torepro.com
- {BLOCKED}orepro.com
- {BLOCKED}-sys.com
- {BLOCKED}bigtit.com
- {BLOCKED}iser.com
- {BLOCKED}astore.com
- {BLOCKED}orageforyou.com
- http://{BLOCKED}6.com/LB5000/CGI-BIN/s.cgi
- http://{BLOCKED}6.com/LB5000/CGI-BIN/topic.cgi
- http://{BLOCKED}6.com/lb5000/non-cgi/images/leoca.gif
- http://{BLOCKED}.{BLOCKED}l.qudeteyuj.cn/gbot/ss.cgi
- http://{BLOCKED}edating.com/images/attend_for_free/attend{number}.jpg
- http://{BLOCKED}edating.com/successStories.cgi
- http://{BLOCKED}cationalsoftware.com/creditcard.png
- http://{BLOCKED}cationalsoftware.com/creditcard2.png
- http://{BLOCKED}cationalsoftware.com/creditcardlogos.gif
- http://{BLOCKED}btech.com/images/133.jpg
- http://{BLOCKED}btech.com/images/134.jpg
- http://{BLOCKED}emonitoring.com/images/im133.jpg
- http://{BLOCKED}emonitoring.com/images/im13{number}.jpg
- http://{BLOCKED}sstore.com/images/im133.jpg
- http://{BLOCKED}sstore.com/images/im13{number}.jpg
- http://{BLOCKED}derwomen.com/images/im133.jpg
- http://{BLOCKED}mtonschools.org/images/297893.jpg
- http://{BLOCKED}mtonschools.org/images/297894.jpg
- http://{BLOCKED}mtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
- http://{BLOCKED}rartists.org/external/Banners/facebook.jpg
- http://{BLOCKED}rartists.org/external/Banners/facebook2.jpg
- http://{BLOCKED}linecatalog.com
- http://{BLOCKED}gsourcecodes.com
- http://{BLOCKED}n.{BLOCKED}ofdeception.com/logo.png
- http://{BLOCKED}n.{BLOCKED}ofdeception.com/wp-content/uploads/2011/06/frame6.png
- http://{BLOCKED}n.{BLOCKED}ofdeception.com/wp-content/uploads/2011/06/frame7.png
- http://{BLOCKED}upport.com/images/livechat.png
- http://{BLOCKED}upport.com/images/logo.png
- http://{BLOCKED}ianchat.net/images/christian12.jpg
- http://{BLOCKED}ianchat.net/images/christian13.jpg
- http://{BLOCKED}ianchat.net/images/christian14.jpg
- http://{BLOCKED}tteonlines.com
- http://{BLOCKED}intsboard.com/complaints/logo.png
- http://{BLOCKED}intsboard.com/complaints/rar.png
- http://{BLOCKED}ntsboard.com/complaints/zip.png
- http://{BLOCKED}eafdesign.com/blog/images/share/facebook.png
- http://{BLOCKED}eafdesign.com/blog/images/share/stumble.png
- http://{BLOCKED}cureonline.com
- http://{BLOCKED}udiodevice.com/images/im13{number}.jpg
- http://{BLOCKED}cscriptinstaller.com/pics/k5.jpg
- http://{BLOCKED}cscriptinstaller.com/pics/l2.jpg
- http://{BLOCKED}hiv.cn/g/p.php
- http://{BLOCKED}hiv.cn/g/t.php
- http://{BLOCKED}hiv.cn/gbot/ss.cgi
- http://{BLOCKED}o.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg
- http://{BLOCKED}atnow.com/1.gif
- http://{BLOCKED}atnow.com/2.gif
- http://{BLOCKED}nediconline.com
- http://{BLOCKED}wnload3.com/screenshot/4/s/89_3276.gif
- http://{BLOCKED}wnload3.com/screenshot/4/s/89_3277.gif
- http://{BLOCKED}wnload3.com/screenshot/4/s/89_3278.gif
- http://{BLOCKED}ilantispam.com
- http://{BLOCKED}linedatingtips.net/images/dating1.jpg
- http://{BLOCKED}tentsonline.com/images/pdf.jpg
- http://{BLOCKED}pmusiconline.com
- http://{BLOCKED}oisdb.com
- http://{BLOCKED}ar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1
- http://{BLOCKED}ar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2
- http://{BLOCKED}erbalteaonline.com/images/greenherbalteagirlholdingcup250.gif
- http://{BLOCKED}erbalteaonline.com/images/greenherbalteagirlholdingcup350.gif
- http://{BLOCKED}ylifenow.com/templates/7348/images/header_logo.jpg
- http://{BLOCKED}ylifenow.com/templates/7349/images/header_logo.jpg
- http://{BLOCKED}eeddbsearch.com
- http://{BLOCKED}eedinternetlosangeles.webnode.com/news/1.cgi
- http://{BLOCKED}eedinternetlosangeles.webnode.com/news/1.php
- http://{BLOCKED}eedinternetlosangeles.webnode.com/news/2.php
- http://{BLOCKED}ykillerpro.com/img/eslogo.gif
- http://{BLOCKED}dioz.com
- http://{BLOCKED}dandbarrett.com/images/footer/account.gif
- http://{BLOCKED}ndandbarrett.com/images/footer/account.jpg
- http://{BLOCKED}g.{BLOCKED}0.net/716/716354_m60.jpg
- http://{BLOCKED}g.{BLOCKED}0.net/716/716354_m61.jpg
- http://{BLOCKED}g.{BLOCKED}0.net/716/716354_m62.jpg
- http://{BLOCKED}analyst.com/12.jpg
- http://{BLOCKED}analyst.com/png/intel.gif
- http://{BLOCKED}analyst.com/png/intel.jpg
- http://{BLOCKED}segreenteaonline.com/assets/images/greentea-cha-1.gif
- http://{BLOCKED}segreenteaonline.com/assets/images/greentea-cha-2.gif
- http://{BLOCKED}enewworldorder.com/images/pages.jpg
- http://{BLOCKED}enewworldorder.com/images/pages.png
- http://{BLOCKED}wcounter.com/images/im133.jpg
- http://{BLOCKED}wcounter.com/images/im13{number}.jpg
- http://{BLOCKED}tcatalogs.com
- http://{BLOCKED}skopia.com
- http://{BLOCKED}atagent.com/img/footer_intel.gif
- http://{BLOCKED}atagent.com/img/footer_intel.jpg
- http://{BLOCKED}atinc.com/wp-content/images/cpc.jpg
- http://{BLOCKED}atinc.com/wp-content/images/cpc.png
- http://{BLOCKED}opaganda.net/blog/pics/3321.jpg
- http://{BLOCKED}opaganda.net/blog/pics/3322.jpg
- http://{BLOCKED}hoj.cn/gbot/r.php
- http://{BLOCKED}hoj.cn/gbot/sc.cgi
- http://{BLOCKED}hoj.cn/gbot/t.php
- http://{BLOCKED}peranimals.com/images/im133.jpg
- http://{BLOCKED}gamesonlines.com
- http://{BLOCKED}rom.at/polytheism/pictures/TanzenderShiva.jpg
- http://{BLOCKED}boardpoint.com/images/template/h.cgi
- http://{BLOCKED}boardpoint.com/images/template/header.jpg
- http://{BLOCKED}boardstest.com/images/im13{number}.jpg
- http://{BLOCKED}bestfriends.com/images/im133.jpg
- http://{BLOCKED}rchive.com/images/im13{number}.jpg
- http://{BLOCKED}sautoelectric.com/images/50-217-1_F_1_.jpg
- http://{BLOCKED}sautoelectric.com/images/50-217-1_F_2_.jpg
- http://{BLOCKED}ldorderreport.com/favicon.ico
- http://{BLOCKED}ldorderreport.com/img/3421.png
- http://{BLOCKED}ldorderreport.com/img/3422.png
- http://{BLOCKED}eyescat.com
- http://{BLOCKED}backuostore4you.com
- http://{BLOCKED}bizdirectory.com/images/PowerHideBanner.gif
- http://{BLOCKED}bizdirectory.com/images/PowerShowBanner.gif
- http://{BLOCKED}datingsecretfriends.com/images/im133.jpg
- http://{BLOCKED}datingsecretfriends.com/images/im134.jpg
- http://{BLOCKED}institute.com/g7/images/logo.jpg
- http://{BLOCKED}institute.com/g7/images/logo2.jpg
- http://{BLOCKED}institute.com/g7/images/logo3.jpg
- http://{BLOCKED}einstitute.com/g7/images/logo4.jpg
- http://{BLOCKED}genius.com/132.gif
- http://{BLOCKED}genius.com/133.gif
- http://{BLOCKED}genius.com/temp/head.png
- http://{BLOCKED}pro.com/images/logo-1.jpg
- http://{BLOCKED}ro.com/images/logo-2.jpg
- http://{BLOCKED}tyourpc-11.com/cgi-bin/cycle_report.cgi
- http://{BLOCKED}k.com/img/icons/facebook.png
- http://{BLOCKED}k.com/img/icons/twitter.png
- http://{BLOCKED}yuj.cn/gbot/r.php
- http://{BLOCKED}yuj.cn/gbot/sc.cgi
- http://{BLOCKED}yuj.cn/gbot/t.php
- http://{BLOCKED}ftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif
- http://{BLOCKED}ckonline.com
- http://{BLOCKED}aclubonline.com
- http://{BLOCKED}mywebconnection.com/images/im13{number}.jpg
- http://{BLOCKED}tekrck.com
- http://{BLOCKED}temilkandtee.com
- http://{BLOCKED}areconnection.com/im/s.cgi
- http://{BLOCKED}areconnection.com/images/ubar_0.jpg
- http://{BLOCKED}areconnectaion.com/images/ubar_1.jpg
- http://{BLOCKED}piderwomen.com/images/im133.jpg
- http://{BLOCKED}grammingshool.com
- http://{BLOCKED}driversonline.com/images/im133.jpg
- http://{BLOCKED}driversonline.com/images/im13{number}.jpg
- http://{BLOCKED}wos.cn/g/p.php
- http://{BLOCKED}wos.cn/g/t.php
- http://{BLOCKED}wos.cn/gbot/ss.cgi
- http://{BLOCKED}laucoma.org/images/lhous3.gif
- http://{BLOCKED}laucoma.org/images/lhous4.gif
- http://{BLOCKED}ookdatabseonline.com
- http://www.{BLOCKED}etsecure.com/images/ismerch.gif
- http://{BLOCKED}t.com.my/thelab/images/wiley.jpg
- http://{BLOCKED}n.cn/2010/10/10/20101010095345843723.jpg
- http://{BLOCKED}n.cn/2010/10/10/20101010095345843724.jpg
- http://{BLOCKED}ts.com/images/logo.png
- http://{BLOCKED}5.cn/jianfei/dier.jpg
- http://{BLOCKED}5.cn/jianfei/dier2.jpg
- http://{BLOCKED}k.com/images/im13{number}.jpg
- http://{BLOCKED}g.com/images/im133.jpg
- http://{BLOCKED}j.com/images/im133.jpg
- http://{BLOCKED}m.com/images/im13{number}.jpg
- {BLOCKED}youstudios.com
- {BLOCKED}pdahelpforyou.com
- {BLOCKED}reddomas.com
- {BLOCKED}meroster.com
- {BLOCKED}orefor.com
- {BLOCKED}ersakkonline.com
- {BLOCKED}iahosts.com
- {BLOCKED}ts.com
- {BLOCKED}azone.com
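The hostnames in the list above are masked, but the same handful of request paths recurs across many of them (/gbot/ss.cgi, /gbot/sc.cgi, /gbot/r.php, /gbot/t.php, /g/p.php, /g/t.php, /cgi-bin/cycle_report.cgi, and /images/im13{number}.jpg fetched from otherwise unrelated hosts), so a hunt through proxy logs can key on paths rather than domains. The Python script below is an example added to this entry, not Trend Micro's tooling. It classifies each request by path, groups hits per client, and reports clients that requested an indicator path from several distinct hosts, since one such path on one host may be coincidence while the same odd path on several hosts in one session is not. The log lines are constructed, in a simplified "time client method url status" layout that is an assumption rather than any real proxy's format; the example.com/net/org hosts are placeholders.

```python
"""Hunt proxy logs for the request paths that recur across the URL list in
this entry.  Example code added here, not Trend Micro's tooling.  The hosts in
the list are masked, so the hunt keys on URI paths rather than domains; the
log below is constructed, in a simplified 'time client method url status'
layout that is an assumption rather than any real proxy's format."""
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Paths copied verbatim from the list above: the hosts differ, the paths do not.
LISTED_PATHS = {
    "/gbot/ss.cgi", "/gbot/sc.cgi", "/gbot/r.php", "/gbot/t.php",
    "/g/p.php", "/g/t.php", "/cgi-bin/cycle_report.cgi",
}
# The same image name (im133.jpg, im134.jpg, ...) fetched from many unrelated hosts.
IM13X = re.compile(r"^/images/im13\d+\.jpg$", re.IGNORECASE)

# Constructed log: one client showing the pattern, two clients with a single hit.
SAMPLE_LOG = """\
2011-07-12T09:14:02Z 10.0.0.23 GET http://a.example.com/gbot/ss.cgi 200
2011-07-12T09:14:03Z 10.0.0.23 GET http://b.example.net/gbot/sc.cgi 200
2011-07-12T09:14:05Z 10.0.0.23 GET http://c.example.com/images/im133.jpg 200
2011-07-12T09:14:09Z 10.0.0.23 GET http://d.example.net/images/im134.jpg 200
2011-07-12T09:15:11Z 10.0.0.23 GET http://e.example.org/cgi-bin/cycle_report.cgi 200
2011-07-12T09:15:40Z 10.0.0.41 GET http://www.example.org/images/logo.png 200
2011-07-12T09:16:02Z 10.0.0.41 GET http://www.example.org/g/p.php 404
2011-07-12T09:16:30Z 10.0.0.57 GET http://intranet.example/gbot/ss.cgi?x=1 200
"""


def classify(url: str) -> str:
    """Which indicator the URL's path matches: 'listed-path', 'im13x-image' or ''."""
    path = urlsplit(url).path            # query string is ignored on purpose
    if path.lower() in LISTED_PATHS:
        return "listed-path"
    if IM13X.match(path):
        return "im13x-image"
    return ""


def hunt(log: str) -> Dict[str, Dict[str, Set[str]]]:
    """client -> indicator type -> set of hosts contacted with a matching path."""
    hits: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                     # malformed line in the constructed format
        _time, client, _method, url, _status = parts[:5]
        kind = classify(url)
        if kind:
            hits[client][kind].add(urlsplit(url).hostname or "")
    return hits


def suspicious_clients(log: str, min_hosts: int = 2) -> List[str]:
    """Clients that requested an indicator path from at least min_hosts distinct
    hosts.  A single hit can be an unrelated site that really has /g/t.php; the
    same odd path on several hosts from one client rarely is."""
    return sorted(client for client, kinds in hunt(log).items()
                  if sum(len(hosts) for hosts in kinds.values()) >= min_hosts)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for client in suspicious_clients(SAMPLE_LOG):
        print(client, {kind: sorted(hosts) for kind, hosts in hits[client].items()})
```

Lower min_hosts to 1 to list every client with any hit when triaging a small network; on a large proxy the default threshold keeps sites that legitimately serve a file named /g/t.php or /images/im133.jpg from drowning the result.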