POISONIVY
Poison, Inject, Darkmoon, Beasty, Injector
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
POISONIVY, also known as POISON, is a popular Remote Administration Tool (RAT) backdoor available in the underground market. It has been in circulation for years. In more recent times, this family of backdoors have been seen in targeted attacks.
Similar to ZEUS and SPYEYE, POISONIVY has a toolkit/builder which can be purchased or downloaded from the underground forums selling such tools. The builder can be customized to cater to the needs of its buyers. Its variants can be configured to the any or all of the following:
- Capture screen, audio, and webcam
- List active ports
- Log keystrokes
- Manage open windows
- Manage passwords
- Manage registry, processes, services, devices, and installed applications
- Perform multiple simultaneous transfers
- Perform remote shell
- Relay server
- Search files
- Share servers
- Update, restart, terminates itself
Most POISONIVY malware are capable of copying itself into Alternate Data Stream, avoiding detection.
TECHNICAL DETAILS
Installation
This backdoor drops the following files:
- %System Root%\asf
- %Application Data%\2019\BG.bat.lnk
- %Application Data%\2019\Pr0c3xp.lnk
- %Application Data%\2019\Tcpview.lnk
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %Application Data%\2019\svchost .exe
- %User Profile%\Local Settings\FastUserSwitchingCompatibility.exe
- %System%\2019\svchost .exe
- %User Startup%\wuauclt.exe
- {malware path}\{malware name}.exe
- %System%:netmansykey.exe - Alternate Data Stream (ADS) copy
- %System%:sysfilevpn.exe - Alternate Data Stream (ADS) copy
- %System%:GoogleLive.exe - Alternate Data Stream (ADS) copy
- %System%:systemPErro.exe - Alternate Data Stream (ADS) copy
- %System%:mcarmy.exe - Alternate Data Stream (ADS) copy
- %System%:msfullcomen.exe - Alternate Data Stream (ADS) copy
- %System%:msjbvpncon.exe - Alternate Data Stream (ADS) copy
- %System%:mskeypro.exe - Alternate Data Stream (ADS) copy
- %System%:mssendfull.exe - Alternate Data Stream (ADS) copy
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
It creates the following folders:
- %System Root%\dfed
- %Application Data%\2019
- %System%\2019
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
adobe = "{malware path}\{malware name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Google LiveUpdates = "%System%:GoogleLive.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
FastUserSwitchingCompatibility = "%User Profile%\Local Settings\FastUserSwitchingCompatibility.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{6E9647F9-B5DB-BD95-B627-79E92947CF09}
StubPath = "%System%:netmansykey.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{0082ABF9-9309-614B-C2DD-C00CC33A8073}
StubPath = "%System%:mssendfull.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9E41174A-B99F-F49D-5CD0-0EF87DF3A162}
StubPath = "%System%:msjbvpncon.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{2580E7A2-880C-351F-B4DC-8320A4AB551C}
StubPath = "%System%:mskeypro.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{343F94C0-7BF8-95A0-9892-DE5C539F2AF8}
StubPath = "%System%:msfullcomen.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{180DA249-E241-D1EA-A5D6-E400EFEC204F}
StubPath = "%System%:mcarmy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{014B0426-0DD3-D064-ED11-840B72A6498C
StubPath = "%System%:sysfilevpn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{107D84CE-A965-12B5-A884-16BB63414DF0}
StubPath = "%System%:systemPErro.exe"
Other System Modifications
This backdoor adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
Recent File List
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
Settings
HKEY_CURRENT_USER\Software\ations
HKEY_CURRENT_USER\Software\ations\
Recent File List
HKEY_CURRENT_USER\Software\ations\
Settings
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders
Startup = "%System%\2019"
(Note: The default value data of the said registry entry is %User Startup%.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
User Shell Folders
Startup = "%System%\2019"
(Note: The default value data of the said registry entry is %User Startup%.)
Other Details
This backdoor connects to the following possibly malicious URL:
- abianshabi.{BLOCKED}s.com
- army.{BLOCKED}z.com
- cs.{BLOCKED}k.com
- endless.{BLOCKED}o.org
- fbi.{BLOCKED}s.com
- jp.{BLOCKED}n.com
- owl.{BLOCKED}n.com
- pansenes.{BLOCKED}2.org
- send.{BLOCKED}00.com
- teadaye.{BLOCKED}s.net
- tibet.{BLOCKED}s.com
- tw.{BLOCKED}arleft.com