PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

OTLARD variants, also known as GOOTKIT, are used primarily to compromise websites with malicious iframe code.

OTLARD performs the aforementioned routine by downloading command modules that contain the target website and its corresponding FTP credentials. The credentials are then used to infiltrate the website.

The OTLARD malware family is also known to drop rootkit components in order to hide its malicious components.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Compromises system security, Downloads files

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM
Randseed_1 = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM
Randseed_2 = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and filename} = "{malware path and filename}:Enabled:{malware filename}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}
ImagePath = "\SystemRoot\System32\drivers\{random}.sys"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Epoch
Epoch = "84"

(Note: The default value data of the said registry entry is 82.)

Dropping Routine

This Trojan drops the following files:

  • %System32\drivers\{random}.sys

Other Details

This Trojan connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.229.140
  • {BLOCKED}n.cc
  • {BLOCKED}0.org
  • {BLOCKED}8quoob8moh.com
  • {BLOCKED}us4nohshiy.com
  • {BLOCKED}eshacei2ae.com