Analysis by: Karl Dominguez
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This backdoor may be manually installed by a remote user. It is able to receive commands from said remote user.

When executed, it gathers information and downloads files. It also drops the malware BKDR_REDSIP.C onto affected systems, causing the routines of that backdoor to be exhibited.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: Varies
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 06 Jan 2011
Payload: Downloads files, Steals information

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:
It may be manuallly installed by a remote malicious user. This backdoor report covers the behavior of both the .EXE dropper and the dropped .DLL files. The .EXE file drops the following files:

  • %System%\Connect.dll - also detected as BKDR_REDSIP.B
  • %System%\Startup.dll - detected as BKDR_REDSIP.C

It creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\RAT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptHost

It creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\RAT
connect1 = {BLOCKED}chef.com
connect2 =
port = 25
install = %System%

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptHost
Type = 10
Start = 2
ErrorControl = 1
ImagePath = %System Root%\System32\svchost.exe -k CryptHost
ObjectName = LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
CryptHost\Parameters
ServiceDll = %System%\Startup.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\SvcHost
CryptHost = CryptHost

Upon completing the above-mentioned routines, this .EXE file starts the service CryptHost then proceeds to delete itself.

The following are the behavior of the .DLL also detected as BKDR_REDSIP.B:

It creates the following mutex:

...........

This .DLL reads data from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\RAT, which contains the following information as mentioned above:

  • Command and control (C&C) servers
  • Port where this backdoor listens
  • Install folder

It gathers the following information and saves it in the file, {folder where malware is installed}\HostID.DAT:

  • Computer name
  • User name
  • Operating system
  • Drive information
  • Processor information

It downloads additional files with the following file names from its C&C server:

  • PluginKeyboard.dll
  • PluginProcess.dll
  • PluginService.dll
  • PluginRegedit.dll
  • PluginCmd.dll
  • PluginScreen.dll
  • PluginFile.dll

It can also receive the following commands from its C&C server:

  • CMD_KEYBOARD
  • CMD_VIDEO
  • PLUGIN_INSTALL
  • PROCESS_ENUM
  • SERVICE_ENUM
  • CMD_REGEDIT
  • SHELL_CMD
  • CMD_UNINSTALL_HOST
  • CMD_CLOSE_HOST
  • CMD_Screen_Managers
  • CMD_RESET_HOST
  • CMD_File_Managers
  • CMD_File_FIND
  • CMD_SET_REM

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 7.750.05
FIRST VSAPI PATTERN DATE: 06 Jan 2011
VSAPI OPR PATTERN File: 7.751.00
VSAPI OPR PATTERN Date: 11 Feb 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by BKDR_REDSIP.B

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE
    • RAT
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • CryptHost

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    • CryptHost = CryptHost

Step 6

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • {folder where malware is installed}\HostID.DAT

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_REDSIP.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.