BKDR_CRIDEX.RY

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %User Profile%\Application Data\KB{random number}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %User Profile%\Application Data\{random folder name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\XME{8 random characters}
• Local\XMI{8 random characters}
• Local\XMM{8 random characters}
• Local\XMS{8 random characters}
• Local\XMF{8 random characters}
• Local\XMR{8 random characters}
• Local\XMQ{8 random characters}
• Local\XMB{8 random characters}

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 1}

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 2}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Monitor browser cookies
• Download and execute arbitrary files
• Upload stolen information
• Download configuration files

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}.{BLOCKED}.100.108:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.150.72:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.5.140:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.17.180:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.172.202:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.187.72:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.102.95:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.61.59:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.237.9:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.189.180:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.89.82:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.221.6:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.238.18:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.216.70:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.57.208:8080/jsbqmCA/hCpyb/Cnw/ED/
• http://{BLOCKED}.{BLOCKED}.221.186:8080/jsbqmCA/hCpyb/Cnw/ED/

Information Theft

This backdoor monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar and/or title bar:

• \.com/k1/
• /ach/
• /authentication/zbf/k/
• /bb/logon/
• chase\.com
• /cashman/
• /cashplus/
• /clkccm/
• /cmmain\.cfm
• /cmserver/
• /cmwire
• achredirect\.aspx
• cbonline
• /ebc_ebc1961/
• /ibs\.
• /ibws/
• /icm/
• /icm2/
• /inets/
• /livewire/
• /loginolb/loginolb
• /netbnx/
• /olbb/
• /phcp
• /sbuser/
• /smallbiz/
• /wcmpw/
• /webcm/
• /wire/
• /wires/
• 2checkout\.com
• ablv\.com
• access\.jpmorgan\.com
• access\.usbank\.com
• accessbankplc\.com
• accountoverview\.aspx
• accurint\.com
• achieveaccess\.citizensbank\.com
• achpayment
• achweb\.unionbank\.com
• achworks\.com
• alltimetreasury\.pacificcapitalbank\.com
• alphabank\.com
• amegybank\.com/
• anb\.portalvault\.com
• atbonlinebusiness\.com
• auth\.umb\.com
• authmaster\.nationalcity\.com
• baltikums\.com
• baltikums\.eu
• banesco\.com\.pa
• bankbyweb
• bankfirst\.com
• banking\.calbanktrust\.com
• banking\.firsttennessee\.biz
• accurint\.com
• plainscapital\.gfxwebwire\.com
• sterlingpayment\.com
• rbsm\.com
• business\.swedbank\.lv
• secure\.accesshorizon\.com
• myonline\.bankbv\.com
• cencorpcu\.com/
• banknet\.lv
• bankofbermuda\.com
• bankofcyprus\.com
• bankonline\.sboff\.com
• bankonline\.umpquabank\.com
• bbo\.1stsource\.com
• bib\.lv
• billauth
• billmenu
• bizcurrency\.com
• blilk
• bmo\.com/
• bmoharrisprivatebankingonline\.com
• bmomutualfunds\.com
• bnycash\.bankofny\.com
• bob\-w\.
• bob\.sovereignbank\.com
• bolb\-east\.associatedbank\.com
• bolb\-west\.associatedbank\.com
• bolb\.
• boveda\.banamex\.com\.mx
• bscincky\.com
• business\.macu\.com
• business\.netbankerplus\.com
• business_solutions
• businessaccess\.citibank\.citigroup\.com
• businessappshome
• businessbanking\.cibc\.com
• businessclassonline\.compassbank\.com
• businesslogin
• businessmanager\.com
• businessonline
• businessportal\.mibank\.com
• butterfieldonline\.ky
• bxs\.com
• cashanalyzer\.com
• cashmanager\.mizuhoe\-treasurer\.com
• cashmgmt
• cashmgt
• cashproonline\.bankofamerica\.com
• bankofamerica\.com
• cashproweb\.com/cpwportal
• cbbusinessonline\.com
• cencorpcu\.com
• cfgbusinessaccess\.com
• checkgateway
• checkout\.com/va/login
• cib\.bankofthewest
• cibconline\.cibc\.com
• cimbanque\.net
• citizensbankmoneymanagergps\.com
• cmachm\.w
• cmbmnt\.w
• cmol\.bbt\.com/auth
• cmwirp\.w
• cnbsec1\.
• colb\.
• comerica\.com
• commercebusinessdirect\.com
• commercial\.wachovia\.com
• commercialservices
• connect\.bankcolonial\.com
• connect\.colonialbank\.com
• constitutioncorp\.org
• corpach
• corporate\.epfc\.com
• corporateaccounts
• corporatebankingweb
• corporateconnect\.net
• corpower\.coop
• createcorpwire
• createwire
• cu\.com
• cu\.org
• danskebanka\.lv
• db\-direct\.db\.com
• directline4biz\.com
• directnet\.com
• e\-moneyger
• e\-norvik\.lv
• easywebcpo\.td\.com/waw/idp
• ebanking\-services
• ebemo\.bemobank\.com
• ebill\.highmark\.com
• ecash\.
• ecm\-transfers\.unionbank\.com
• ecms\.unionbank\.com
• efirstbank\.com
• ekp\.lv
• enternetbank\.com
• enterprise2\.openbank\.com
• epd\.uscentral\.org
• eurobankefg\.com
• exact4web
• exness\.com
• express\.53\.com
• expressdeposit\.colonialbank\.com
• fbmedirect\.com
• ffinonline\.com
• ffrontier\.com
• fir

Other Details

This backdoor deletes the initially executed copy of itself

NOTES:

It monitors the following browsers:

• chrome.exe
• firefox.exe

It does not have rootkit capabilities.

It does not exploit any vulnerability.