GHOSTRAT


 ALIASES:

Farfli, Palevo, Redosdru, KeyLogger, Swisyn

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

GHOSTRAT is a family of backdoors, or more accurately, remote administration tools (RATs), used to gain control of the computer it infects. It is affiliated with the GhostNet bot network.

It steals information by logging keystrokes. The information it steals is usually system-related, such as the operating system version and processor speed. All data is then sent back to C&C servers operated by GhostNet.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Steals information

Installation

This backdoor drops the following file(s)/component(s):

  • %System%\ctfmon1.exe
  • %System%\360SP2.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe
  • %Windows%\Ball.exe
  • %Windows%\Temp\zk.exe
  • %Windows%\XXXXXXD0F7D4A7\svchsot.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following folders:

  • %Windows%\XXXXXXD0F7D4A7

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Ball = "%Windows%\Ball.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
XXXXXXD0F7D4A7 = "%Windows%\XXXXXXD0F7D4A7\svchsot.exe"

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\InfoTime
InfoTime = "{malware executed - yyyymmmdd}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Ball
Group = "{characters}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN\
0000
Service = "Microsoft Madmin"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin
ImagePath = "%System%\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin
DisplayName = "Microsoft Device Manager"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Parameters
ServiceDll = "%System%\360SP2.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Security
Security = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Enum
0 = "Root\LEGACY_MICROSOFT_MADMIN\0000"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\InfoTime

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Ball

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN\
0000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Security

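Defensive example, added here and not part of the Trend Micro entry: a read-only PowerShell hunt that checks a host for the Run-key autostart values, the "Microsoft Madmin" service registration and its ServiceDll, the other installation keys, and the dropped files listed above. The function name Find-GhostRatArtifacts is ours, and the netsvcs group-list check goes beyond the entry (a service that runs under svchost.exe -k netsvcs must also be named in the netsvcs group value, so a foreign name there is a signal even after the service key has been cleaned up); both are assumptions, not facts from the entry.

```powershell
# Added example, not part of the Trend Micro entry: a read-only hunt for the
# persistence artifacts this GHOSTRAT variant is documented to create.
# Assumes Windows PowerShell 2.0 or later and read access to HKLM.
# Function name and array layout are our own.

function Find-GhostRatArtifacts {
    $findings = @()

    # --- Autostart: Run values named in the entry ---------------------------
    $runValues = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Ball' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'XXXXXXD0F7D4A7' }
    )
    foreach ($rv in $runValues) {
        if (Test-Path -Path $rv.Key) {
            $data = (Get-ItemProperty -Path $rv.Key -ErrorAction SilentlyContinue).($rv.Name)
            if ($data) { $findings += ('Run value: {0}\{1} = {2}' -f $rv.Key, $rv.Name, $data) }
        }
    }

    # --- Service persistence: "Microsoft Madmin" hosted by svchost -k netsvcs --
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Microsoft Madmin'
    if (Test-Path -Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        $findings += ('Service key: {0} (ImagePath = {1}, DisplayName = {2})' -f $svcKey, $svc.ImagePath, $svc.DisplayName)
        $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $findings += ('ServiceDll: {0}' -f $dll) }
    }

    # Assumption beyond the entry: a svchost-hosted service must be listed in the
    # netsvcs group value, so the name surviving there is itself an indicator.
    $groups = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' -ErrorAction SilentlyContinue
    if ($groups -and (@($groups.netsvcs) -contains 'Microsoft Madmin')) {
        $findings += 'netsvcs group value contains "Microsoft Madmin"'
    }

    # --- Other installation keys listed in the entry -------------------------
    $otherKeys = @(
        'HKLM:\SYSTEM\InfoTime',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Ball',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MADMIN'
    )
    foreach ($k in $otherKeys) {
        if (Test-Path -Path $k) { $findings += ('Registry key present: {0}' -f $k) }
    }

    # --- Dropped files and copies (paths resolved for XP/2003 layouts) --------
    $sys = "$env:SystemRoot\System32"
    $files = @(
        "$sys\ctfmon1.exe",
        "$sys\360SP2.dll",
        "$env:SystemRoot\Ball.exe",
        "$env:SystemRoot\Temp\zk.exe",
        "$env:SystemRoot\XXXXXXD0F7D4A7\svchsot.exe",
        (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Ball.exe')
    )
    foreach ($f in $files) {
        if (Test-Path -Path $f -PathType Leaf) { $findings += ('File present: {0}' -f $f) }
    }

    return $findings
}

$hits = @(Find-GhostRatArtifacts)
if ($hits.Count -eq 0) { 'No GHOSTRAT artifacts found.' } else { $hits }
```

Run it from an elevated prompt so HKLM service keys and %Windows% subfolders are readable; [Environment]::GetFolderPath('CommonStartup') resolves to the All Users Startup folder named in the entry. The script only reads; any hit should be triaged (hash the file, check the service's ServiceDll against a known-good baseline) before removal, since the "Microsoft Madmin" service masquerades as a Windows component.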
Other Details

This backdoor connects to the following possibly malicious URLs:

  • wxhdxx.{BLOCKED}2.org
  • jinfo106.{BLOCKED}1.org
  • jinfo106.{BLOCKED}ood.com
  • jinfo106.{BLOCKED}k.com
  • baobao52100.{BLOCKED}2.org
  • {BLOCKED}.{BLOCKED}.161.101:100