PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

HELOAG is a family of backdoors. Spotted in 2010, HELOAG comes as a downloaded file from two specific sites.

HELOAG connects to a server and performs commands issued from the server. It connects to different IP addresses, depending on which IP address the server feeds it.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Windows%\ThunderUpdate.exe
  • %Windows%\csrse.exe
  • %Windows%\conme.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSDT_TOOL\0000
Service = "SSDT_TOOL"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDT_TOOL
ImagePath = "\??\{malware path}\SSDT_TOOL.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDT_TOOL
DisplayName = "SSDT_TOOL"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDT_TOOL\Security
Security = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDT_TOOL\Enum
0 = "Root\LEGACY_SSDT_TOOL\0000"

It modifies the following registry entry to ensure its automatic execution at every system startup, so that Winlogon launches the dropped copy alongside the desktop shell:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %Windows%\ThunderUpdate.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %Windows%\csrse.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %Windows%\conme.exe asds"

(Note: The default value data of the said registry entry is Explorer.exe.)

Other System Modifications

This backdoor adds the following registry entry, which keeps protected operating system files (including its own dropped copies) hidden in Explorer:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "0"

It modifies the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue = "0"

(Note: The default value data of the said registry entry is 1.)
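One way to triage an exported registry hive for the autostart and file-hiding changes listed above, as an added example that is not part of this write-up: the Python below parses a constructed .reg export (the sample values are invented for illustration) and flags a Winlogon Shell value other than the default Explorer.exe, a SuperHidden UncheckedValue of 0, and an SSDT_TOOL service ImagePath.

```python
# Constructed sample .reg export (not from the page); it reproduces the
# Winlogon Shell, SuperHidden and SSDT_TOOL changes the write-up lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\conme.exe asds"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDT_TOOL]
"ImagePath"="\\??\\C:\\WINDOWS\\SSDT_TOOL.sys"
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
SUPERHIDDEN = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = raw
    return keys

def decode(raw):
    """Decode a raw .reg value: dword to int, string unquoted and unescaped."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw.strip('"').replace('\\\\', '\\')

def find_heloag_indicators(reg_text):
    """Return findings for the autostart and file-hiding changes above."""
    keys, findings = parse_reg(reg_text), []
    shell = keys.get(WINLOGON, {}).get('Shell')
    # Default Shell data is exactly "Explorer.exe"; any extra token is launched at logon.
    if shell is not None and decode(shell).strip().lower() != 'explorer.exe':
        findings.append('Winlogon Shell hijacked: ' + decode(shell))
    unchecked = keys.get(SUPERHIDDEN, {}).get('UncheckedValue')
    if unchecked is not None and decode(unchecked) == 0:  # default is 1
        findings.append('SuperHidden UncheckedValue forced to 0')
    for path, values in keys.items():
        if path.lower().endswith(r'\services\ssdt_tool') and 'ImagePath' in values:
            findings.append('SSDT_TOOL service: ' + decode(values['ImagePath']))
    return findings
```

The same checks apply to a live export taken with `reg export` on the affected host; a clean system yields an empty list because Shell is exactly Explorer.exe and UncheckedValue is 1.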

Other Details

This backdoor connects to the following possibly malicious URLs:

  • cnc{BLOCKED}e.ln.cn
  • {BLOCKED}.{BLOCKED}.130.247
  • http://www.{BLOCKED}m.com/reques0.asp?kind=020&mac={data}&key={random}
