BKDR_CARETO.A

One of the Windows malware related to the Careto attack known for encoding its configuration data and encrypting its network traffic thus making analysis difficult.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals system information.

It deletes itself after execution.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following file(s)/component(s):

• %System%\awcodc32.dll - detected as BKDR_CARETO.A
• %System%\awdcxc32.dll - detected as BKDR_CARETO.A
• %System%\drivers\scsimap.sys - detected as BKDR_CARETO.A
• %System%\jpeg1x32.dll - detected as BKDR_CARETO.A
• %System%\mfcn30.dll - detected as BKDR_CARETO.A
• %System%\vchw9x.dll - detected as BKDR_CARETO.A
• %User Temp%\___{random number}.tmp - detected as BKDR_CARETO.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following non-malicious file:

• %System%\bootfont.bin

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 36A900E5-0AE5-4ca6-84B4-45A05B42E705}_262144_124160

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\
scsimap
ImagePath = "%System%\DRIVERS\scsimap.sys"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\
scsimap

Backdoor Routine

This backdoor posts the following information to its command and control (C&C) server:

• http://www.{BLOCKED}nt.com/server/ssl.htm
• https://{BLOCKED}t.{BLOCKED}et.nu/cgi-bin/index.cgi
• https://{BLOCKED}.{BLOCKED}.233.15/cgi-bin/index.cgi

As of this writing, the said servers are currently inaccessible.

Information Theft

This backdoor steals system information.

Other Details

This backdoor deletes itself after execution.

NOTES:

This backdoor has the following malicious components:

• %System%\awcodc32.dll
• %System%\awdcxc32.dll
• %System%\drivers\scsimap.sys
• %System%\jpeg1x32.dll
• %System%\mfcn30.dll
• %System%\vchw9x.dll
• %User Temp%\___{random number}.tmp

The file awdcxc32.dll communicates with the modified scsimap.sys and loaded by vchw9x.dll.

The file scsimap.sys loads the malware components.

The file jpeg1x32.dll uninstalls the malware.

The file mfcn30.dll contains information where the malware can download an updated copy of itself.

The files awcodc32.dll and vchw9x.dll are used to communicate to the C&C server.

The file ___{random number}.tmp deletes the dropper that executes it.

It uses pipe \\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}.

It uses "Caguen1aMar" as encryption key for communications with the C&C server.

It uses the following URL query parameters:

• Data
• Exec
• Ack
• Cmd
• Raw
• Id
• Inst