PLATFORM: Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. It also executes backdoor commands, compromising the security of the infected systems. The following are the backdoor commands executed by SIMDA variants:

  • Disable operating system by modifying or deleting system files

  • Activate/deactivate itself

  • Inject scripts to a visited webpage

  • Disable the infected system by deleting critical registry keys

  • Download and execute arbitrary files

  • Download updated configuration file

  • Upload files

  • Run or terminate applications

  • Delete files

  • Modify system settings

  • Steal certificates

Another notable behavior of SIMDA is its ability to terminate itself when executed in a virtual environment. It also terminates antivirus-related processes to avoid detection and removal. In addition, it logs on to the infected system as administrator using a list of passwords.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security, Steals information, Terminates processes

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Windows%\AppPatch\{random}.exe
  • %Windows%\AppPatch\{random}.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
b0b2d6e3 = "%Windows%\apppatch\{random}.dat"

It modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %Windows%\apppatch\{random}.exe,"

(Note: The default value data of this registry entry is "%System%\userinit.exe,".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %Windows%\AppPatch\{random}.dat,"

(Note: The default value data of this registry entry is "%System%\userinit.exe,".)

Other System Modifications

This backdoor adds the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
b0b2d6e3 = "{characters}"

It creates the following registry entry to bypass Windows Firewall, authorizing its own executable under the display name "Windows Explorer":

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:Windows Explorer"
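The two persistence artifacts above, the extra program appended to the Winlogon Userinit value and the self-granted firewall authorization, can both be audited from exported registry values. The following Python script is an added example written for this page, not code from the write-up or from any vendor tool; it assumes the default Userinit data stated above, assumes explorer.exe is the only legitimate owner of the display name "Windows Explorer", and runs over constructed sample values in which "x7f3a" stands in for the {random} names the write-up leaves unspecified.

```python
from __future__ import annotations

import ntpath

# Default data of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# on Windows 2000/XP/2003 is "%System%\userinit.exe," (trailing comma included).
# Both the unexpanded and the usual expanded forms are accepted as known-good.
DEFAULT_USERINIT = {
    r"%system%\userinit.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\winnt\system32\userinit.exe",
}

# Display names that only a specific Windows binary should carry in the firewall
# AuthorizedApplications list. Assumption: explorer.exe is the only legitimate
# "Windows Explorer"; extend this table from your own baseline.
EXPECTED_DISPLAY_OWNER = {"windows explorer": "explorer.exe"}


def userinit_extras(value: str) -> list[str]:
    """Return every program in a Userinit value other than the default userinit.exe.

    Userinit is a comma-separated list and Winlogon runs each entry at logon;
    the trailing comma of the default value is normal and yields no entry.
    """
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() not in DEFAULT_USERINIT]


def firewall_entry_suspicious(name: str, data: str) -> bool:
    """Flag an AuthorizedApplications\\List value that looks self-granted.

    Data has the form "{path}:{scope}:{state}:{display name}". rsplit is used
    because the path itself contains the drive colon. An entry is flagged when
    the data is malformed, the value name and path disagree, or the display
    name belongs to a Windows binary other than the one being authorized.
    """
    fields = data.rsplit(":", 3)
    if len(fields) != 4:
        return True
    path, _scope, state, display = fields
    if path.lower() != name.lower():
        return True
    if state.lower() != "enabled":
        return False
    owner = EXPECTED_DISPLAY_OWNER.get(display.strip().lower())
    return owner is not None and ntpath.basename(path).lower() != owner


def audit(winlogon: dict[str, str], firewall_list: dict[str, str]) -> list[str]:
    """Run both checks over exported registry values and return the findings."""
    findings = []
    for extra in userinit_extras(winlogon.get("Userinit", "")):
        findings.append(f"Userinit launches extra program: {extra}")
    for name, data in firewall_list.items():
        if firewall_entry_suspicious(name, data):
            findings.append(f"Firewall authorization looks self-granted: {name}")
    return findings


# Constructed sample values mirroring the shapes described in the write-up;
# the second firewall entry is a constructed benign application for contrast.
SAMPLE_WINLOGON = {
    "Userinit": r"%System%\userinit.exe, %Windows%\apppatch\x7f3a.exe,",
    "b0b2d6e3": r"%Windows%\apppatch\x7f3a.dat",
}
SAMPLE_FIREWALL_LIST = {
    r"C:\Windows\AppPatch\x7f3a.exe":
        r"C:\Windows\AppPatch\x7f3a.exe:*:Enabled:Windows Explorer",
    r"C:\Program Files\Example\example.exe":
        r"C:\Program Files\Example\example.exe:*:Enabled:Example App",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_WINLOGON, SAMPLE_FIREWALL_LIST):
        print(line)
```

On a live host the two dictionaries would be filled from a registry export of the Winlogon key and the AuthorizedApplications\List key; the checks themselves need nothing beyond the value names and data strings.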

Dropping Routine

This backdoor drops the following files:

  • %User Profile%\Application Data\b0b2d761a
  • %User Profile%\Application Data\B0B2D7A3a
  • %User Profile%\Application Data\{random}
  • %User Profile%\Application Data\{random1}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{random}.com/login.php