Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

CYCBOT is a family of backdoors that emerged in early 2011. These backdoors are known to arrive on a system as a file dropped by other malware or unknowingly downloaded by the user when visiting malicious sites.

These backdoors are known primarily as for-profit malware: they hijack search engine results and redirect users to malicious websites that display ads and host other malware. They also connect to remote servers to listen for and execute commands sent by malicious users. Moreover, these backdoors are able to terminate security-related processes that they detect running on the system, and they download FAKEAV variants.

CYCBOT malware is distributed via malicious pay-per-install (PPI) schemes. Cybercriminals download malware from PPI websites and set up servers that serve exploit kits; these exploit kits then download the CYCBOT binary. In July 2011, an affiliate network called Ready to Ride was seen distributing CYCBOT.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Downloads files, Terminates processes

Installation

This backdoor drops the following files:

  • %Application Data%\{random}.{random}
  • %User Profile%\Application Data\Microsoft\stor.cfg
  • %User Profile%\Application Data\{random}.{random}
  • %User Profile%\Application Data\{random}\{random}.{random}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %Application Data%\Microsoft\conhost.exe
  • %Application Data%\dwm.exe
  • %Program Files%\LP\{random}\{random}.exe
  • %Program Files%\{random}\lvvm.exe
  • %User Profile%\Application Data\Microsoft\Windows\shell.exe
  • %User Profile%\Application Data\Microsoft\conhost.exe
  • %User Profile%\Application Data\Microsoft\svchost.exe
  • %User Profile%\Application Data\{random}\{random}.exe
  • %User Temp%\csrss.exe
  • %User Temp%\dwm.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %Program Files%\LP
  • %Program Files%\LP\{random}
  • %Program Files%\{random}
  • %User Profile%\Application Data\{random}

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
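The drop list above has a pattern a responder can check for without any sample hash: copies named after Windows system binaries (conhost.exe, csrss.exe, dwm.exe, svchost.exe) placed in user-writable folders rather than %System%, plus a few family-specific names (shell.exe, lvvm.exe, stor.cfg) and executables under %Program Files%\LP. The script below is an added example, not part of this write-up, that expands the %...% placeholders the way the path notes describe for Windows 2000/XP/2003 and flags matching entries in a file listing. The user name "alice", the %System% path and the constructed listing are assumptions for the demonstration; the "random" folder and file names are placeholders.

```python
import ntpath

# Filenames the backdoor borrows from Windows system binaries; the genuine
# ones live in %System%, so a copy anywhere else is suspicious.
MASQUERADED_NAMES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe"}
# Filenames specific to this family's drop list.
FAMILY_NAMES = {"shell.exe", "lvvm.exe", "stor.cfg"}

# Concrete expansions for a Windows XP profile, following the path notes above.
# The user name "alice" is a constructed placeholder.
XP_VARS = {
    "%User Profile%": r"C:\Documents and Settings\alice",
    "%Application Data%": r"C:\Documents and Settings\alice\Local Settings\Application Data",
    "%User Temp%": r"C:\Documents and Settings\alice\Local Settings\Temp",
    "%Program Files%": r"C:\Program Files",
    "%System%": r"C:\WINDOWS\system32",
}


def expand(path, variables=XP_VARS):
    """Replace the %...% placeholders used in the drop list with concrete paths."""
    for name, value in variables.items():
        path = path.replace(name, value)
    return path


def classify(path, variables=XP_VARS):
    """Return a reason string if the path matches a drop-list pattern, else None."""
    full = expand(path, variables)
    name = ntpath.basename(full).lower()
    parent = ntpath.dirname(full).lower()
    if name in MASQUERADED_NAMES and parent != variables["%System%"].lower():
        return "system binary name outside %System%"
    if name in FAMILY_NAMES:
        return "filename from CYCBOT drop list"
    lp_dir = ntpath.join(variables["%Program Files%"], "LP").lower() + "\\"
    if full.lower().startswith(lp_dir) and name.endswith(".exe"):
        return "executable under %Program Files%\\LP"
    return None


def scan(listing, variables=XP_VARS):
    """Return [(expanded_path, reason)] for every suspicious entry in a listing."""
    hits = []
    for path in listing:
        reason = classify(path, variables)
        if reason:
            hits.append((expand(path, variables), reason))
    return hits


# Constructed file listing: two benign entries plus five taken from the drop list.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"%User Temp%\csrss.exe",
    r"%Application Data%\dwm.exe",
    r"%User Profile%\Application Data\Microsoft\conhost.exe",
    r"%User Profile%\Application Data\Microsoft\stor.cfg",
    r"%Program Files%\LP\a1b2\c3d4.exe",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```

On a live system the listing would come from a recursive directory walk of the profile, Temp and Program Files folders; the name-outside-%System% rule is deliberately broader than this one family, since the same masquerading trick is common to many droppers.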

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
conhost = "%User Profile%\Application Data\Microsoft\conhost.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe, %Application Data%\dwm.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe,%User Profile%\Application Data\{random}\{random}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe,%User Profile%\Application Data\Microsoft\Windows\shell.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
conhost = "%Application Data%\Microsoft\conhost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random}.exe = "%Program Files%\LP\{random}\{random}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
svchost = "%User Profile%\Application Data\Microsoft\svchost.exe"

It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "%User Temp%\csrss.exe"

(Note: The default value data of the said registry entry is {blank}.)

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyServer = "http=127.0.0.1:{random}"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyEnable = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\Current\Software\
Microsoft\windows\CurrentVersion\
Internet Settings
ProxyEnable = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_CONFIG\Software\Microsoft\
windows\CurrentVersion\Internet Settings
ProxyEnable = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender
DisableAntiSpyware = "1"

(Note: The default value data of the said registry entry is 0.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
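The registry changes listed under Autostart Technique and Other System Modifications are the most durable host indicators for this family: a Winlogon Shell value with something appended after explorer.exe, a non-blank load value, a ProxyServer of http=127.0.0.1:{random} with ProxyEnable set to 1 (the local port is how the backdoor inserts itself into the user's web traffic to hijack search results), DisableAntiSpyware set to 1, Run entries pointing into user-writable folders, and a missing wscsvc service key. The following Python script is an added example, not part of this write-up: it parses a constructed .reg export covering those keys and applies one rule per indicator. The user name "alice", the port 53241 and the Dhcp sibling service key are constructed placeholders; the wscsvc rule only fires when the export includes the parent Services key, so a partial export does not produce a false alarm.

```python
import re

# Constructed .reg export reproducing the modifications described above.
# User name, port and the Dhcp sibling key are placeholders, not sample data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"conhost"="C:\\Documents and Settings\\alice\\Application Data\\Microsoft\\conhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Documents and Settings\\alice\\Application Data\\Microsoft\\Windows\\shell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\csrss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:53241"
"ProxyEnable"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
'''

VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse the subset of the .reg format used here: [key] headers,
    "name"="string" values and "name"=dword:hex values. Keys and value
    names are lower-cased because the registry is case-insensitive."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, s, d = m.groups()
            if s is not None:
                # .reg escapes backslashes and quotes inside strings
                s = s.replace('\\\\', '\\').replace('\\"', '"')
                hives[current][name.lower()] = s
            else:
                hives[current][name.lower()] = int(d, 16)
    return hives


# Path fragments that mark a user-writable location on Windows 2000/XP/2003.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def find_indicators(hives):
    """Return [(indicator, data)] for each CYCBOT-style modification present."""
    hits = []

    def get(key, name):
        return hives.get(key.lower(), {}).get(name.lower())

    winlogon = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    shell = get(winlogon, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append(("Winlogon\\Shell", shell))          # extra program after explorer.exe

    load = get(r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "load")
    if load:
        hits.append(("Windows\\load", load))              # default is blank

    inet = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    proxy = get(inet, "ProxyServer") or ""
    if get(inet, "ProxyEnable") == 1 and re.fullmatch(r"http=127\.0\.0\.1:\d+", proxy):
        hits.append(("Internet Settings\\ProxyServer", proxy))   # local proxy hijack

    if get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender", "DisableAntiSpyware") == 1:
        hits.append(("Windows Defender\\DisableAntiSpyware", 1))

    run = hives.get(r"hkey_local_machine\software\microsoft\windows\currentversion\run", {})
    for name, data in run.items():
        if isinstance(data, str) and any(m in data.lower() for m in USER_WRITABLE):
            hits.append(("Run\\" + name, data))           # autostart from a user folder

    services = r"hkey_local_machine\system\currentcontrolset\services"
    if services in hives and services + r"\wscsvc" not in hives:
        hits.append(("Services\\wscsvc", "missing"))      # Security Center service removed
    return hits


if __name__ == "__main__":
    for indicator, data in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{indicator}: {data}")
```

Feed it a real export (`reg export` of the keys named above, or a .reg file produced by regedit) and each rule maps back to one entry in the lists above, so a hit tells the responder exactly which modification to reverse: clear the Shell and load values, disable the proxy, re-enable anti-spyware and restore the wscsvc service.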

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

  • {BLOCKED}youstudios.com
  • {BLOCKED}khypnocrys.com

Other Details

This backdoor connects to the following possibly malicious URLs:

  • {BLOCKED}yourimage.com
  • {BLOCKED}domaintolevel.com
  • {BLOCKED}khypnocrys.com
  • {BLOCKED}torepro.com
  • {BLOCKED}orepro.com
  • {BLOCKED}-sys.com
  • {BLOCKED}bigtit.com
  • {BLOCKED}iser.com
  • {BLOCKED}astore.com
  • {BLOCKED}orageforyou.com
  • http://{BLOCKED}6.com/LB5000/CGI-BIN/s.cgi
  • http://{BLOCKED}6.com/LB5000/CGI-BIN/topic.cgi
  • http://{BLOCKED}6.com/lb5000/non-cgi/images/leoca.gif
  • http://{BLOCKED}.{BLOCKED}l.qudeteyuj.cn/gbot/ss.cgi
  • http://{BLOCKED}edating.com/images/attend_for_free/attend{number}.jpg
  • http://{BLOCKED}edating.com/successStories.cgi
  • http://{BLOCKED}cationalsoftware.com/credi cardlogos.gif
  • http://{BLOCKED}cationalsoftware.com/creditcard.png
  • http://{BLOCKED}cationalsoftware.com/creditcard2.png
  • http://{BLOCKED}cationalsoftware.com/creditcardlogos.gif
  • http://{BLOCKED}btech.com/images/133.jpg
  • http://{BLOCKED}btech.com/images/134.jpg
  • http://{BLOCKED}emonitoring.com/images/im133.jpg
  • http://{BLOCKED}emonitoring.com/images/im13{number}.jpg
  • http://{BLOCKED}sstore.com/images/im133.jpg
  • http://{BLOCKED}sstore.com/images/im13{number}.jpg
  • http://{BLOCKED}derwomen.com/images/im133.jpg
  • http://{BLOCKED}mtonschools.org/images/297893.jpg
  • http://{BLOCKED}mtonschools.org/images/297894.jpg
  • http://{BLOCKED}mtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
  • http://{BLOCKED}rartists.org/external/Banners/facebook.jpg
  • http://{BLOCKED}rartists.org/external/Banners/facebook2.jpg
  • http://{BLOCKED}linecatalog.com
  • http://{BLOCKED}gsourcecodes.com
  • http://{BLOCKED}n.{BLOCKED}ofdeception.com/logo.png
  • http://{BLOCKED}n.{BLOCKED}ofdeception.com/wp-content/uploads/2011/06/frame6.png
  • http://{BLOCKED}n.{BLOCKED}ofdeception.com/wp-content/uploads/2011/06/frame7.png
  • http://{BLOCKED}upport.com/images/livechat.png
  • http://{BLOCKED}upport.com/images/logo.png
  • http://{BLOCKED}ianchat.net/images/christian12.jpg
  • http://{BLOCKED}ianchat.net/images/christian13.jpg
  • http://{BLOCKED}ianchat.net/images/christian14.jpg
  • http://{BLOCKED}tteonlines.com
  • http://{BLOCKED}intsboard.com/complaints/logo.png
  • http://{BLOCKED}intsboard.com/complaints/rar.png
  • http://{BLOCKED}ntsboard.com/complaints/zip.png
  • http://{BLOCKED}eafdesign.com/blog/images/share/facebook.png
  • http://{BLOCKED}eafdesign.com/blog/images/share/stumble.png
  • http://{BLOCKED}cureonline.com
  • http://{BLOCKED}udiodevice.com/images/im13{number}.jpg
  • http://{BLOCKED}cscriptinstaller.com/pics/k5.jpg
  • http://{BLOCKED}cscriptinstaller.com/pics/l2.jpg
  • http://{BLOCKED}hiv.cn/g/p.php
  • http://{BLOCKED}hiv.cn/g/t.php
  • http://{BLOCKED}hiv.cn/gbot/ss.cgi
  • http://{BLOCKED}o.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg
  • http://{BLOCKED}atnow.com/1.gif
  • http://{BLOCKED}atnow.com/2.gif
  • http://{BLOCKED}nediconline.com
  • http://{BLOCKED}wnload3.com/screenshot/4/s/89_3276.gif
  • http://{BLOCKED}wnload3.com/screenshot/4/s/89_3277.gif
  • http://{BLOCKED}wnload3.com/screenshot/4/s/89_3278.gif
  • http://{BLOCKED}ilantispam.com
  • http://{BLOCKED}linedatingtips.net/images/dating1.jpg
  • http://{BLOCKED}tentsonline.com/images/pdf.jpg
  • http://{BLOCKED}pmusiconline.com
  • http://{BLOCKED}oisdb.com
  • http://{BLOCKED}ar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1
  • http://{BLOCKED}ar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2
  • http://{BLOCKED}erbalteaonline.com/images/greenherbalteagirlholdingcup250.gif
  • http://{BLOCKED}erbalteaonline.com/images/greenherbalteagirlholdingcup350.gif
  • http://{BLOCKED}ylifenow.com/templates/7348/images/header_logo.jpg
  • http://{BLOCKED}ylifenow.com/templates/7349/images/header_logo.jpg
  • http://{BLOCKED}eeddbsearch.com
  • http://{BLOCKED}eedinternetlosangeles.webnode.com news/2.php
  • http://{BLOCKED}eedinternetlosangeles.webnode.com/news/1.cgi
  • http://{BLOCKED}eedinternetlosangeles.webnode.com/news/1.php
  • http://{BLOCKED}eedinternetlosangeles.webnode.com/news/2.php
  • http://{BLOCKED}ykillerpro.com/img/eslogo.gif
  • http://{BLOCKED}dioz.com
  • http://{BLOCKED}dandbarrett.com/images/footer/account.gif
  • http://{BLOCKED}ndandbarrett.com/images/footer/account.jpg
  • http://{BLOCKED}g.{BLOCKED}0.net/716/716354_m60.jpg
  • http://{BLOCKED}g.{BLOCKED}0.net/716/716354_m61.jpg
  • http://{BLOCKED}g.{BLOCKED}0.net/716/716354_m62.jpg
  • http://{BLOCKED}analyst.com/12.jpg
  • http://{BLOCKED}analyst.com/png/intel.gif
  • http://{BLOCKED}analyst.com/png/intel.jpg
  • http://{BLOCKED}segreenteaonline.com/assets/images/greentea-cha-1.gif
  • http://{BLOCKED}segreenteaonline.com/assets/images/greentea-cha-2.gif
  • http://{BLOCKED}enewworldorder.com/images/pages.jpg
  • http://{BLOCKED}enewworldorder.com/images/pages.png
  • http://{BLOCKED}wcounter.com/images/im133.jpg
  • http://{BLOCKED}wcounter.com/images/im13{number}.jpg
  • http://{BLOCKED}tcatalogs.com
  • http://{BLOCKED}skopia.com
  • http://{BLOCKED}atagent.com/img/footer_intel.gif
  • http://{BLOCKED}atagent.com/img/footer_intel.jpg
  • http://{BLOCKED}atinc.com/wp-content/images/cpc.jpg
  • http://{BLOCKED}atinc.com/wp-content/images/cpc.png
  • http://{BLOCKED}opaganda.net/blog/pics/3321.jpg
  • http://{BLOCKED}opaganda.net/blog/pics/3322.jpg
  • http://{BLOCKED}hoj.cn/gbot/r.php
  • http://{BLOCKED}hoj.cn/gbot/sc.cgi
  • http://{BLOCKED}hoj.cn/gbot/t.php
  • http://{BLOCKED}peranimals.com/images/im133.jpg
  • http://{BLOCKED}gamesonlines.com
  • http://{BLOCKED}rom.at/polytheism/pictures/TanzenderShiva.jpg
  • http://{BLOCKED}boardpoint.com/images/template/h.cgi
  • http://{BLOCKED}boardpoint.com/images/template/header.jpg
  • http://{BLOCKED}boardstest.com/images/im13{number}.jpg
  • http://{BLOCKED}bestfriends.com/images/im133.jpg
  • http://{BLOCKED}rchive.com/images/im13{number}.jpg
  • http://{BLOCKED}sautoelectric.com/images/50-217-1_F_1_.jpg
  • http://{BLOCKED}sautoelectric.com/images/50-217-1_F_2_.jpg
  • http://{BLOCKED}ldorderreport.com/favicon.ico
  • http://{BLOCKED}ldorderreport.com/img/3421.png
  • http://{BLOCKED}ldorderreport.com/img/3422.png
  • http://{BLOCKED}eyescat.com
  • http://{BLOCKED}backuostore4you.com
  • http://{BLOCKED}bizdirectory.com/images/PowerHideBanner.gif
  • http://{BLOCKED}bizdirectory.com/images/PowerShowBanner.gif
  • http://{BLOCKED}datingsecretfriends.com/images/im133.jpg
  • http://{BLOCKED}datingsecretfriends.com/images/im134.jpg
  • http://{BLOCKED}institute.com/g7/images/logo.jpg
  • http://{BLOCKED}institute.com/g7/images/logo2.jpg
  • http://{BLOCKED}institute.com/g7/images/logo3.jpg
  • http://{BLOCKED}einstitute.com/g7/images/logo4.jpg
  • http://{BLOCKED}genius.com/132.gif
  • http://{BLOCKED}genius.com/133.gif
  • http://{BLOCKED}genius.com/temp/head.png
  • http://{BLOCKED}pro.com/images/logo-1.jpg
  • http://{BLOCKED}ro.com/images/logo-2.jpg
  • http://{BLOCKED}tyourpc-11.com/cgi-bin/cycle_report.cgi
  • http://{BLOCKED}k.com/img/icons/facebook.png
  • http://{BLOCKED}k.com/img/icons/twitter.png
  • http://{BLOCKED}yuj.cn/gbot/r.php
  • http://{BLOCKED}yuj.cn/gbot/sc.cgi
  • http://{BLOCKED}yuj.cn/gbot/t.php
  • http://{BLOCKED}ftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif
  • http://{BLOCKED}ckonline.com
  • http://{BLOCKED}aclubonline.com
  • http://{BLOCKED}mywebconnection.com/images/im13{number}.jpg
  • http://{BLOCKED}tekrck.com
  • http://{BLOCKED}temilkandtee.com
  • http://{BLOCKED}areconnection.com/im/s.cgi
  • http://{BLOCKED}areconnection.com/images/ubar_0.jpg
  • http://{BLOCKED}areconnectaion.com/images/ubar_1.jpg
  • http://{BLOCKED}piderwomen.com/images/im133.jpg
  • http://{BLOCKED}grammingshool.com
  • http://{BLOCKED}driversonline.com/images/im133.jpg
  • http://{BLOCKED}driversonline.com/images/im13{number}.jpg
  • http://{BLOCKED}wos.cn/g/p.php
  • http://{BLOCKED}wos.cn/g/t.php
  • http://{BLOCKED}wos.cn/gbot/ss.cgi
  • http://{BLOCKED}laucoma.org/images/lhous3.gif
  • http://{BLOCKED}laucoma.org/images/lhous4.gif
  • http://{BLOCKED}ookdatabseonline.com
  • http://www.{BLOCKED}etsecure.com/images/ismerch.gif
  • http://{BLOCKED}t.com.my/thelab/images/wiley.jpg
  • http://{BLOCKED}n.cn/2010/10/10/20101010095345843723.jpg
  • http://{BLOCKED}n.cn/2010/10/10/20101010095345843724.jpg
  • http://{BLOCKED}ts.com/images/logo.png
  • http://{BLOCKED}5.cn/jianfei/dier.jpg
  • http://{BLOCKED}5.cn/jianfei/dier2.jpg
  • http://{BLOCKED}k.com/images/im13{number}.jpg
  • http://{BLOCKED}g.com/images/im133.jpg
  • http://{BLOCKED}j.com/images/im133.jpg
  • http://{BLOCKED}m.com/images/im13{number}.jpg
  • {BLOCKED}youstudios.com
  • {BLOCKED}pdahelpforyou.com
  • {BLOCKED}reddomas.com
  • {BLOCKED}meroster.com
  • {BLOCKED}orefor.com
  • {BLOCKED}ersakkonline.com
  • {BLOCKED}iahosts.com
  • {BLOCKED}ts.com
  • {BLOCKED}azone.com