BKDR_CYCBOT.CS

This backdoor acts as a proxy server that intercepts requests from certain Internet browsers and points them to the proxy server on port 63414.

It monitors certain strings in the address bar of the browser to hijack the user's browsing activity.

Once any of these strings matches, this malware may then redirect the user to a different site (ads sites, malicious sites, etc.) issued by the remote malicious user.

It connects to certain sites to send and receive information(such as user's browsing details), to receive commands, and to download updated copies of itself.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware/spyware from remote sites.

It does not have any propagation routine.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded by other malware/grayware/spyware from remote sites.

Installation

This backdoor drops and executes the following files:

• %Program Files%\LP\{random}\{number}.exe - detected as TSPY_FTPSTEAL.CS

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops the following copies of itself into the affected system:

• %User Profile%\Application Data\{random}\{random}.exe
• %Program Files%\{random}\lvvm.exe
• %Program Files%\LP\{random}\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops the following non-malicious file:

• %User Profile%\Application Data\{random}\{random}.{random} - log file

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %User Profile%\Application Data\{random}
• %Program Files%\{random}
• %Program Files%\LP
• %Program Files%\LP\{random}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {A1D429DE-B782-4253-84AD-6E09A8438AD5}
• {35BCA615-C82A-4152-8857-BCC626AE4C8D}
• {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
• {C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
• {43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
• {6B985724-623F-492e-B0D6-C9715ADE853B}
• {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
• {95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe,%User Profile%\Application Data\{random}\{random}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random}.exe = "%Program Files%\LP\{random}\{random}.exe"

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyServer = "http=127.0.0.1:63414"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyEnable = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_CONFIG\Software\Microsoft\
windows\CurrentVersion\Internet Settings
ProxyEnable = "1"

(Note: The default value data of the said registry entry is 0.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc

Propagation

This backdoor does not have any propagation routine.

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• http://www.google.com/
• http://www.yahoo.com/

NOTES:

This backdoor acts as a proxy server that intercepts requests from the following Internet browsers and points them to the proxy server on port 63414:`

• Chrome
• Internet Explorer
• Mozilla Firefox
• Opera
• Safari

It also modifies the following preference files to point the related browsers to the proxy server on port 63414:

• %User Profile%\Application Data\Opera\Opera\operaprefs.ini
• %User Profile%\Mozilla\Firefox\Profiles\(profile folder)\prefs.js

It monitors the following strings in the address bar of the browser in order to hijack the user's browsing activity:

• &query=
• .2mdn.
• .abmr.
• .adtechus.
• .aol.
• .atdmt.
• .atwola.
• .autodatadirect.
• .bing.net
• .dartsearch.
• .doubleclick.
• .ggpht.
• .google
• .ivwbox.
• .mapquestapi.
• .microsoft.
• .opera.
• .tacoda.
• .thawte.
• .tlowdb.
• .truveo.
• .virtualearth.
• .wsod.
• .yimg.com
• .ypcdn.
• /complete/search
• /gen_204
• /images
• /imglanding
• ?query=
• amazon.
• aol/search
• aolcdn.
• aolsvc.
• bing.com
• bing.com/search
• bing.com:80/search
• blogger
• brightcove.com
• doubleclick.
• ebay.
• err069
• facebook.
• flickr
• google-analytics.
• google.
• googlesyndication.
• googleusercontent.
• gstatic.
• http%3A%2F%2F
• imdb.
• mapq.st
• scorecardresearch.com
• search.aol.
• search.yahoo.com/search
• searcht2.aol.
• start=
• start=0
• suche.aol.
• twitter.
• wikimedia.
• wikipedia.
• yahoo.
• yahoo.com
• youtube.
• ytimg.

Once any of these strings matches, this malware may then redirect the user to a different site (ads sites, malicious sites, etc.) issued by the remote malicious user.

It connects to the following sites to send and receive information (such as user's browsing details), to receive commands, and to download updated copies of itself:

• {BLOCKED}yourimage.com
• {BLOCKED}domaintolevel.com
• {BLOCKED}-sys.com
• {BLOCKED}iser.com
• {BLOCKED}astore.com
• {BLOCKED}orageforyou.com
• {BLOCKED}pdahelpforyou.com
• {BLOCKED}reddomas.com
• {BLOCKED}ersakkonline.com
• {BLOCKED}iahosts.com

It also sends HTTP requests to the following compromised sites to pollute network traffic:

• http://alleducationalsoftware.com/creditcard.png
• http://alleducationalsoftware.com/creditcard2.png
• http://alleducationalsoftware.com/creditcardlogos.gif
• http://binghamtonschools.org/images/297893.jpg
• http://binghamtonschools.org/images/297894.jpg
• http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
• http://cdn.adventofdeception.com/logo.png
• http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
• http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
• http://complaintsboard.com/complaints/logo.png
• http://complaintsboard.com/complaints/rar.png
• http://complaintsboard.com/complaints/zip.png
• http://freedownload3.com/screenshot/4/s/89_3276.gif
• http://freedownload3.com/screenshot/4/s/89_3277.gif
• http://freedownload3.com/screenshot/4/s/89_3278.gif
• http://highspeedinternetlosangeles.webnode.com/news/1.cgi
• http://highspeedinternetlosangeles.webnode.com/news/1.php
• http://highspeedinternetlosangeles.webnode.com/news/2.php
• http://istockanalyst.com/12.jpg
• http://istockanalyst.com/png/intel.gif
• http://istockanalyst.com/png/intel.jpg
• http://jointhenewworldorder.com/images/pages.jpg
• http://jointhenewworldorder.com/images/pages.png
• http://newworldorderreport.com/favicon.ico
• http://newworldorderreport.com/img/3421.png
• http://newworldorderreport.com/img/3422.png
• http://patentgenius.com/132.gif
• http://patentgenius.com/133.gif
• http://patentgenius.com/temp/head.png

It may download a FAKEAV variant called Cloud AV 2012 from the following sites upon receiving remote commands:

• {BLOCKED}youstudios.com
• {BLOCKED}khypnocrys.com

This backdoor checks for installed antivirus software by checking the following strings in memory:

• Avast
• AvastUI.exe
• AVG Security Toolbar Service
• AVG Software Installer
• avgchsvx.exe
• avgemcx.exe
• Avgfwfd
• avgfws
• AVGIDSAgent
• AVGIDSAgent.exe
• AVGIDSDriver
• AVGIDSEH
• AVGIDSFilter
• AVGIDSMonitor.exe
• Avgldx64
• Avgmfx64
• avgnsx.exe
• avgnt.exe
• Avgrkx64
• avgrsx.exe
• Avgtdia
• Avgtdix
• avgtray.exe
• avgwd
• avgwdsvc.exe
• Avira
• BitDefender
• ccsvchst.exe
• Dr.Web
• ESET NOD32
• Kaspersky
• McAfee
• mcagent.exe
• Norton

It may also redirect the user when the address bar contains any of the above-mentioned strings. It does this by redirecting the user's search result to random URL sites. This also prevents the user from accessing sites that belongs to these Antivirus Software.

It checks %Program Files% directory with the following strings:

• Alwil Software*
• Avast*
• Avira*
• McAfee*
• Norton*
• Symantec*

It may then report installed antivirus software to the following site:

• http://{BLOCKED}ts.com/images/logo.png

This backdoor does not have rootkit capabilities.

This backdoor does not exploit any vulnerability.