Blazebot

by Alexander Saprykin on July 2nd, 2013 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 260691 bytes
Packer: unknown
Unpacked size: 368 Kb
Language: C++
MD5: 8118f3a4ff2d8d79a72b08f44a5f4310
SHA1: 3c4aa92c7bbda1c27b2600af9158aa8dbac1a4bf
Aliases: Trojan.Win32.Generic!BT, Worm:Win32/Neeris.gen!C, IRCbot

Summary

Blazebot is a backdoor Trojan designed to steal users' confidential data. It also spreads via removable drives, MSN Messenger and the MS08-067 vulnerability, and can act as a downloader, SOCKS4 proxy and SYN-flood agent on the attacker's command.

The Trojan's name is taken from a string found in a memory dump of the Trojan's process.

Technical Details

Installation

Once activated, the Trojan copies itself to the Windows folder under the name "csrss.exe":

%WinDir%\csrss.exe

The hidden and read-only attributes are assigned to the file. The name imitates the legitimate Client/Server Runtime Subsystem, but the genuine csrss.exe resides in %WinDir%\System32; a csrss.exe directly in %WinDir% is an indicator of infection on its own.

In order to launch automatically when Windows starts, the Trojan adds an entry for its executable file to the system registry autorun key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"

Payload

To ensure that only one instance of its process runs in the system, the Trojan creates a named synchronization object (mutex) with the following name:

AAqtaarrv

The Trojan collects the following information from the compromised system:

- External IP address. To obtain it, the Trojan queries the following services:

http://www.whatismyip.com
http://checkip.dyndns.org

- Presence of windows with the following class names, which indicates which instant-messaging clients are installed (used for the spreading routines described below):

TskMultiChatForm.UnicodeClass – mIRC
__oxFrame.class__ – Triton (AIM)
MSNHiddenWindowClass – MSN Messenger
YahooBuddyMain – Yahoo Messenger
_Oscar_StatusNotify – AIM

- Operating system version and its locale.

- Computer name.

The collected information is sent when the Trojan connects to the following C&C server:

jayne.p0rn-lover.us

At the time of writing, the server was located in France.

The Trojan waits for C&C server commands to perform the following actions:

  • Remove itself using a batch file saved beforehand in the current user's Windows temporary folder under the following name:

%Temp%\removeMe <rnd>.bat

where <rnd> is a random number sequence.

  • Infect removable drives.
  • End system processes indicated by an attacker.
  • Launch a SOCKS4 proxy server on a designated TCP port.
  • Spread itself via MSN Messenger.
  • Collect bot performance statistics.
  • Steal saved Mozilla Firefox passwords from the following files (the legacy password stores used by Firefox versions before 3.5; later versions keep them in signons.sqlite, which the Trojan does not read):

signons1.txt
signons2.txt
signons3.txt

  • Download other malicious programs to the compromised computer. The Trojan can download files using the following URL:

http://www.dropbox.com/s/5293ex38q3pdnrg/nrg.exe?dl=1

The file is 270040 bytes in size, MD5: 594b51dd4f083bc6952ab1b522a4fe9d, and is detected as Worm.Win32.Dorkbot by Ad-Aware (see the separate description of that malware family).

The downloaded file is saved to the Windows folder under the name "system.exe":

%WinDir%\system.exe

Once successfully saved, the file is launched for execution.

  • Send a SYN flood to a target system specified by the attacker. This is a denial-of-service technique in which a stream of TCP SYN segments is sent to the target in an attempt to exhaust its connection resources and make it unresponsive to legitimate traffic.
  • Enable Remote Desktop by running the following commands (the first switches on the AllowTSConnections setting through WMI, the second starts the Terminal Services service):

wmic PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1
net start "Terminal Services"

  • Download "rundat.exe" from the following FTP server:

jayne.p0rn-lover.us:8989

using the login "upload" and the password "upload".

When the description was created, a file 338944 bytes in size, MD5 7d6a4a7924bccc6537fc643e2f956c36, detected as Trojan.Win32.Ircbrute by Ad-Aware, was hosted on that server.

The downloaded file is saved to the current user's Windows temporary folder under the following name:

%Temp%\<rnd1>tempfile<rnd2>.exe

where <rnd1> is a random sequence of Latin alphabet characters, <rnd2> is a random number sequence.

Once successfully saved, the file is launched for execution.

  • Spread itself by exploiting the MS08-067 vulnerability.

Propagation

The Trojan copies itself to removable drives connected to the compromised computer. It creates a "RECYCLER" folder with a sub-folder named like a security identifier and writes its body there under the name "csrss.exe" (note that the SID is malformed: genuine machine SIDs start with S-1-5-21, not S-1-6-21):

<drive_letter>:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\csrss.exe

An "autorun.inf" file is also written to the root directory of the infected drive. It causes the Trojan's copy to be launched each time the user opens the drive in Windows Explorer, provided AutoRun is still enabled for removable drives on that system (Microsoft disabled it by default in 2011 with update KB971029):

<drive_letter>:\autorun.inf

The "Desktop.ini" is also created:

<drive_letter>:\Desktop.ini

With the following content:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

This CLSID is the Recycle Bin's, so Explorer presents the folder containing this Desktop.ini as a Recycle Bin and hides its real contents from a casual user.

The hidden attribute is assigned to those files.

On the attacker's command, the Trojan spreads via MSN Messenger by sending the following message, containing a link to its executable file, to every contact in the user's contact list:

Hey got new sex Pics from me <link to the trojan executable file>. realy Sexy

In addition, the Trojan scans a range of IP addresses specified by the attacker for hosts vulnerable to MS08-067, a flaw in the Server service's handling of RPC requests (netapi32.dll), and exploits it to copy itself to those hosts.

When the description was created, the Trojan received the following command from the C&C server:

Removal Recommendations

  1. Delete the following parameter from the registry key ("How to Work with System Registry"):

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Remote Registry Service" = "csrss.exe"

  2. Reboot the PC.
  3. Delete the following files (X: stands for the letter of each infected removable drive):

    %WinDir%\csrss.exe
    X:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\csrss.exe
    X:\autorun.inf
    X:\Desktop.ini
    %WinDir%\system.exe

  4. Delete the original malware file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  5. Clean the Temporary Internet Files folder, which contains infected files ("How to clean Temporary Internet Files folder").
  6. Run a full scan of your computer using an antivirus program with an updated definition database ("Download Ad-Aware Free").
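The script below gathers the indicators from the Installation, Propagation and Removal sections into one host triage check. It is an added example, not part of the original description or of any Ad-Aware tooling; it assumes an elevated PowerShell prompt (5.1 or later), and the -Remove switch is a name chosen here for illustration. By default it only reports; with -Remove it performs the cleanup steps listed above (terminates the dropped copy, deletes the Run value and the dropped files), after which a reboot and a full scan are still recommended.

```powershell
# Added triage script for the Blazebot indicators described above; not part of the original
# description. Run from an elevated PowerShell prompt (5.1 or later). The indicator values are
# taken from the description; the -Remove switch is a name chosen here for illustration.
[CmdletBinding()]
param(
    [switch]$Remove   # detection only by default; -Remove also performs the cleanup
)

$findings = @()

# Indicators from the description.
$runKey          = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName         = 'Remote Registry Service'
$droppedFiles    = @("$env:WinDir\csrss.exe", "$env:WinDir\system.exe")  # the real csrss.exe is in System32
$mutexNames      = @('AAqtaarrv', 'Global\AAqtaarrv')
$recycleBinClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'
$removableSid    = 'S-1-6-21-2434476501-1644491937-600003330-1213'

# 1. Single-instance mutex: present while the bot is running.
foreach ($m in $mutexNames) {
    try {
        $h = [System.Threading.Mutex]::OpenExisting($m)
        $h.Dispose()
        $findings += "mutex '$m' exists"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $findings += "mutex '$m' exists (access denied, owned by another session)"
    }
}

# 2. Running copy. Match on the image path, never on the name alone: the legitimate
#    csrss.exe runs from %WinDir%\System32 and is a critical process.
foreach ($p in (Get-CimInstance Win32_Process)) {
    if ($p.ExecutablePath -and ($droppedFiles -contains $p.ExecutablePath)) {
        $findings += "process $($p.ProcessId) running from $($p.ExecutablePath)"
        if ($Remove) { Stop-Process -Id $p.ProcessId -Force }
    }
}

# 3. Persistence: Run value "Remote Registry Service" = "csrss.exe".
$runValue = (Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue).$runName
if ($runValue) {
    $findings += "Run value '$runName' = '$runValue'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# 4. Dropped files in %WinDir%. They carry hidden/read-only attributes, so clear those first.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $md5 = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        $findings += "file $f present (MD5 $md5)"
        if ($Remove) {
            (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $f -Force
        }
    }
}

# 5. Removable drives (DriveType 2): RECYCLER\<SID>\csrss.exe, autorun.inf and a root
#    Desktop.ini that carries the Recycle Bin CLSID. An ordinary Desktop.ini is ignored.
foreach ($disk in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
    $root = "$($disk.DeviceID)\"
    $candidates = @(
        (Join-Path $root "RECYCLER\$removableSid\csrss.exe"),
        (Join-Path $root 'autorun.inf'),
        (Join-Path $root 'Desktop.ini')
    )
    foreach ($c in $candidates) {
        if (-not (Test-Path -LiteralPath $c)) { continue }
        if ($c -like '*Desktop.ini') {
            $ini = Get-Content -LiteralPath $c -Force -Raw
            if ($ini -notmatch [regex]::Escape($recycleBinClsid)) { continue }
        }
        $findings += "removable-drive artifact $c"
        if ($Remove) {
            (Get-Item -LiteralPath $c -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $c -Force
        }
    }
}

# 6. Remote Desktop: the bot can switch it on with SetAllowTSConnections.
#    fDenyTSConnections = 0 means connections are allowed; compare with your own baseline.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
}

if ($findings.Count -eq 0) {
    'No Blazebot indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    if ($Remove) { 'Cleanup performed; reboot the PC and run a full antivirus scan.' }
}
```

Usage: save as Find-Blazebot.ps1 and run it first without arguments to list findings, then with -Remove to clean up. The process check deliberately matches on the full image path rather than the name, because the genuine csrss.exe cannot and must not be terminated; the Desktop.ini check only fires when the file carries the Recycle Bin CLSID, since many legitimate drives carry a Desktop.ini of their own.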