Awesome backdoor is awesome! A comprehensive study.

One of the most awesome facts about Kleissner & Associates is that we are completely independent and at the same time have very good IT security intelligence capabilities. We are a family company, not backed by any VCs, do not have to report to anyone and can happily criticize anyone we want. It also opens up the opportunity for research & development like this:

In this blog entry we are going to take a look at a backdoor from 2012 which was spread via email spam posing as a receipt. Others have already analyzed this particular backdoor with more or less detailed and accurate reports: [1] [2] [3] [4] [5]

This backdoor does nothing but listen on TCP port 8000 and map each incoming connection directly to the command line, so that whoever connects gets a remote command prompt. It is the most awesome backdoor and virus we have analyzed so far, because it is so small and yet so powerful, while at the same time we as the researchers cannot figure out any background information: there is no command & control server and nothing that gives a clue about the actual intention and end result of this backdoor.

This backdoor could have been spread by someone who is simply bored or by an intelligence service; there is no way to distinguish. As the backdoor only listens passively, one needs to know the IP address of an infected machine in order to control it. The alternative is mass port scanning.

We found two major programming flaws in this backdoor, both of which affect its actual operational usability:

  • It does not support UPnP, so a NAT router or firewall in front of the infected machine breaks it (no inbound connection ever reaches port 8000)
  • It does not add itself as an exception to the Windows Firewall, so a firewall prompt pops up on first start

As you can read below, we developed a backdoor scanner, scanned 15% of the internet and got some very interesting results! Among them was 1 real open backdoor and a PowerGrid (according to its own name).

Technical Analysis

The analysis starts with the extracted (unpacked) file, MD5 CF33F44D150EE590ED9DF3962A8D31D8, size 16.9 KB. Its compilation date (according to the PE header time stamp) is 5/22/2012 12:55 UTC.

In its start routine it reads the registry key “system\currentcontrolset\services\disk\enum” and later checks the disk entries for “qemu”, “vbox” and “vmwa” (the beginning of “VMware”). That is how it detects VMs and sandboxes. It also uses the time stamp counter (rdtsc), again to detect sandboxes and VMs: a classic timing check, since the interval between two reads is far larger under emulation or instrumentation than on bare metal. Very easy but powerful code:

[Screenshot 1]

The rest of the code is only used for resolving imports, applying relocations and decrypting the real code. Only the first part of the file contains plain code; the rest is the encrypted payload.

Upon running it, the Windows Firewall asks for permission (badly programmed; as already pointed out, they could have added the firewall exception themselves):

[Screenshot 2]

It then just listens for incoming connections on TCP port 8000:

[Screenshot 3]

It adds itself to the Run key under the very obvious value name “SunJavaUpdateSched” and copies itself to C:\ProgramData\:

[Screenshot 4]
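The two host-side artifacts described above, the Disk\Enum VM check and the “SunJavaUpdateSched” Run-key entry, can both be verified with a few registry reads. The following Python script is an added example written for this post, not code from the original analysis and not code from the malware: it replays the VM test against a sandbox (to tell whether the sandbox would be spotted) and sweeps the Run keys for the persistence entry. The registry paths, the value name and the C:\ProgramData location come from the analysis above; treating “vmwa” as the prefix of “VMware”, and flagging any autostart binary that sits directly in the ProgramData root, are assumptions of this example that go beyond what the post states. The registry values in the comments are constructed samples.

```python
"""Host-side checks for the port-8000 backdoor (added example, not the original code).

1. Replays the VM/sandbox test the loader performs on
   HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum.
2. Sweeps the Run keys for the "SunJavaUpdateSched" persistence entry.

The decision logic is in pure functions so it can be exercised with
constructed data on any OS; only main() touches the Windows registry.
"""
import ntpath
import os
import sys

# Substrings the loader searches for (case-insensitive) in the Disk\Enum entries.
# Entries are device-instance paths, e.g. "IDE\DiskVBOX_HARDDISK___...".
# Assumption: "vmwa" is meant to hit "VMware" as in "SCSI\Disk&Ven_VMware&Prod_Virtual_disk".
VM_MARKERS = ("qemu", "vbox", "vmwa")
RUN_VALUE_NAME = "sunjavaupdatesched"          # value name used by the backdoor
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
DISK_ENUM_KEY = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"
PROGRAMDATA = os.environ.get("ProgramData", r"C:\ProgramData")


def vm_markers_in(disk_enum_values):
    """Return (marker, entry) for every Disk\\Enum entry containing a VM marker."""
    hits = []
    for entry in disk_enum_values:
        lowered = entry.lower()
        hits.extend((m, entry) for m in VM_MARKERS if m in lowered)
    return hits


def exe_path(command):
    """Executable part of a Run-key command line: the quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_run_entries(entries, programdata=PROGRAMDATA):
    """entries: {value_name: command}. Returns a list of (value_name, reason)."""
    findings = []
    pd = programdata.rstrip("\\").lower()
    for name, command in entries.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append((name, "value name used by the backdoor"))
        # Heuristic (assumption, broader than the post): an autostart binary
        # living directly in the ProgramData root deserves a look regardless of name.
        if ntpath.dirname(exe_path(command)).rstrip("\\").lower() == pd:
            findings.append((name, "autostart binary located directly in " + programdata))
    return findings


def enum_values(hive, path):
    """Windows only: all (name, data) pairs below a registry key, [] if it is absent."""
    import winreg
    out = []
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:
        return out
    with key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            out.append((name, data))
            i += 1
    return out


def main():
    import winreg
    # Disk\Enum stores the device paths in values named "0", "1", ... (plus Count/NextInstance).
    disks = [d for n, d in enum_values(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY)
             if n.isdigit() and isinstance(d, str)]
    for marker, entry in vm_markers_in(disks):
        print(f"this sandbox would be detected: '{marker}' in {entry}")
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        entries = {n: d for n, d in enum_values(hive, RUN_KEY) if isinstance(d, str)}
        for name, reason in flag_run_entries(entries):
            print(f"{label}\\{RUN_KEY}\\{name}: {reason}")


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host (or sandbox) under investigation")
    main()
```

Run it inside the analysis VM before detonating samples: if it reports a marker, the sample will see the same string and behave accordingly. The rdtsc timing part of the loader's check is not reproduced here, since it cannot be replicated meaningfully from Python.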

Once it is running, you can simply telnet to the infected machine's IP address on port 8000:

[Screenshot 5]

This is the actual (and very simple) code which spawns the backdoor shell:

[Screenshot 6]

The new command line runs as a sub-process of the backdoor process:

[Screenshot 7]

The TCP traffic carries nothing but the plain command line text:

[Screenshot 8]

The Backdoor Scanner

With the information above it is a piece of cake for us to scan the entire internet for machines with this backdoor open and, in theory, to take control over them. The first step is port scanning the internet (at least the IPv4 address space) for any IP with TCP port 8000 open.

We used masscan and stopped after 15% of the internet had been scanned. We found a total of 476,066 IPs with port 8000 open.

[Screenshot 9]

The second step is to develop your own backdoor scanner; in the screenshot below you can see some lines of the code. The scanner is very simple: it opens a TCP connection to the remote peer, reads everything it receives into a buffer with a preset timeout, and then analyzes that buffer to verify whether the analyzed backdoor is behind it or not (in the function VerifyCommandLine). If it is, the buffer holds the text of the command line, which usually contains the Windows version and a prompt like “C:\”. We not only check for the above backdoor but also log anything that returns “telnet” within the buffer, which could also indicate a remote (even if legitimate) telnet shell.

[Screenshot 11]

At one point during the research we also simply printed the buffers to the console so that we could see what services hide on the internet behind port 8000. We found plenty of HTTP servers, FTP, IRC, other messengers, SSH and apparently also IP cameras:

[Screenshot 10]

Our custom scanner is fed with the result list from masscan. Of those 476,066 IPs with port 8000 open we found 1 real infection with the described backdoor and some others which spawn password-protected telnet shells, like this power grid (at least according to its name) at 216.226.136.9:8000:

[Screenshot 12]
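The scanner described above (connect, read with a timeout, classify the buffer, flag anything that looks like telnet) and the masscan feed it consumes can be reproduced in a few dozen lines. The following Python script is an added example, not the original scanner whose screenshot is shown above: it parses masscan's `-oL` list output, banner-grabs every host on port 8000 with a thread pool, and reports cmd.exe shells and telnet-like services. The cmd.exe banner pattern (a “Microsoft Windows [Version …]” line followed by a “C:\…>” prompt) follows the description above; recognizing telnet by its IAC (0xFF) negotiation bytes or a “login:” prompt, in addition to the literal word “telnet”, is an extension of this example. The banner bytes and masscan lines used in the test are constructed.

```python
"""Port-8000 backdoor scanner (added example, not the original scanner).

Usage: masscan -p8000 -oL hits.txt <ranges>; then: python scan8000.py hits.txt
Network I/O is confined to probe(); classification is pure and testable.
"""
import re
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# A cmd.exe bound to the socket greets the connection with its version banner
# and a prompt. The version string varies, the shape does not.
_CMD_BANNER = re.compile(rb"Microsoft Windows \[Version [\d.]+\].*?[A-Za-z]:\\[^\r\n]*>\s*$", re.S)


def verify_command_line(buf: bytes) -> bool:
    """True if the unsolicited output looks like a raw Windows command prompt."""
    return _CMD_BANNER.search(buf) is not None


def classify(buf: bytes) -> str:
    """Classify what a service sent before we typed anything."""
    if not buf:
        return "silent"            # HTTP and friends say nothing until asked
    if verify_command_line(buf):
        return "backdoor"
    lowered = buf.lower()
    # Assumption beyond the post: telnet servers usually open with IAC (0xFF)
    # option negotiation or a login prompt, not only the word "telnet".
    if b"telnet" in lowered or b"login:" in lowered or buf.startswith(b"\xff"):
        return "telnet-like"
    return "other"


def parse_masscan_list(text: str, port: int = 8000):
    """IPs from masscan -oL output, lines like 'open tcp 8000 192.0.2.10 1398700000'."""
    ips = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "open" and parts[1] == "tcp" and parts[2] == str(port):
            ips.append(parts[3])
    return ips


def probe(ip: str, port: int = 8000, timeout: float = 3.0, limit: int = 4096) -> bytes:
    """Connect and collect whatever arrives until the peer stops or the timeout hits."""
    buf = b""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while len(buf) < limit:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except OSError:                # refused, reset, or the read timeout after the banner
        pass
    return buf


def scan(ips, port: int = 8000, workers: int = 200):
    """Probe all hosts concurrently; return {ip: verdict} for the interesting ones."""
    ips = list(ips)
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for ip, buf in zip(ips, pool.map(lambda h: probe(h, port), ips)):
            verdict = classify(buf)
            if verdict in ("backdoor", "telnet-like"):
                results[ip] = verdict
                print(ip, verdict, buf[:120])
    return results


if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        scan(parse_masscan_list(f.read()))
```

Because cmd.exe sends its banner and then waits for input, `probe` returns the banner once the read timeout fires; keep the timeout short, since at half a million hosts every second of waiting costs hours. Scanning hosts you do not own is subject to local law; the original work used masscan with an exclude list, and so should you.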

You really shouldn’t use insecure protocols such as telnet anywhere, as its communication is unencrypted and can easily be intercepted by NSA & friends, your ISP, any relay point on the internet that your traffic crosses, and anyone listening on your local network. Going a step further and writing a password bruteforce program for this particular remote management interface would also be a piece of cake.

This is the actual scan result of the backdoor scanner:

[Screenshot 13]

Update 4/28/2014: As some researchers pointed out, the backdoor analyzed above is only used when a virtual machine is detected, and it is apparently part of the Andromeda bot (it could be there just to fool researchers). There are two reports [6] [7] that dig into that. Thanks to Charlie Hurel and Raashid Bhat for pointing that out. Everything said here remains valid.