    Virus Alert:: Backdoor:MSIL/Bladabindi

    Virus type: Backdoor

    It has been reported that variants of malware called Bladabindi are spreading.
    This malware steals sensitive user information from the infected computer system.
    Bladabindi can also be used as a malware downloader to propagate further malware and to provide backdoor access to a remote attacker.
    Some Bladabindi variants can capture keystrokes, control the computer's camera and later send the collected sensitive information to a remote attacker.

    Bladabindi infects Microsoft Windows operating systems and spreads by infecting removable USB flash drives and via other malware.
    Aliases: Trojan.MSIL.Disfa.bsto (Kaspersky), winpe/Troj_Generic.OEKLP (Norman), Generic34.AXLL (AVG), TR/MSILKrypt.6.258 (Avira), Gen:Variant.MSILKrypt.6 (BitDefender), Win32.HLLW.Autoruner.25074 (Dr.Web), MSIL/Injector.BOX trojan (ESET), MSIL/Injector.PEW!tr (Fortinet), TR/Bladabindi.J.1 (Avira), Trojan.Bladabindi!4BAD (Rising AV), Troj/Bbindi-A (Sophos), Trojan/Win32.Jorik (AhnLab), W32/Bladabindi.D (Norman), Trojan.Bladabindi!4D1D (Rising AV)

    Bladabindi variants can be created using a publicly available malicious hacker tool.
    The attacker can build the malicious file with any icon of their choice to mislead or entice a naive user into running it.
    Some of the sample file icons used by Bladabindi are shown below:

    Installation:
    Backdoor:Bladabindi variants copy themselves to the following locations:
    • The startup folder, to make sure it runs each time the system boots up:
    <startup folder>\<32 random alpha-numeric characters>.exe
    for example <startup folder>\5cd8f17f4086744065eb0992a09e05a2.exe
    • %TEMP%\<variable name>.exe
    for example %TEMP%\svhost.exe
    • %APPDATA%
    • %USERPROFILE%
    • %ALLUSERSPROFILE%
    • %windir%

    It also changes the following registry entries to make sure it runs each time the system boots up:
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    Sets value: "<32 random alpha-numeric characters>", for example "5cd8f17f4086744065eb0992a09e05a2"
    With data: "%TEMP%\<variable name>.exe"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    Sets value: "<32 random alpha-numeric characters>", for example "5cd8f17f4086744065eb0992a09e05a2"
    With data: "%TEMP%\<variable name>.exe"

    It also runs net.exe to add itself to the firewall exclusion list and bypass your firewall.

    Propagation method:

    Removable drives
    Some Bladabindi variants copy themselves into the root folder of a removable drive and create a shortcut file with the name and folder icon of the drive.
    When the user clicks the shortcut, the malware is executed and Windows Explorer is opened.
    This makes it seem as if nothing malicious happened.
    The malicious file can also be downloaded by other malware, or spread through malicious links and hacked websites.
    Backdoor:MSIL/Bladabindi can also be downloaded by recent variants of the Worm:VBS/Jenxcus family and by a dedicated downloader, TrojanDownloader:MSIL/Bladabindi.A.

    Payload:
    Steals sensitive information
    Bladabindi gives the remote attacker backdoor access to the infected computer system and steals sensitive information such as:
    • Computer name, country and serial number
    • Windows user name
    • Computer's operating system version
    Bladabindi variants can also steal information such as:
    • Chrome stored passwords
    • DynDNS information
    • Firefox stored passwords
    • IE 7 stored passwords
    • No-IP/DUC information
    • Opera stored passwords
    • Paltalk credentials
    The malware can also use the infected computer's camera to record and steal personal information.
    It checks for camera drivers and installs a DLL plugin so it can record video and upload it to the remote attacker.
    The malware can also log keystrokes to steal credentials such as user names and passwords.
    The collected data is saved in %TEMP%\<variable name>.exe.tmp and can later be uploaded to the remote attacker.
    Accepts backdoor commands
    Backdoor:MSIL/Bladabindi can also receive the following backdoor commands:
    • Capture screenshots
    • Compress data to be uploaded
    • Connect to remote servers
    • Download and run files
    • Exit
    • Load plugins dynamically
    • Manipulate the registry
    • Open a remote shell
    • Ping a remote server
    • Restart your PC
    • Uninstall itself
    • Update itself
    The trojan can connect to the following remote servers to download and install updates or other malware [replace [d0t] with "." for the actual domain]:
    • fox2012.no-ip[d0t]org
    • jn.redirectme[d0t]net
    • moudidz.no-ip[d0t]org
    • reemo.no-ip[d0t]biz

    Avoids detection
    Bladabindi uses various .NET obfuscators to hide its code. It also marks itself as a critical process to prevent it from being stopped.
    An infected system may crash with stop code 0x000000F4 if the malware process is interrupted.
    This makes it hard to clean an infected system while the malware is running.

    Symptoms:
    The following could indicate the presence of the threat on a computer system:
    • These entries or keys in registry:
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    Sets value: "<32 random alpha-numeric characters>" for example,
    "5cd8f17f4086744065eb0992a09e05a2"
    With data: "%TEMP%\<variable name>.exe"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    Sets value: "<32 random alpha-numeric characters>" for example
    "5cd8f17f4086744065eb0992a09e05a2"
    With data: "%TEMP%\<variable name>.exe"

    • The system may crash with stop code 0x000000F4 when the user tries to remove the malware from the infected system.
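    The Run-key pattern described in the Installation and Symptoms sections can be checked programmatically. The following Python script is an added example and is not part of the advisory; it assumes the 32-character alphanumeric value name and the "%TEMP%\<variable name>.exe" data exactly as described above, and inspects both the key path the advisory names and the standard Windows\CurrentVersion\Run key.

```python
import os
import re

# Keys to inspect: the path the advisory names plus the standard Windows Run key.
RUN_KEY_PATHS = (
    r"Software\Microsoft\Windows NT\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
)
# Value name: 32 alphanumeric characters (the advisory's example is a 32-char hex string).
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{32}$")
# Data: an .exe directly inside %TEMP% (or %TMP%) with the variable still unexpanded.
TEMP_EXE = re.compile(r"^%(TEMP|TMP)%\\[^\\]+\.exe$", re.IGNORECASE)


def is_bladabindi_like(name, data, temp_dir=None):
    """True when a Run value has a 32-char alphanumeric name and points at an .exe in %TEMP%."""
    if not RANDOM_NAME.match(name):
        return False
    path = data.strip().strip('"')
    if TEMP_EXE.match(path):
        return True
    # Also catch data stored with %TEMP% already expanded to a real directory.
    temp_dir = (temp_dir or os.environ.get("TEMP", "")).rstrip("\\").lower()
    return bool(temp_dir) and path.lower().startswith(temp_dir + "\\") and path.lower().endswith(".exe")


def find_suspicious(entries):
    """entries: iterable of (hive, value_name, data); returns the entries that match."""
    return [(h, n, d) for h, n, d in entries if is_bladabindi_like(n, d)]


def read_run_keys():
    """Enumerate HKLM and HKCU Run values with winreg (Windows only)."""
    import winreg
    found = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        for path in RUN_KEY_PATHS:
            try:
                with winreg.OpenKey(hive, path) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                        name, data, _ = winreg.EnumValue(key, i)
                        found.append((hive_name, name, str(data)))
            except OSError:
                continue  # key absent or not readable
    return found


# Constructed sample entries (not from a real host); the first mirrors the advisory's example.
SAMPLE_ENTRIES = [
    ("HKCU", "5cd8f17f4086744065eb0992a09e05a2", r"%TEMP%\svhost.exe"),
    ("HKLM", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]
```

    On a Windows host call `find_suspicious(read_run_keys())`; elsewhere `find_suspicious(SAMPLE_ENTRIES)` flags only the first constructed entry.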
    Countermeasures:
    • Scan the computer system with the free removal tools suggested below.
    • Disable the Autorun functionality in Windows: http://support.microsoft.com/kb/967715
    • Use USB clean/vaccination software.
    • Keep up-to-date patches and fixes on the operating system and application software.
    • Keep up-to-date antivirus and antispyware signatures at desktop and gateway level.
    • Do not follow unsolicited web links or open attachments in email messages.
    • Exercise caution while visiting links to web pages.
    • Do not visit untrusted websites.
    • Use strong passwords and also enable password policies.
    • Enable a firewall at desktop and gateway level.
    • Protect yourself against social engineering attacks.
    • Monitor systems making connections to the above-mentioned domains.
    • Limit user privileges.
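    For the countermeasure of monitoring connections to the domains listed in the Payload section, the following Python script is an added example (not from the advisory): it refangs the four [d0t]-defanged hostnames and matches DNS query log lines against them, including queries for labels beneath those hosts. The log line layout (timestamp, client IP, query name, query type) and the sample lines are constructed assumptions, not a real product format.

```python
import re

# Hostnames exactly as the advisory prints them, defanged with [d0t].
DEFANGED_C2 = [
    "fox2012.no-ip[d0t]org",
    "jn.redirectme[d0t]net",
    "moudidz.no-ip[d0t]org",
    "reemo.no-ip[d0t]biz",
]


def refang(host):
    """Turn the advisory's [d0t] (or [.]) notation back into a normalised hostname."""
    return host.replace("[d0t]", ".").replace("[.]", ".").strip().lower().rstrip(".")


C2_HOSTS = {refang(h) for h in DEFANGED_C2}


def is_c2_query(qname):
    """True if qname is one of the listed hosts or a label beneath one of them."""
    q = qname.strip().lower().rstrip(".")  # trailing dot and case are not significant in DNS
    return any(q == h or q.endswith("." + h) for h in C2_HOSTS)


# Assumed (constructed) log layout: <ISO timestamp> <client IP> <query name> <query type>
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname) for every line that queries a listed C2 host."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, client, qname, _qtype = m.groups()
        if is_c2_query(qname):
            hits.append((ts, client, qname.rstrip(".").lower()))
    return hits


# Constructed sample log; only three of these five queries hit a listed host.
SAMPLE_LOG = """\
2014-06-30T10:01:02Z 10.0.0.15 www.microsoft.com. A
2014-06-30T10:01:05Z 10.0.0.23 FOX2012.no-ip.org. A
2014-06-30T10:01:09Z 10.0.0.23 reemo.no-ip.biz A
2014-06-30T10:02:11Z 10.0.0.42 notreemo.no-ip.biz A
2014-06-30T10:02:30Z 10.0.0.42 jn.redirectme.net. AAAA
""".splitlines()

if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname}")
```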

    Removal tools:
    • Microsoft Security Essentials
    • Windows Defender
    • Microsoft Safety Scanner
    http://www.kaspersky.com/antivirus-removal-tool?form=1
    http://www.norman.com/home_and_small...malware_cleaner
    http://www.avg.com/in-en/homepage
    http://www.f-secure.com/en/web/labs_.../removal-tools
    http://www.sophos.com/en-us/products...oval-tool.aspx
    http://in.norton.com/support/DIY/
    http://www.avira.com/en/support-down...r-removal-tool
    http://www.eset.com/us/download/utilities/
    • How to prevent malware infection
