Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

BackDoor.Gootkit.112

Added to the Dr.Web virus database: 2014-03-30

Virus description added:

A multipurpose backdoor that can execute various commands coming from the remote server.

The module responsible for the backdoor's installation and its bootkit features was borrowed from the Trojan.Mayachok family of malicious programs. However, virus makers introduced a number of significant changes to the source code.

  • Original Trojan.Mayachok generated a unique VBR code which was used to create another build of the malware. In the case of BackDoor.Gootkit.112, all functions are compiled in the dropper that alters the Volume Boot Record (VBR) code during the infection process.
  • To compress the modules of Trojan.Mayachok, the aplib library was used. BackDoor.Gootkit.112 is decrypted and extracted using RtlDecompressBuffer (COMPRESSION_FORMAT_LZNT1).
  • The driver, to which VBR transfers control prior to system initialization, was also taken from the source code of Trojan.Mayachok, but the code was partially rewritten; so most of the pointers (various tables and a shellcode for injections) became position independent for unknown reasons. For example, the following routine to retrieve an address:
                                        get_shellcode2  proc near               
    ; CODE XREF: csrss_inject+67p
    .text:10006645 E8 00 00 00 00                       call    $+5
    .text:1000664A 58                                   pop     eax
    .text:1000664B 83 C0 05                             add     eax, 5
    .text:1000664E C3                                   retn
    .text:1000664E                      get_shellcode2  endp
    .text:1000664E
    .text:1000664F                      
    ; ========= S U B R O U T I N E ===========================
    .text:1000664F                      ; Attributes: noreturn bp-based frame
    .text:1000664F
    .text:1000664F                      shellcode2      proc near
    Another example is related to string generation. The routine looks as follows:
    .text:10003B0B                 push    ebp
    .text:10003B0C                 mov     ebp, esp
    .text:10003B0E                 sub     esp, 78h
    .text:10003B11                 call    get_api_table
    .text:10003B16                 mov     [ebp+pAPITable], eax
    .text:10003B19                 cmp     [ebp+pAPITable], 0
    .text:10003B1D                 jz      no_apitable
    .text:10003B23                 mov     dword ptr [ebp+szRegistryPath], 52005Ch 
    ; REGISTRY\MACHINE\CURRENTCONTROLSET\SERVICES\null
    .text:10003B2A                 mov     dword ptr [ebp+szRegistryPath+4], 470045h ; 
    .text:10003B31                 mov     dword ptr [ebp+szRegistryPath+8], 530049h ; 
    .text:10003B38                 mov     dword ptr [ebp+szRegistryPath+0Ch], 520054h ; 
    .text:10003B3F                 mov     dword ptr [ebp+szRegistryPath+10h], 5C0059h ; 
    .text:10003B46                 mov     dword ptr [ebp+szRegistryPath+14h], 41004Dh ; 
    
    However, some pointers remained intact. In particular, one of them refers to the following quotation by Homer Simpson: “Just pick a dead end and chill out till you die”, which is output in the debugger once initial initialization of the loader is complete.

The Gootkit name can be found in both the loader and the payload module code.

screen

In addition, all driver components responsible for its interaction with other modules operating in user mode were also removed—in particular, the driver that allowed those modules to use VFS. However, BackDoor.Gootkit.112 still has features responsible for VFS initialization and protection.

Unlike Trojan.Mayachok whose payload was incorporated into the loader, BackDoor.Gootkit.112 stores information on payload modules in the HKLM\SOFTWARE\CXSW registry branch as binaryImage32 or binaryImage64, depending on the OS platform (32-bit or 64-bit).

screen

To retrieve the payload, BackDoor.Gootkit.112 injects a special shellcode into SERVICES.EXE, EXPLORER.EXE, IEXPLORE.EXE, FIREFOX.EXE, OPERA.EXE, and CHROME.EXE. The main purpose of the injected shellcode is to download the payload module from the system registry or from a remote server on the Internet. Payload binary files are compressed and encrypted.

Bypassing UAC

To bypass UAC (User Accounts Control) and elevate its own privileges, BackDoor.Gootkit.112 uses a shim (Microsoft Windows Application Compatibility Infrastructure). The Trojan employs the SQL Server Client Network Utility (cliconfg.exe) whose manifest file has the AutoElevate attribute set to “true”; thus, Windows elevates privileges for such applications without involving UAC.

BackDoor.Gootkit.112 uses the apphelp.dll library (SdbCreateDatabase, SdbDeclareIndex, SdbWriteStringTag, and so on) to create a database. The Trojan generates the database name and the value of the Application parameter randomly.

...
      if(!SdbWriteStringTag(hDb, TAG_NAME, szAppName))
        break;
      if(!SdbWriteStringTag(hDb, TAG_APP_NAME, SHIM_APP_NAME))
        break;
      if(!SdbWriteStringTag(hDb, TAG_VENDOR, _T("Microsoft")))
        break;
...
      SdbWriteStringTag(hDb, TAG_COMPANY_NAME, _T("Microsoft Corporation"));
      SdbWriteStringTag(hDb, TAG_INTERNAL_NAME, szAppName);
      SdbEndWriteListTag(hDb, listMatch);
      TAGID listShim = SdbBeginWriteListTag(hDb, TAG_SHIM_REF);
      SdbWriteStringTag(hDb, TAG_NAME, _T("RedirectEXE"));
      SdbWriteStringTag(hDb, TAG_COMMAND_LINE, szTargetApp);
      SdbEndWriteListTag(hDb, listShim);
...

The RedirectEXE shim is used to load the Trojan. This shim allows to run a modified version of a specified application or the malicious program itself instead of the original executable file. BackDoor.Gootkit.112 employs RedirectEXE parameters to specify the path to its executable and a link to the created database.

screen

Once the database is created, it gets installed on the system by means of sdbinst.exe whose manifest file has also the AutoElevate parameter set to “true”; so this utility runs with special privileges. Overall, the UAC bypass scheme looks as follows:

  1. The Trojan creates and installs a new database (shim).
  2. Then it launches cliconfg.exe with elevated privileges.
  3. The shim unloads the original process and uses RedirectEXE to launch the Trojan.

Payload

The Trojan's payload is implemented as an executable file of about 5 MB written in C++. Most of this file is a JavaScript interpreter known as Node.JS. The executable file contains more than 70 pieces of JavaScript code; a significant portion of them constitutes the Node.JS core that provides an easily accessible interface to work with native objects. Some scripts incorporate the Trojan's payload; they enable the backdoor to execute commands coming from the remote server and download additional modules stored in the Windows registry (together with the main module of BackDoor.Gootkit.112).

The Trojan can execute the following commands:

  • Intercept HTTP traffic
  • Perform web injections
  • Block specific URLs
  • Take screenshots
  • Acquire the list of running processes
  • Acquire the list of local users and groups
  • End specified processes
  • Execute shell commands
  • Launch executable files
  • Update itself

In addition to that, BackDoor.Gootkit.112 can perform some other commands.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android