This backdoor is not in the wild, but because of the new techniques it uses (full process stealth under both Windows 9x/Me and Windows 2000/XP) we decided to release this advisory.
The backdoor comes in email messages looking like this:
From: Wells Fargo Accounting
Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489
To: Someone firstname.lastname@example.org
Thank you for your online application for a Business Account with Wells Fargo. We appreciate your
interest in banking with us.
In order to open a Business Account, we must receive specific credit information that is verifiable.
Because Wells Fargo has no locations in your state, we are unable to confirm the credit information
in your application. Consequently, we regret to say that we cannot open an account for your business
at this time.
Attached are your Wells Fargo Application and your Social Security File.
Business Resource Center Services
Wells Fargo Bank
When the user opens the attachment (detected by BitDefender as Trojan.Downloader.Rebbew), the program decrypts its internal strings, attempts to download the main backdoor program from the web, and then runs it. First, the backdoor checks whether it is already memory resident (by trying to open the mutex "Webber10_") and, if not, installs itself in memory.
Then it makes a copy of itself in the System32 directory, using a randomly generated file name; it also drops a DLL file in the System32 directory, which is used to run the main backdoor program.
The backdoor alters the registry key by adding the dropped DLL to it; as a result, the DLL gets loaded at every Windows boot (and starts the main backdoor).
The backdoor can be easily configured: the main executable file has extra data appended, which it reads as a configuration file at startup. This data can specify the ports the backdoor listens on, the sites where it uploads the confidential data it grabbed from the computer, and so on.
The backdoor grabs passwords (both RAS and web form-based) and sends them to the attacker.
The interesting part of this backdoor is its capability to run in stealth mode on both Windows 9x/Me and Windows 2000/XP systems. The backdoor process is hidden in a fairly advanced manner:
- Under Windows 9x/Me, the backdoor hooks the Process32Next function; when a program attempts to enumerate the processes, the backdoor "filters" its own process.
- Under Windows 2000/XP, the backdoor hooks the NtQuerySystemInformation function, and filters its own process.
The global hooking technique used by this backdoor is interesting: it saves the first 5 bytes of the function then places there a JMP
function is stored in the memory area between the PE Header and the actual data (usually padded with zeros due to file alignment) of kernel32.dll
(for 9x/Me) and ntdll.dll
For 9x, the method obviously works: there is only one kernel32.dll in memory, and a write to the kernel area is visible in all processes.
Under Windows 2000/XP, things are different, as every process receives its own copy of the system library files, protected by the COW (copy-on-write) mechanism. When a process attempts a write to a system DLL, the system automatically creates a copy and writes the data to that copy, leaving the original DLL unaltered. However, the backdoor uses a trick to write into ntdll.dll's memory area.
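The hooking technique described above (overwrite the first 5 bytes of an export with a near JMP whose handler lives in the zero padding between the PE headers and the first section) is also what a scanner can look for. The following C program is an added example written for this advisory; it is not BitDefender's code nor the backdoor's. It models a loaded module, compares an export's first five bytes as seen in memory with the on-disk copy, decodes an E9 rel32 jump, and reports whether the jump lands in the header slack. The module base, header size, export RVA and prologue bytes are constructed sample values, not the real layout of ntdll.dll or kernel32.dll.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a loaded system DLL. Base address, header size and
 * first-section RVA are hypothetical sample values, not a real ntdll.dll layout. */
typedef struct {
    const char *name;
    uint64_t image_base;        /* address the module is mapped at */
    uint32_t size_of_headers;   /* OptionalHeader.SizeOfHeaders: end of the PE headers */
    uint32_t first_section_rva; /* VirtualAddress of the first section (usually .text) */
} module_t;

typedef enum {
    VERDICT_CLEAN = 0,           /* first 5 bytes match the on-disk image */
    VERDICT_JMP_TO_HEADER_SLACK, /* E9 near jump into the zero padding after the headers */
    VERDICT_JMP_ELSEWHERE,       /* E9 near jump to some other address */
    VERDICT_PROLOGUE_MODIFIED    /* bytes differ but are not a plain near jump */
} verdict_t;

/* Decode an E9 rel32 near jump located at `va`. The displacement is relative
 * to the end of the 5-byte instruction and is stored little-endian. */
bool decode_jmp_rel32(const uint8_t code[5], uint64_t va, uint64_t *target) {
    if (code[0] != 0xE9) return false;
    uint32_t raw = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = va + 5 + (int64_t)(int32_t)raw;
    return true;
}

/* Encode a near jump from `from` to `to`; only used here to build the constructed sample. */
void encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[5]) {
    uint32_t raw = (uint32_t)(int32_t)(int64_t)(to - (from + 5));
    out[0] = 0xE9;
    out[1] = (uint8_t)(raw & 0xFF);
    out[2] = (uint8_t)((raw >> 8) & 0xFF);
    out[3] = (uint8_t)((raw >> 16) & 0xFF);
    out[4] = (uint8_t)((raw >> 24) & 0xFF);
}

/* The slack the advisory describes: bytes between the end of the PE headers and
 * the first section, mapped by the loader but holding only alignment padding. */
bool in_header_slack(const module_t *m, uint64_t va) {
    uint64_t start = m->image_base + m->size_of_headers;
    uint64_t end = m->image_base + m->first_section_rva;
    return va >= start && va < end;
}

/* Compare an export's first 5 bytes as seen in memory with the on-disk copy. */
verdict_t check_export(const module_t *m, uint64_t func_va,
                       const uint8_t in_memory[5], const uint8_t on_disk[5]) {
    uint64_t target;
    if (memcmp(in_memory, on_disk, 5) == 0) return VERDICT_CLEAN;
    if (!decode_jmp_rel32(in_memory, func_va, &target)) return VERDICT_PROLOGUE_MODIFIED;
    return in_header_slack(m, target) ? VERDICT_JMP_TO_HEADER_SLACK : VERDICT_JMP_ELSEWHERE;
}

/* ---- constructed sample: hypothetical module, export RVA and prologue bytes ---- */
static const module_t sample_module = { "ntdll.dll (constructed)", 0x77F50000ULL, 0x400, 0x1000 };
static const uint64_t sample_func_va = 0x77F50000ULL + 0x2A10;            /* hypothetical export RVA */
static const uint8_t sample_on_disk[5] = { 0xB8, 0xAD, 0x00, 0x00, 0x00 }; /* constructed "mov eax, imm32" stub */
static const uint64_t sample_hook_va = 0x77F50000ULL + 0x500;             /* handler placed in header slack */

/* Export whose prologue was replaced by a jump into the header slack. */
verdict_t scan_hooked_sample(void) {
    uint8_t patched[5];
    encode_jmp_rel32(sample_func_va, sample_hook_va, patched);
    return check_export(&sample_module, sample_func_va, patched, sample_on_disk);
}

/* Same export with its bytes untouched. */
verdict_t scan_clean_sample(void) {
    return check_export(&sample_module, sample_func_va, sample_on_disk, sample_on_disk);
}

/* Where the patched prologue transfers control to. */
uint64_t hooked_sample_target(void) {
    uint8_t patched[5];
    uint64_t target = 0;
    encode_jmp_rel32(sample_func_va, sample_hook_va, patched);
    decode_jmp_rel32(patched, sample_func_va, &target);
    return target;
}

int main(void) {
    static const char *names[] = { "clean", "jmp into header slack", "jmp elsewhere", "prologue modified" };
    printf("%s export @ 0x%" PRIx64 ": %s\n", sample_module.name, sample_func_va, names[scan_hooked_sample()]);
    printf("%s export @ 0x%" PRIx64 ": %s\n", sample_module.name, sample_func_va, names[scan_clean_sample()]);
    return 0;
}
```

On a 9x/Me system one comparison against the on-disk kernel32.dll is enough, since the advisory notes the single in-memory image is shared by every process. On 2000/XP a scanner has to read each process's own view of ntdll.dll, because copy-on-write would otherwise leave the patch visible in only the process that made it.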