by RSS He Xu  |  Nov 17, 2014  |  Filed in: Security Research

At the end of October, a bot that we had not tracked before appeared in our system. Our initial analysis of its features caught our attention, as it revealed behaviour that is dangerous to infected users. After tracing its history with our monitoring system, we found that it has been distributed by a well-known botnet, Andromeda 2.09, since September 2014.

As a new addition to the botnet families that we continually track, we now present our initial analysis of this botnet, which is named Recslurp. In this blog post, we discuss the variant that we detect as W32/Recslurp.D!tr.

Replace System Processes!!!

Unlike other malware that simply copies itself as a new file, the Recslurp bot tries to replace the original system files under the System folder. The following critical executables are its current targets.

  • %System%\csrss.exe
  • %System%\rundll32.exe
  • %System%\svchost.exe

Once these system files are replaced, the whole system could become unstable or stop functioning. A missing csrss.exe prevents the system from booting; a missing rundll32.exe prevents most applications from loading their modules; and a missing svchost.exe terminates most services. Based on this behaviour, we suspect that the malware author is a newcomer who is not familiar with the Windows system architecture and may not be aware that this bot can cause endless trouble.

Fortunately, Windows has a defense against this crude replacement: the executable files of running processes cannot be overwritten, so csrss.exe under the System folder should be safe, as should svchost.exe. However, the last target, rundll32.exe, is not always running and can therefore be replaced permanently.

If the replacement of the system files fails, the bot will try to copy itself into the following folders instead:

  • %AppData%\csrss.exe
  • %AppData%\rundll32.exe
  • %AppData%\svchost.exe

This fallback plan is very likely to succeed.

Autorun Registry Entries

After dropping its copies, the bot adds the corresponding autorun registry entries:

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
value: Client Server Runtime Process
data: [<%System%> or <%AppData%>]\csrss.exe

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
value: Host-process Windows (Rundll32.exe)
data: [<%System%> or <%AppData%>]\rundll32.exe

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
value: Service Host Process for Windows
data: [<%System%> or <%AppData%>]\svchost.exe

The three registry entries above may all exist at the same time, ensuring that the bot runs every time the infected user logs on.

In case the bot fails to drop any copies of itself, it will just use its original path and file name in its autorun registry entry:

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
value: Microsoft Windows
data: [Bot’s original path and file name]

Data in the Registry

The bot saves its sensitive data into the following registry entry:

key: HKEY_CURRENT_USER\Software\Microsoft\Shared Police
value: MachineParamCPUU
data: [Binary data]

We are still investigating this part to identify the details. We will provide more information when we finish this process.
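The indicators in the three sections above (replaced or dropped copies of csrss.exe, rundll32.exe and svchost.exe, the Run values, and the Shared Police key) can be checked on a suspect host with a short PowerShell triage script. The script below is an added example written for this post, not Fortinet's tooling or anything from the bot itself; the file names, Run value names and the registry keys are those listed above, while the script structure, the `$findings` list and the Authenticode signature check are my own assumptions about how to verify them.

```powershell
# Added example (not from the original post): host triage for the Recslurp
# indicators described above. Run in an elevated PowerShell on the suspect host.
# File names, Run value names and registry keys come from the post; the checks,
# helper variables and report format are assumptions of this example.

$system32 = Join-Path $env:WINDIR 'System32'
$targets  = @('csrss.exe', 'rundll32.exe', 'svchost.exe')
$findings = @()

# 1. The genuine binaries in %System% carry a valid Microsoft signature. A
#    non-valid or missing signature on rundll32.exe (the one the post says can
#    be replaced while not running) is the strongest local indicator.
foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "System file has non-valid signature ($($sig.Status)): $path"
        }
    } else {
        $findings += "Expected system file is missing: $path"
    }
}

# 2. Fallback copies under %AppData%: these file names never belong there.
foreach ($name in $targets) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path $path) {
        $findings += "Suspicious copy of $name in roaming profile: $path"
    }
}

# 3. HKCU Run entries: flag the value names the post lists, and any entry whose
#    command resolves to one of the three file names outside System32.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$knownNames = @('Client Server Runtime Process',
                'Host-process Windows (Rundll32.exe)',
                'Service Host Process for Windows',
                'Microsoft Windows')
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if ([string]::IsNullOrWhiteSpace($data)) { continue }
        $leaf = Split-Path -Leaf $data
        $outsideSystem32 = ($targets -contains $leaf.ToLower()) -and
                           -not $data.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        if ($knownNames -contains $p.Name -or $outsideSystem32) {
            $findings += "Suspicious Run value '$($p.Name)' -> $data"
        }
    }
}

# 4. The registry value the bot uses to store its data.
$storeKey = 'HKCU:\Software\Microsoft\Shared Police'
if (Test-Path $storeKey) {
    $store = Get-ItemProperty -Path $storeKey -ErrorAction SilentlyContinue
    if ($null -ne $store.MachineParamCPUU) {
        $findings += "Recslurp data value present: $storeKey\MachineParamCPUU"
    }
}

if ($findings.Count -eq 0) { 'No Recslurp indicators found.' } else { $findings }
```

Two caveats for using this in practice: on hosts older than Windows 10, the in-box binaries are catalog-signed and `Get-AuthenticodeSignature` may report `NotSigned` for a perfectly clean file, so confirm a hit by comparing `Get-FileHash` output against the same file on a known-clean machine of the same build and patch level; and since the Run key is per-user, run the registry checks under each profile that logs on to the host, not only the administrator's.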

Hardcoded C&C IP and Port

The command-and-control (C&C) server IP and port are both hardcoded in the bot binary.

Figure 1. Hardcoded C&C IP and port. (screenshot not preserved)

The initial traffic that it sends looks like the following:

Figure 2. Initial traffic from Recslurp. (screenshot not preserved)

Conclusion

From our initial analysis of this bot, we can see that it has aggressive local behavior that may make the infected system terribly unstable. Our monitoring system will continue to track its activity while we analyze its details further. We will keep you updated as we get more information.
