Threat behavior
TrojanProxy:Win32/Slenugga.A is a trojan that contacts a remote server, which may request it to proxy malicious traffic to other systems. It may be downloaded and installed by variants of the Win32/Slenfbot family.
Installation
TrojanProxy:Win32/Slenugga.A may be downloaded and installed by variants of the Win32/Slenfbot family.
When first run, TrojanProxy:Win32/Slenugga.A typically copies itself as a read-only, hidden, system file to a location such as C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe. It also creates a Desktop.ini file in the same directory, which has the effect of making the directory appear in Windows Explorer as a Recycle Bin.
It also creates a registry entry such as the following to ensure that the malware is run upon system startup:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: 12CFG214-K641-24SF-N85P
With data: C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe
Examples of combinations of registry value names and pathnames of the copied malware include the following:
Registry Value Name | Pathname of Malware (under C:\RECYCLER\)
12CFG214-K641-24SF-N85P | s-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe
12CFG515-K641-55SF-N66P | s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
12CFG214-K641-12SF-N85P | s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
12CFG914-K641-26SF-N32P | s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
13CFG914-K641-26SF-N31P | s-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
It then injects its payload code into the explorer.exe process.
It may use a mutex such as “silinuggahxx4578” or “ajubsst” to ensure that only one copy of the malware can run at any given time.
Payload
Proxies traffic
The malware periodically connects on port 1199 to a location such as newss.alwaysproxy8.info. The remote host may respond with details of other systems to be contacted and the traffic that should be sent to them. It then connects to these systems and sends the traffic as requested. It does not listen for any incoming connections.
The server may also request that the malware delete itself from the system.
Examples of servers used in this manner in the wild include the following:
- newss.alwaysproxy8.info
- newss.alwaysproxy.info
- orts.alwaysproxy4.info
- p34s3.hmarhelo.co
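The persistence, mutex and command-and-control indicators described above can be turned into simple host-level checks. The following script is an added example (not part of this entry): it takes exported HKCU Run values, active outbound connections and open mutex names as plain Python lists (constructed sample data is embedded), and flags entries that match the value-name pattern, the SID-named folder under C:\RECYCLER\, the listed mutexes, or the listed servers on port 1199. The regular expressions generalise from the samples in the table and are an assumption about the family, not something the entry states.

```python
import re

# Indicators taken from this entry; the two patterns generalise the listed samples.
RUN_VALUE_NAME_RE = re.compile(r"^\d{2}CFG\d{3}-K641-\d{2}SF-N\d{2}P$")
RECYCLER_EXE_RE = re.compile(
    r"^[A-Za-z]:\\RECYCLER\\S-1-5-21-\d+-\d+-\d+-\d+\\[^\\]+\.exe$", re.IGNORECASE
)
KNOWN_MUTEXES = {"silinuggahxx4578", "ajubsst"}
KNOWN_C2_HOSTS = {
    "newss.alwaysproxy8.info", "newss.alwaysproxy.info",
    "orts.alwaysproxy4.info", "p34s3.hmarhelo.co",
}
C2_PORT = 1199

def check_run_entries(entries):
    """entries: (value_name, data) pairs exported from the HKCU Run key.
    Returns (value_name, data, reasons) for each entry that looks like Slenugga."""
    findings = []
    for name, data in entries:
        reasons = []
        if RUN_VALUE_NAME_RE.match(name):
            reasons.append("value name matches the Slenugga naming pattern")
        if RECYCLER_EXE_RE.match(data):
            reasons.append("executable lives in a SID-named folder under RECYCLER")
        if reasons:
            findings.append((name, data, reasons))
    return findings

def check_connections(conns):
    """conns: (remote_host, remote_port) pairs. Flags traffic to the listed servers on 1199."""
    return [(h, p) for h, p in conns if p == C2_PORT and h.lower() in KNOWN_C2_HOSTS]

def check_mutexes(mutex_names):
    """Flags mutex names known to be used by the family."""
    return sorted(KNOWN_MUTEXES.intersection(mutex_names))

# Constructed sample data: two rows from the table above plus one benign Run value.
SAMPLE_RUN_ENTRIES = [
    ("12CFG214-K641-24SF-N85P",
     r"C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("13CFG914-K641-26SF-N31P",
     r"C:\RECYCLER\s-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe"),
]
SAMPLE_CONNECTIONS = [("newss.alwaysproxy8.info", 1199), ("example.com", 443)]

if __name__ == "__main__":
    for name, data, reasons in check_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] Run value {name} -> {data}: {'; '.join(reasons)}")
    print(check_connections(SAMPLE_CONNECTIONS), check_mutexes(["ajubsst", "Local\\x"]))
```

A matching entry is a lead, not proof: confirm the file attributes (read-only, hidden, system) and the Desktop.ini in the same folder before acting on it.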
Analysis by David Wood
Prevention