Backdoor:Win32/Remosh.A is a trojan that sends Windows system configuration details to a remote server and also allows remote access and control of the affected computer.
Installation
Backdoor:Win32/Remosh.A is installed by a dropper trojan such as Backdoor:Win32/Remosh.A.dr and is present as a DLL component located in the Windows system folder. The DLL runs as a service at Windows start. Below is an example of one observed registry modification made by the trojan dropper after installing Backdoor:Win32/Remosh.A to run as a service:
Sets value: "ServiceDll"
With data: "<system folder>\hpmdp093.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Note: <system folder> refers to a variable location that the malware determines at run time by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.
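The ServiceDll modification above is the persistence artifact a responder would hunt for: a svchost-hosted service whose DLL is not the one a clean system carries. The following is an added example (not from the original analysis) that parses an exported Services hive and reports ServiceDll values that are absent from, or differ from, a baseline taken from a known-clean reference image. The registry export text and the baseline dictionary are constructed for illustration; the 6to4 entry mirrors the modification described above, the other service and its DLL path are an assumed baseline entry, and the sample was hand-encoded the way reg.exe writes a REG_EXPAND_SZ value (hex(2) with line continuations).

```python
"""Hunt for hijacked ServiceDll entries in a `reg export` of the Services hive (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample export. The 6to4\Parameters\ServiceDll entry reproduces the
# modification observed for Backdoor:Win32/Remosh.A; Dnscache is an assumed
# legitimate entry. REG_EXPAND_SZ values appear as hex(2) UTF-16LE byte lists,
# wrapped with trailing backslashes, exactly as reg.exe writes them.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"DisplayName"="ASP.NET Services"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,68,00,70,00,6d,00,\
  64,00,70,00,30,00,39,00,33,00,2e,00,64,00,6c,00,6c,00,00,00
"""

# Assumed baseline: service name -> ServiceDll path recorded from a clean image.
BASELINE: Dict[str, str] = {
    "dnscache": r"%systemroot%\system32\dnsrslvr.dll",
}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _logical_lines(text: str):
    """Join reg.exe continuation lines (trailing backslash, indented next line)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_value(raw: str) -> str:
    """Decode a quoted REG_SZ or a hex(2) REG_EXPAND_SZ value; leave others as-is."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[len("hex(2):"):].split(",") if h)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_service_dlls(reg_text: str) -> Dict[str, str]:
    """Return {service name (lowercased): ServiceDll path} for every Parameters key."""
    result: Dict[str, str] = {}
    current_key = None
    for line in _logical_lines(reg_text):
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = VALUE_RE.match(line)
        if not (val_match and current_key) or val_match.group(1).lower() != "servicedll":
            continue
        if current_key.lower().startswith(SERVICES_PREFIX.lower()):
            service = current_key[len(SERVICES_PREFIX):].split("\\")[0]
            result[service.lower()] = _decode_value(val_match.group(2))
    return result


def find_servicedll_anomalies(reg_text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag ServiceDll entries that are not in the baseline or point elsewhere."""
    findings = []
    for service, dll in parse_service_dlls(reg_text).items():
        expected = baseline.get(service)
        if expected is None:
            findings.append((service, dll, "service has no ServiceDll in clean baseline"))
        elif expected.lower() != dll.lower():
            findings.append((service, dll, f"ServiceDll differs from baseline {expected}"))
    return findings


if __name__ == "__main__":
    for service, dll, reason in find_servicedll_anomalies(SAMPLE_REG_EXPORT, BASELINE):
        print(f"[!] {service}: {dll} ({reason})")
```

Because the DLL file name is author-defined and varies between samples, matching on the name alone is unreliable; comparing each service's ServiceDll against a baseline from a clean build of the same Windows version catches the hijack regardless of the name chosen.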
It contains the following variables in its code; note that the actual values of the variables may change depending on the malware sample:
MUTEXNAME = "NT1630"
SHELLCOMMAND = "shell"
SERVICENAME = "6to4"
SERVICE_DISPLAYNAME = "ASP.NET Services"
SERVICE_DESCRIPTION = ""
DISABLE_IPSEC = "1"
MASTER_HOST = "<string>.is-a-chef.com"
MASTER_PORT = "80"
The malware checks for a mutex named "MUTEXNAME" to verify that it isn't already running. If found, it exits immediately; if not, it creates the mutex.
If the value of "DISABLE_IPSEC" is non-zero, the trojan stops and disables the "PolicyAgent" service, which is the IPSec service.
Win32/Remosh registers itself to run as a service named "SERVICENAME", with the display name "SERVICE_DISPLAYNAME" and the description "SERVICE_DESCRIPTION". The service is configured so that it cannot be stopped; it does, however, respond to system shutdown requests.
Payload
Allows remote access and control
Every 30 seconds, the malware establishes a TCP connection to "MASTER_HOST" on port "MASTER_PORT"; all subsequent communication is encrypted. The trojan sends system information (computer name, processor information, OS version).
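A fixed 30-second connection interval to a single external host is itself a detectable signal, independent of the encrypted payload. The following is an added example (not part of the original analysis) that runs over constructed connection-log lines and reports any source/destination/port tuple that is contacted at a near-constant period. The log format, hostnames, timestamps and thresholds are assumptions; the dynamic-DNS suffix is the one named above, with a made-up label in place of the sample-specific string.

```python
"""Periodic-beacon detection over constructed connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: "<ISO timestamp> <src ip> <dst host> <dst port>" per line.
# The is-a-chef.com host is contacted roughly every 30 seconds, as described
# for the trojan above; the other hosts are ordinary background traffic.
SAMPLE_FLOWS = """\
2011-03-14T10:00:00Z 10.0.0.5 updates.example.com 443
2011-03-14T10:00:00Z 10.0.0.5 example-c2.is-a-chef.com 80
2011-03-14T10:00:07Z 10.0.0.5 www.example.org 80
2011-03-14T10:00:30Z 10.0.0.5 example-c2.is-a-chef.com 80
2011-03-14T10:00:45Z 10.0.0.5 www.example.org 80
2011-03-14T10:01:00Z 10.0.0.5 example-c2.is-a-chef.com 80
2011-03-14T10:01:30Z 10.0.0.5 example-c2.is-a-chef.com 80
2011-03-14T10:01:31Z 10.0.0.5 updates.example.com 443
2011-03-14T10:02:00Z 10.0.0.5 example-c2.is-a-chef.com 80
2011-03-14T10:02:31Z 10.0.0.5 example-c2.is-a-chef.com 80
2011-03-14T10:03:00Z 10.0.0.5 example-c2.is-a-chef.com 80
2011-03-14T10:03:30Z 10.0.0.5 example-c2.is-a-chef.com 80
"""

FlowKey = Tuple[str, str, int]


def parse_flows(text: str) -> Dict[FlowKey, List[datetime]]:
    """Group connection timestamps by (src, dst host, dst port)."""
    flows: Dict[FlowKey, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def find_beacons(flows: Dict[FlowKey, List[datetime]], min_count: int = 5, max_jitter: float = 2.0) -> List[dict]:
    """Report tuples seen at least min_count times whose inter-connection gaps
    all sit within max_jitter seconds of the median gap (the beacon period)."""
    beacons = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_count:
            continue
        times = sorted(times)
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = median(gaps)
        jitter = max(abs(g - period) for g in gaps)
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "period": period, "count": len(times), "jitter": jitter})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"[!] {b['src']} -> {b['dst']}:{b['port']} every {b['period']:.0f}s "
              f"({b['count']} connections, jitter {b['jitter']:.0f}s)")
```

On real data the thresholds need tuning (legitimate software polls on fixed timers too), so the output is a lead for triage rather than a verdict; a second signal worth correlating here is that the traffic on port 80 is not HTTP, which a proxy or protocol-aware sensor will log separately.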
The trojan accepts commands from the server if the server reply starts with "SHELLCOMMAND"; commands include the following:
- enumerate terminal services sessions to show who is logged into the machine
- enumerate system drives, collecting drive letters, types, free space and volume name
- enumerate files by path, allowing the server to browse the contents of the file system
- launch an executable remotely
- open a remote command shell which allows the server to execute commands
- enumerate registry keys
- send screenshots from the local system to the server to show what is happening on the system
- uninstall itself
- move, delete or copy a file
- set file attributes on a file
- receive a new file from the server
Additional Information
Note that the file name used by this trojan may vary from sample to sample, because the trojan is created using a construction toolkit known as "Gh0st Rat". Certain aspects of the trojan are therefore author-defined, such as the following:
- Mutex name
- Service name
- Service display name
- Service description
- IPSEC options
- Command and control server domain name
- Command and control communication port
Analysis by Aaron Putnam