Backdoor:Win32/Allaple.D is a member of a multi-component malware family with a backdoor that performs activities such as key logging and sending system and password information to a remote server. This component downloads a number of executables used by the backdoor, determines the location of the server used by the backdoor’s controller, and launches other components of the backdoor when requested to do so.
Installation
Payload
Downloads and Installs Arbitrary Zip File
Once installed, the trojan obtains the name of a server to contact from the text file %windir%\inf\ram65xp.dll. (This file is written by the malware used to install the backdoor, and contains the location that the backdoor was downloaded from.)
It then contacts this server and downloads a DLL which is saved to <system folder>\DelZip179.dll, and a password-protected zip file, which is saved to %windir%\inf\kit.zip. It then unzips the file and writes its contents to the %windir%\inf directory.
At the time of publication, the DLL was a clean file compression library. The zip file contained two further Backdoor:Win32/Allaple components (see the Backdoor:Win32/Allaple.E description for an example), as well as a number of utilities for obtaining system information, such as password recovery utilities and tools for examining certificate stores. Although these tools have legitimate uses, the backdoor’s controller could use them to obtain system and password information without the user’s knowledge.
Files installed at the time of publication included:
- %windir%\inf\iepv.exe – recovers passwords stored by Internet Explorer (including autocomplete, HTTP Basic Authentication, and FTP passwords)
- %windir%\inf\netpass.exe – recovers Outlook passwords, MSN messenger passwords, and passwords used to log in to other systems on the network
- %windir%\inf\outlok.exe – duplicate of netpass.exe
- %windir%\inf\rdpv.exe – recovers Remote Desktop connection passwords
- %windir%\inf\svchost\ChilkatCert_NT4.dll – certificate processing library
- %windir%\inf\svchost\extract_cert.exe – extracts certificate information from the system certificate store
- %windir%\inf\svchost\csrss.exe – Backdoor:Win32/Allaple component
- %windir%\inf\svchost\svchost.exe – Backdoor:Win32/Allaple component
Backdoor Functionality
Backdoor:Win32/Allaple.D contacts a server at 20083.maladate.com which replies with the server location of the backdoor’s controller. This server information is recorded in a text file at %windir%\inf\ram64xp.dll. If this, or the attempt to contact the backdoor server, is unsuccessful, it may attempt to obtain an alternate backdoor server location from 20083.viewjoin.com.
Examples of servers observed to have been used at the time of publication have included dino.kling.nu and cuentos.varro.es.
The backdoor contacts its controller, notifying it before the file downloading activities described above begin and again after the file installation completes. The controller may then request that the newly installed components be launched. These components may perform such activities as keylogging and attempting to obtain the users’ passwords and certificates. See the Backdoor:Win32/Allaple.E description for an example.
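The dropped-file list and the lookup/controller domains above are the indicators a responder would hunt for on a suspected host. The script below is an added example, not part of this description or of any Microsoft tooling: it turns those indicators into two checks, one over a host file inventory (matching on the full path, since csrss.exe and svchost.exe are legitimate names and only their location under %windir%\inf is suspicious) and one over DNS query log lines. The inventory entries, the log format and the %windir% value are constructed assumptions for the sake of the example.

```python
import re

# Indicators transcribed from the description above. "%windir%" and
# "<system folder>" are the placeholders the description itself uses.
DROPPED_FILES = {
    r"%windir%\inf\ram65xp.dll": "download-server location written by the installer",
    r"%windir%\inf\ram64xp.dll": "controller location recorded by the backdoor",
    r"%windir%\inf\kit.zip": "password-protected component archive",
    r"<system folder>\DelZip179.dll": "clean compression library (weak signal on its own)",
    r"%windir%\inf\iepv.exe": "Internet Explorer password recovery tool",
    r"%windir%\inf\netpass.exe": "network/Outlook/MSN password recovery tool",
    r"%windir%\inf\outlok.exe": "duplicate of netpass.exe",
    r"%windir%\inf\rdpv.exe": "Remote Desktop password recovery tool",
    r"%windir%\inf\svchost\ChilkatCert_NT4.dll": "certificate processing library",
    r"%windir%\inf\svchost\extract_cert.exe": "certificate store extraction tool",
    r"%windir%\inf\svchost\csrss.exe": "Backdoor:Win32/Allaple component",
    r"%windir%\inf\svchost\svchost.exe": "Backdoor:Win32/Allaple component",
}

C2_DOMAINS = {
    "20083.maladate.com", "20083.viewjoin.com",  # controller-location lookup servers
    "dino.kling.nu", "cuentos.varro.es",         # controllers observed at publication
}


def normalise(path: str, windir: str = r"C:\Windows") -> str:
    """Expand the description's placeholders and fold case and separators so
    that inventory paths compare with indicators the way NTFS does (case-insensitively).
    The default windir value is an assumption; pass the real one for the host."""
    path = path.replace("%windir%", windir).replace("<system folder>", windir + r"\System32")
    return path.replace("/", "\\").lower()


def find_dropped_files(inventory, windir=r"C:\Windows"):
    """Return (path, description) for each inventory entry whose FULL path matches a
    dropped-file indicator. Basename matching would flood the result with the
    legitimate csrss.exe and svchost.exe under System32."""
    lookup = {normalise(ind, windir): desc for ind, desc in DROPPED_FILES.items()}
    hits = []
    for path in inventory:
        desc = lookup.get(normalise(path, windir))
        if desc is not None:
            hits.append((path, desc))
    return hits


# Constructed log format for this example: "<timestamp> <client> query: <name> <type>"
DNS_LINE = re.compile(r"^\S+\s+(?P<client>\S+)\s+query:\s+(?P<name>[A-Za-z0-9.-]+)")


def find_c2_queries(log_lines):
    """Return (client, queried name) for every line that resolves one of the
    Allaple.D lookup or controller domains; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")  # tolerate trailing-dot FQDNs
        if name in C2_DOMAINS:
            hits.append((m.group("client"), name))
    return hits


# Constructed sample data; none of it comes from a real host.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\svchost.exe",      # legitimate, must not match
    r"C:\Windows\inf\svchost\SVCHOST.EXE",   # dropped component, case differs
    r"C:\Windows\inf\kit.zip",
    r"C:\Windows\System32\DelZip179.dll",
    r"C:\Windows\inf\usbstor.inf",           # ordinary file in the inf directory
]

SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 query: 20083.maladate.com A",
    "2024-01-01T10:00:01Z 10.0.0.5 query: update.example.com. A",
    "2024-01-01T10:00:02Z 10.0.0.7 query: DINO.KLING.NU. A",
    "malformed line",
]

if __name__ == "__main__":
    for path, desc in find_dropped_files(SAMPLE_INVENTORY):
        print(f"file  {path}  ({desc})")
    for client, name in find_c2_queries(SAMPLE_DNS_LOG):
        print(f"dns   {client} -> {name}")
```

On the sample data the file check reports the renamed svchost.exe, kit.zip and DelZip179.dll while ignoring the real System32\svchost.exe, and the DNS check flags the two hosts that resolved maladate.com and kling.nu. DelZip179.dll and ChilkatCert_NT4.dll are clean libraries, so treat a hit on either alone as a prompt to look for the other files rather than as proof of infection.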
Analysis by David Wood