Threat behavior
Backdoor:Win32/Hackdef.O can be started in two ways:
- Locally, by user interaction such as clicking a Web link or an e-mail attachment.
- Remotely, by a process on another computer that is scanning the network. If the scanner finds a computer that can be compromised, it can exploit a vulnerability to locate, install, or reinstall Backdoor:Win32/Hackdef.O and run it on the target computer.
If Backdoor:Win32/Hackdef.O infects a computer through a user account that has administrator privileges, it infects the current session and subsequent sessions of all users. If this Trojan infects a computer through a user account that does not have administrator privileges, it infects current and future sessions of only that user.
Backdoor:Win32/Hackdef.O runs as a process and installs itself as a service. When it runs, it takes the following actions:
- Checks for the presence of configuration code that it recognizes. The code contains parameters for changing settings on the computer. For example, the code can be in a .dll or .ini file, or in the Trojan code itself. Settings in the configuration code determine rootkit operations such as:
  - Hiding system resources, including system memory, files, processes, services, registry keys, opened TCP and UDP ports, and other settings.
  - Providing and controlling backdoor functionality.
  - Providing proxy services.
- Creates mailslots on the computer, for example, \\.\mailslot\joske-sl100s. The mailslot functions as a backdoor to receive commands and return information to an attacker. The Trojan first creates a default mailslot. Then, for each attacker, the Trojan creates a separate, private mailslot and notifies the attacker of the mailslot name. The attacker can then send commands through the private mailslot to control the Trojan functionality on the computer. For example, the attacker may refresh a configuration or initialization file.
- Creates a mapping object in memory to store original code from Windows system APIs.
- Checks for the presence of a driver that it needs to run custom code in kernel mode.
- Saves the driver to a file, so that the driver runs whenever Windows starts.
- Starts the driver. The driver duplicates process tokens to obtain process-related information so that the Trojan can alter functionality of those processes as they run from memory.
- Creates new registry keys. For example, it creates a registry key to run the driver each time Windows starts.
- Infects Windows system APIs residing in memory locations allocated to various processes. This can include APIs from one or more of the following .dll files:
  - advapi32.dll
  - kernel32.dll
  - ntdll.dll
  - ws2_32.dll
  - wsock32.dll
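The in-memory API patching described in the last item is what a defender checks for by comparing the first bytes of an exported function in a live process with the same bytes in the DLL on disk; an unexpected mismatch, especially one shaped like a jump trampoline, indicates a hook. The following is an added example and is not code from this encyclopedia entry: reading the bytes out of a process and out of the DLL file is Windows-specific and is left out, so the snapshot below is constructed, and its addresses and hook targets are invented.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the hot-patchable prologue that 32-bit Windows system DLL exports
# begin with (mov edi,edi / push ebp / mov ebp,esp). It holds no absolute address, so
# loader relocations never alter these bytes; a disk-vs-memory mismatch here is a patch.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")

@dataclass
class HookReport:
    module: str
    export: str
    pattern: str            # trampoline shape, or "unknown patch"
    target: Optional[int]   # jump destination (pointer slot for jmp [imm32]), if decodable

def classify_trampoline(mem: bytes, va: int) -> Tuple[Optional[str], Optional[int]]:
    """Recognise the trampoline shapes user-mode rootkits write over a prologue."""
    if mem[:1] == b"\xE9" and len(mem) >= 5:                      # jmp rel32
        rel = int.from_bytes(mem[1:5], "little", signed=True)
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    if mem[:1] == b"\x68" and len(mem) >= 6 and mem[5] == 0xC3:   # push imm32; ret
        return "push imm32; ret", int.from_bytes(mem[1:5], "little")
    if mem[:2] == b"\xFF\x25" and len(mem) >= 6:                  # jmp dword ptr [imm32]
        return "jmp [imm32]", int.from_bytes(mem[2:6], "little")
    if mem[:1] == b"\xB8" and len(mem) >= 7 and mem[5:7] == b"\xFF\xE0":
        return "mov eax, imm32; jmp eax", int.from_bytes(mem[1:5], "little")
    return None, None

def check_export(module: str, export: str, va: int, disk: bytes, mem: bytes) -> Optional[HookReport]:
    """Compare the prologue read from the DLL file with the live copy in process memory."""
    if disk == mem:
        return None
    pattern, target = classify_trampoline(mem, va)
    return HookReport(module, export, pattern or "unknown patch", target)

def scan(snapshot) -> List[HookReport]:
    """One report per export whose in-memory prologue no longer matches the file on disk."""
    return [r for r in (check_export(*entry) for entry in snapshot) if r is not None]

# Constructed snapshot: (module, export, VA, bytes on disk, bytes in memory).
# Addresses and hook targets are invented; they are not captures of Hackdef.O.
SNAPSHOT = [
    ("kernel32.dll", "FindNextFileW", 0x7C80F002, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    ("ntdll.dll", "NtQuerySystemInformation", 0x7C90D92E, CLEAN_PROLOGUE,
     bytes.fromhex("E9CD366F93")),                  # jmp rel32 to 0x10001000
    ("advapi32.dll", "RegEnumValueW", 0x77DD5F78, CLEAN_PROLOGUE,
     bytes.fromhex("6800200010C3")),                # push 0x10002000; ret
    ("ws2_32.dll", "recv", 0x71AB615A, CLEAN_PROLOGUE, bytes.fromhex("90909090EC")),
]
```

`scan(SNAPSHOT)` returns three reports, for the ntdll, advapi32 and ws2_32 entries; the kernel32 entry matches the on-disk bytes and is not reported.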
Prevention