Backdoor:Win32/Jukbot.A is a botnet component that gives a remote attacker backdoor access to, and control of, an affected computer. The attacker can also use it to launch distributed denial of service (DDoS) attacks using UDP, ICMP and HTTP flooding.
Installation
The backdoor has been observed using different file names and service names when it is dropped onto the computer.
When run, it copies itself to the <system folder> under one of several file names, for example "panp.exe", "slnso.exe" or "btlp.exe".
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista and 7.
Backdoor:Win32/Jukbot.A registers its dropped copy as a Windows service, using various service names, so that the copy runs at each Windows start. The backdoor makes the following changes to the registry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<service name>
Sets value: "Type"
With data: "dword:00000010" (SERVICE_WIN32_OWN_PROCESS)
Sets value: "Start"
With data: "dword:00000002" (SERVICE_AUTO_START, so the service starts at boot without user interaction)
Sets value: "ErrorControl"
With data: "dword:00000001" (SERVICE_ERROR_NORMAL)
Sets value: "ImagePath"
With data: <dropped malware path>
Sets value: "DisplayName"
With data: "<service name>"
Sets value: "ObjectName"
With data: "LocalSystem" (the service, and therefore the backdoor, runs with LocalSystem privileges)
Sets value: "Description"
With data: "Network address translation for virtual networks.If this service is stopped, protected content might not be down loaded to the device."
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\VMservices\Security (VMservices is one of the observed service names; the path follows whichever <service name> the backdoor chose)
Sets value: "Security"
With data: hex: <Hex Value>
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\VMservices\Enum
Sets value: "0"
With data: "Root\LEGACY_VMSERVICES\0000"
Sets value: "Count"
With data: "dword:00000001"
Sets value: "NextInstance"
With data: "dword:00000001"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<service name>
Sets value: "<malware file name>"
With data: "<system folder>\<malware file name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMSERVICES
Sets value: "NextInstance"
With data: "dword:00000001"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMSERVICES\0000
Sets value: "Service"
With data: "<service name>"
Sets value: "Legacy"
With data: "dword:00000001"
Sets value: "ConfigFlags"
With data: "dword:00000000"
Sets value: "Class"
With data: "LegacyDriver"
Sets value: "ClassGUID"
With data: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
Sets value: "DeviceDesc"
With data: "<service name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMSERVICES\0000\Control
Sets value: "*NewlyCreated*"
With data: "dword:00000000"
Sets value: "ActiveService"
With data: "<service name>"
In the wild, we have observed some variants of Backdoor:Win32/Jukbot.A creating the following registry entry:
In subkey: HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\Set
Sets value: "Beizhu"
With data: "JK"
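As an added example, not part of this write-up, the following Python script turns the registry entries above into an offline check an analyst can run against a collected `reg export` of the Services hive (and of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor for the marker). It parses the .reg text and flags any service registered with the Description string shown above, any ImagePath whose file name is one of the observed drop names, and the "Beizhu"="JK" marker. Type, Start and ObjectName are deliberately not used as indicators on their own, because an auto-started own-process LocalSystem service is how many legitimate services are registered. The embedded .reg text is constructed sample data; the service name VMservices and the path C:\Windows\System32\panp.exe in it are taken from the entries above, not from a real capture.

```python
r"""Scan a .reg export for Backdoor:Win32/Jukbot.A persistence indicators (added example).
Collect input on the suspect host, then run: python jukbot_reg_scan.py services.reg
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
    reg export HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor cpu.reg
"""
import re
import sys

# Indicators from the write-up: exact service Description string, observed drop
# names, and the "Beizhu"="JK" marker that some variants write.
JUKBOT_DESCRIPTION = ("Network address translation for virtual networks.If this service "
                      "is stopped, protected content might not be down loaded to the device.")
JUKBOT_FILE_NAMES = {"panp.exe", "slnso.exe", "btlp.exe"}
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set"


def _logical_lines(text):
    """Join the trailing-backslash continuation lines .reg files use for long hex values."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def decode_value(value):
    """Decode the .reg value syntaxes this scan needs; other types are returned raw."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith('"') and value.endswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])        # unescape \\ and \"
    m = re.match(r"^hex\(2\):(.*)$", value)                 # REG_EXPAND_SZ as UTF-16LE bytes
    if m:
        return bytes.fromhex(m.group(1).replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return value


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for the body of a .reg file."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def find_jukbot_indicators(keys):
    """Return one finding per service key (or marker key) that matches an indicator."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        service = key[len(SERVICES_PREFIX):]
        if "\\" in service:                     # skip Security, Enum, Parameters subkeys
            continue
        reasons = []
        if values.get("Description") == JUKBOT_DESCRIPTION:
            reasons.append("Description matches the Jukbot service description")
        image = str(values.get("ImagePath", ""))
        basename = image.strip('"').rsplit("\\", 1)[-1].split(" ")[0].lower()
        if basename in JUKBOT_FILE_NAMES:
            reasons.append("ImagePath file name %s is an observed Jukbot drop name" % basename)
        if reasons:
            findings.append({"service": service, "image_path": image, "reasons": reasons})
    for key, values in keys.items():
        if key.lower() == MARKER_KEY.lower() and values.get("Beizhu") == "JK":
            findings.append({"service": None, "image_path": None,
                             "reasons": ["CentralProcessor\\Set value Beizhu=JK marker present"]})
    return findings


# Constructed sample in reg export syntax (not a real capture): a benign service,
# a service registered as described above (ImagePath stored as REG_EXPAND_SZ,
# which reg export wraps across lines), and the optional Beizhu marker.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Description"="Loads files to memory for later printing"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMservices]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,\
  53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,61,00,6e,00,70,00,2e,00,\
  65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Description"="Network address translation for virtual networks.If this service is stopped, protected content might not be down loaded to the device."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMservices\Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set]
"Beizhu"="JK"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:   # reg export writes UTF-16 with a BOM
            text = fh.read()
    else:
        text = SAMPLE_REG
    for hit in find_jukbot_indicators(parse_reg_export(text)):
        print(hit["service"] or "(marker)", hit["image_path"] or "", "; ".join(hit["reasons"]))
```

Run without arguments to see the two hits from the sample (the VMservices service, matched on both Description and file name, and the marker); pass the path of a real export to scan it. A hit on the Description string or a drop name is strong on its own; the LEGACY_<service name> entries under Enum\Root listed above are written for any legacy service and are only useful as corroboration once a service name is already suspect.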
Payload
Allows backdoor access and control
Backdoor:Win32/Jukbot.A attempts to connect to a predetermined command and control server. In the wild, we observed the malware connecting to one of the following domains:
- <website>.2288.org
- <website>.3322.org
Using this backdoor, an attacker can perform a number of actions on an affected computer, for example:
- Delete its service
- Download and execute files from a given URL
- Execute commands
- Reboot, shutdown and power off the computer
- Launch a distributed denial of service (DDoS) attack using UDP, ICMP or HTTP floods
- Stop the DDoS attack
The backdoor may also send information back to a remote attacker, such as:
- Computer name
- Operating System version
- CPU speed
- Physical RAM
- CPU model
Analysis by Rex Plantado & Dan Kurc