Threat behavior
Backdoor:Win32/Rbot.NF is a backdoor Trojan that runs in the background, gathers software installation and computer configuration details, and connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
When Backdoor:Win32/Rbot.NF is executed, it performs the following actions:
Copies itself as <system>\inetsrv\winlogins.exe, setting the file attributes to hidden and read-only.
Runs this copy of itself and deletes the original Trojan file.
Propagates itself to other computers across a network by:
Registers itself as a service, so that the Trojan process continues to run even after the user logs off:
Adds value: Windows Logins Screen
With data: winlogins.exe
To subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Connects to TCP port 113 (the Ident service, which IRC servers query to authenticate connecting clients), in the same way that Internet Relay Chat (IRC) clients do.
Connects to a remote IRC server and channel using TCP port 80, and awaits commands from remote attackers.
Commands may include the following instructions:
Search for files
Send process list, network configuration and system information or clipboard data
Initiate a remote shell
Terminate threads
Send, receive or execute files
Capture a screen image
Perform a DNS look-up
Remove itself from the infected machine
Conduct DoS attacks against specified targets
Backdoor:Win32/Rbot.NF makes additional registry entries that may lower security settings:
Adds value: "C:\WINDOWS\System32\inetsrv\winlogins.exe"
With data: <system folder>\inetsrv\winlogins.exe:*:enabled:windows logins screen
To subkey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "DisallowRun"
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Adds value: "Protected system files1"
With data: "avgupsvc.exe"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Adds value: "EnableDCOM"
With data: "n"
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
Adds value: "TransportBindName"
With data: ""
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Adds value: "restrictanonymous"
With data: 2
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Backdoor:Win32/Rbot.NF drops a new HOSTS file with the intent to block HTTP access to various Web sites, many of which are antivirus and security related sites. The new HOSTS file may look benign upon first inspection, because more than 100 blank lines are inserted at the beginning of the configuration file, followed by multiple entries for various Web sites resolving to 127.0.0.1.
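The following script is an added example for defenders, not part of the original description: it triages a HOSTS file for the pattern just described (a long run of leading blank lines hiding a block of hostnames pointed at the loopback address). The two sample HOSTS files and the hostnames in them are constructed for the example; the thresholds are assumptions chosen to match the "more than 100 blank lines" observation above.

```python
"""Triage a Windows HOSTS file for the blank-padding-plus-loopback-redirect
pattern used by HOSTS-tampering malware (added example; sample data is
constructed, not taken from a real infection)."""

import ipaddress
import sys

# Hostnames that legitimately resolve to loopback in a default HOSTS file.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed clean file, modelled on the default Windows HOSTS layout.
CLEAN_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "\n"
    "127.0.0.1       localhost\n"
)

# Constructed tampered file: 120 blank lines, then placeholder security
# vendor hostnames (all .test) redirected to 127.0.0.1.
SUSPECT_HOSTS = "\n" * 120 + "127.0.0.1 localhost\n" + "".join(
    f"127.0.0.1 {host}\n"
    for host in [
        "update.example-av.test",
        "www.example-av.test",
        "downloads.example-security.test",
        "liveupdate.example.test",
        "www.example-firewall.test",
        "rads.example.test",
    ]
)


def parse_hosts(text):
    """Return (leading_blank_lines, entries).

    leading_blank_lines counts whitespace-only lines before the first
    non-blank line (comment lines end the run, since the padding described
    for this threat is blank, not commented).  entries is a list of
    (ip, hostname) pairs with trailing comments stripped and hostnames
    lower-cased."""
    leading_blank = 0
    counting = True
    entries = []
    for raw in text.splitlines():
        if counting and not raw.strip():
            leading_blank += 1
            continue
        counting = False
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, hosts = parts[0], parts[1:]
        for host in hosts:
            entries.append((ip, host.lower()))
    return leading_blank, entries


def analyze_hosts(text, leading_blank_threshold=100, loopback_threshold=5):
    """Flag a HOSTS file when it shows either indicator: a padded header or
    many non-localhost names mapped to a loopback address.  Thresholds are
    assumptions for the example.  Covers ::1 as well as 127.0.0.0/8."""
    leading_blank, entries = parse_hosts(text)
    loopback_hosts = []
    for ip, host in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; not a loopback redirect
        if addr.is_loopback and host not in EXPECTED_LOOPBACK:
            loopback_hosts.append(host)

    indicators = []
    if leading_blank >= leading_blank_threshold:
        indicators.append(f"{leading_blank} leading blank lines")
    if len(loopback_hosts) >= loopback_threshold:
        indicators.append(f"{len(loopback_hosts)} hostnames mapped to loopback")

    return {
        "leading_blank_lines": leading_blank,
        "loopback_hosts": loopback_hosts,
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


if __name__ == "__main__":
    # Usage: python hosts_triage.py [path-to-HOSTS]; with no argument the
    # constructed samples are analyzed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"clean sample": CLEAN_HOSTS, "tampered sample": SUSPECT_HOSTS}
    for name, text in samples.items():
        result = analyze_hosts(text)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {verdict} {result['indicators']}")
```

On a Windows host the file to pass is `%SystemRoot%\System32\drivers\etc\hosts`; the leading-blank count is reported separately from the redirect count so an analyst can see which of the two indicators fired, and a file that merely blocks a handful of ad domains via loopback stays below the redirect threshold.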
Prevention