Threat behavior
Backdoor:Win32/Sdbot.UD is a backdoor trojan that allows unauthorized access and control of the affected machine.
Installation
When executed, Backdoor:Win32/Sdbot.UD copies itself to <system folder>\drivers\ntndis.exe and modifies the registry to run this file at each Windows start:
Adds value: "Shell"
With data: "explorer.exe <system folder>\drivers\ntndis.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The trojan also creates the mutex '21853768232324616' in order to ensure that only one copy of the trojan runs at any time.
Payload
Modifies System Security Settings
The trojan adds itself to the Windows Firewall authorized applications list by making the following modification to the registry:
Adds value: "<Path to Malware File>"
With data: "<Malware File>:*:enabled:control"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Backdoor Functionality: TCP Port 4321
This trojan allows unauthorized access and control of an affected machine. It opens and listens on TCP Port 4321 for commands from a remote attacker. Using this backdoor, an attacker can perform the following actions on an affected machine:
- Perform DDoS (Distributed Denial of Service) attacks using methods such as HTTP, UDP, ICMP and SYN flooding
- Send e-mail using its own SMTP engine
- Upload files
- Download and execute arbitrary files
- List and kill processes
- Set up FTP, Socks4, or Socks5 servers
Uses Advanced Stealth
This trojan may drop and install the following rootkit component to the affected machine:
- %windir%\system32\drivers\ntndis.sys
This component is used to hide the trojan's presence from an affected user.
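The indicators listed in this entry (the Winlogon Shell value, the dropped ntndis.exe and ntndis.sys files, the firewall AuthorizedApplications entry, the mutex, and the TCP 4321 listener) can be checked read-only on a suspect host with PowerShell. The script below is an added example written for this page; it is not part of the encyclopedia entry and not Microsoft's tooling. It assumes it is run from an elevated PowerShell prompt on the host being examined, that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later; the script skips that check otherwise), and that the rootkit driver, if registered, has ntndis.sys in its image path. The "Global\" mutex namespace variant is an assumption added for robustness; every other value comes from the entry above.

```powershell
# Added example: read-only check for the Backdoor:Win32/Sdbot.UD host indicators
# described above. Nothing is modified or removed; findings are only reported.
# Assumes: elevated prompt on the examined host. Indicator values are from the entry.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Shell: the entry says the trojan prepends "explorer.exe" with its own
#    path. Anything other than a bare "explorer.exe" warrants a look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell is not the default: '$shell'")
}

# 2. Dropped files named in the entry. GetFolderPath('System') resolves <system folder>.
$sysDir = [Environment]::GetFolderPath('System')
foreach ($f in @("$sysDir\drivers\ntndis.exe", "$sysDir\drivers\ntndis.sys")) {
    if (Test-Path -LiteralPath $f) { $findings.Add("Indicator file present: $f") }
}

# 3. Firewall authorized-applications list. The entry names ControlSet001; the
#    CurrentControlSet alias is checked too because it is the control set in use.
$fwKeys = @(
  'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
  'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)
foreach ($k in $fwKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Name -match 'ntndis\.exe' -or "$($p.Value)" -match 'ntndis\.exe') {
            $findings.Add("Firewall exception for indicator: $($p.Name) = $($p.Value)")
        }
    }
}

# 4. Mutex: OpenExisting probes for the name without creating it. The "Global\"
#    form is an assumption (not stated in the entry), checked in addition.
foreach ($name in @('21853768232324616', 'Global\21853768232324616')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings.Add("Mutex '$name' exists (trojan may be running)")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: the expected result on a clean host
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex '$name' exists but is not accessible from this context")
    }
}

# 5. Listener on TCP 4321, with the owning process (cmdlet present on Win8/2012+).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listeners = Get-NetTCPConnection -LocalPort 4321 -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $listeners) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("TCP 4321 listening; owning process: $($proc.ProcessName) (PID $($c.OwningProcess))")
    }
}

# 6. Rootkit driver: any registered kernel driver whose image path is ntndis.sys.
#    Matching on the path avoids assuming the service name, which the entry does not give.
Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -match 'ntndis\.sys' } |
    ForEach-Object { $findings.Add("Driver service '$($_.Name)' registered: $($_.PathName)") }

if ($findings.Count -eq 0) { 'No Sdbot.UD indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the rootkit component is meant to hide the trojan from the affected user, a clean result from checks 2, 5 and 6 on a live system is weaker evidence than a clean result from the registry checks; the file and driver checks are more reliable when run against the disk offline or from a boot environment where the driver is not loaded.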
Analysis by Lena Lin
Prevention