Win32/Bunitu

Installation

This threat is usually composed of a dropper (detected as a TrojanDropper:Win32/Bunitu variant, such as TrojanDropper:Win32/Bunitu.C) and a trojan proxy (detected as a TrojanProxy:Win32/Bunitu variant, such as TrojanProxy:Win32/Bunitu.A).

The file name of the dropper is usually random. If you were infected with it as a result of an exploit kit, then it will likely be in the Internet Explorer temporary files folder.

Some of the file names we have seen are:

• 1toman.exe
• 1erree.exe
• 1bovtensdf.exe
• 1oiran.exe
• msiexec.exe
• 7.exe
• 6.exe
• 5.exe

The dropper drops the malicious trojan proxy component, usually as a .dll file, in the <system folder> or %LOCALAPPDATA% folder with a random file name, for example:

• bilmopc.dll
• lanh32.dll
• pdafoir.dll
• topruwj.dll
• zunktir.dll

It changes the following registry entries so the .dll file runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<DLL file name without extension", for example "topruwj"
With data: "rundll32 "<location and name of DLL file>",<DLL file name without extension>", for example "rundll32 "%LOCALAPPDATA%\topruwj.dll",topruwj"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<DLL file name without extension> 
Sets value: "Startup"
With data: "<DLL file name without extension>", for example "bilmopc"

Sets value: "DllName"
With data: "<location and name of DLL file>", for example "%LOCALAPPDATA%\bilompc.dll"

Sets value: "Impersonate"
With data: "dword:00000001"

Sets value: "Asynchronous"
With data: "dword:00000001"

Sets value: "MaxWait"
With data: "dword:00000001"

The dropper adds itself to the Windows Firewall authorized applications list by creating the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<location and file name of the dropper>", for example "%TEMP%\9838093.exe"
With data: "<location and file name of the dropper>:*:Enabled:<dropper file name without extension>", for example "%TEMP%\9838093.exe:*:Enabled:9838093"

Earlier variants of TrojanDropper:Win32/Bunitu drop a .sys file in the <system folder>, which is then loaded as a system driver.

The driver's main function is to monitor the trojan proxy file, to provide some stealth routines. The dropped .sys file is detected as a VirTool:WinNT/Bunitu variant, such as VirTool:WinNT/Bunitu.A.
   
We have seen the .sys file with the following names:  

• itcoe.sys
• itcom.sys
• krnllds.sys
• nvmapi.sys
• nvnapi.sys
• nvnati.sys
• nvnatv.sys
• sha1krnl.sys

Other Bunitu variants can also delete the following registry keys, which are related to security products:

• HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
• HKLM\SYSTEM\CurrentControlSet\Services\ccPwdSvc
• HKLM\SYSTEM\CurrentControlSet\Services\ccPxySvc
• HKLM\SYSTEM\CurrentControlSet\Services\NISUM
• HKLM\SYSTEM\CurrentControlSet\Services\SymEvent
• HKLM\SYSTEM\CurrentControlSet\Services\SYMTDI
• HKLM\SYSTEM\CurrentControlSet\Services\VFILT

Payload

Acts as a proxy

The trojan proxy variants of the family cause your PC to act as a malicious proxy host. A remote malicious hacker can then connect to the Internet or malware-related servers by using your PC as a proxy, in order to hide their activities.

These variants can then connect to a remote server. We have seen Bunito variants connect to the following remote servers:

Additional information

Variants of the trojan dropper component can also create the following mutexes to prevent more than one copy of the threat from running on your PC:

• "AHNY-SYMRW-WIRTA"
• "BPLAF-ZCCA9D-AWQJK"
• "HMK11-U9ZH1S-OWN1"
• "IBE-ECAO3Y-BQSW"
• "KMWE-V1OLLA-CVUS3"
• "KPAV-VBNLS-0FTE"
• "LOW-CCSG-K1H9AW"
• "MOPDS-XVBNS-MS1FSW"
• "NDSYUK-XV0MA-EWA"
• "OMNV-TYHSO-CBB07"
• "PRAGR-CROI0-XVEAA"
• "RMRZ-HI7REA-VILAX"
• "STW-BMHDJ-J9LFD-15OEA-REO"
• "TWBNO-5LOA-ERFD"
• "UAN-I10LIDV-VYR"

Analysis by Ric Robielos