
Trojan.Downloader.Bredolab.U


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Downloader.Bredolab.U is also known as Backdoor.Win32.Bredolab.gw, TrojanDownloader:Win32/Bredolab.X, Trojan.Bredolab.

Explanation:

This malware is known for downloading rogue antivirus products (e.g. PC Antispyware 2010). Once installed, such a product generates alerts about fake infections and urges the user to fix them; the user is told that cleaning the computer of the threats requires buying a license for that specific product. In reality the product, even after being licensed and registered, deletes no files and fixes none of the issues it reports.

Trojan.Downloader.Bredolab.U has two components:
- the packed main executable
- the downloader, which is never written to disk directly but is injected into other processes

The main executable's task is to evade antivirus detection; it is packed by a polymorphic packer layered on top of standard UPX. Once a variant is detected, the packer is modified so that the next build evades detection again.

The original executable employs several tricks to make analysis and detection harder:
* a custom packer;
* encrypted strings, which are decrypted just before use and re-encrypted afterwards, so the plaintext is only briefly present in memory;
* dynamic API resolution based on custom checksums of the API names rather than the names themselves;
* detection of malware analysis environments: VMware, VirtualBox and Sandboxie (the checks are present in the binary but are not used at this point);
* use of known exploits (such as MS07-17, or the undocumented ZwSystemDebugControl function to write to kernel memory) to execute code in kernel mode in order to remove hooks on the following kernel exported functions:
  * ZwAllocateVirtualMemory
  * ZwWriteVirtualMemory
  * ZwProtectVirtualMemory
  * ZwCreateThread
  * ZwAdjustPrivilegesToken
  * ZwOpenProcess
  * ZwOpenThread
  * ZwQueueApcThread
  * ZwSetValueKey
* unhooking of user-mode APIs: the malware restores the code of each API it uses from the disk image (the original DLL on disk), overwriting any inline hook a security product placed in memory.
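The two tricks that matter most to an analyst are the checksum-based API resolution and the restoration of API prologues from the on-disk DLL, because the first hides which APIs the sample calls and the second defeats user-mode monitoring. The following is an added example, not BitDefender's or Bredolab's code: it simulates both steps on constructed data. The ROR13 hash, the fake export table, the assumed hook address 0x10001000 and the prologue bytes are all assumptions; Bredolab's real checksum is custom and is not documented on this page.

```python
"""Added example, not BitDefender's or Bredolab's code: a simulation of two
of the tricks above, API resolution by checksum and restoring user-mode API
prologues from the on-disk DLL. All data is constructed in-process; the
ROR13 hash, the fake export table and the byte patterns are assumptions."""


def ror13_hash(name: str) -> int:
    """Assumed checksum (ROR13, common in shellcode). Bredolab's own checksum
    is custom and is not documented on this page."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed stand-in for ntdll's export table: export name -> address.
EXPORTS = {
    "ZwAllocateVirtualMemory": 0x7C90D500,
    "ZwWriteVirtualMemory": 0x7C90D510,
    "ZwProtectVirtualMemory": 0x7C90D520,
    "ZwCreateThread": 0x7C90D530,
    "ZwOpenProcess": 0x7C90D540,
    "ZwQueueApcThread": 0x7C90D550,
}


def resolve_by_hash(exports, wanted):
    """Malware side: walk the export names, hash each one and return the
    address whose hash matches. No API name is ever stored in the binary."""
    for name, addr in exports.items():
        if ror13_hash(name) == wanted:
            return name, addr
    return None


def recover_names(hashes, candidate_names):
    """Analyst side: brute-force the hashes found in the sample against a
    wordlist of known export names to recover what the malware calls."""
    table = {ror13_hash(n): n for n in candidate_names}
    return {h: table.get(h) for h in hashes}


# Constructed prologue of ZwOpenProcess on a 32-bit XP-era ntdll.
# On disk: mov eax, 7Ah / mov edx, 7FFE0300h / call [edx] / ret 10h.
ON_DISK = {"ZwOpenProcess": bytes.fromhex("b87a000000ba0003fe7fff12c21000")}
# In memory: a user-mode hook has replaced the first five bytes with a
# JMP rel32 (E9) to its own handler at 0x10001000 (assumed address).
IN_MEMORY = {"ZwOpenProcess": bytes.fromhex("e9bb3a6f93ba0003fe7fff12c21000")}


def find_hooks(in_memory, on_disk, exports):
    """Return {api: (jmp_target, original_prologue)} for every API whose
    live prologue differs from the disk image and begins with JMP rel32."""
    hooks = {}
    for api, disk in on_disk.items():
        mem = in_memory[api]
        if mem != disk and mem[0] == 0xE9:
            rel = int.from_bytes(mem[1:5], "little", signed=True)
            target = (exports[api] + 5 + rel) & 0xFFFFFFFF
            hooks[api] = (target, disk[:5])
    return hooks


def unhook(in_memory, on_disk):
    """The malware's fix: copy the disk-image bytes back over the live
    prologue, silently removing the security product's hook."""
    return {api: on_disk.get(api, mem) for api, mem in in_memory.items()}


if __name__ == "__main__":
    h = ror13_hash("ZwOpenProcess")
    print(f"{h:#010x} -> {resolve_by_hash(EXPORTS, h)}")
    print(recover_names([h, 0xDEADBEEF], EXPORTS))
    for api, (target, orig) in find_hooks(IN_MEMORY, ON_DISK, EXPORTS).items():
        print(f"{api}: hooked, JMP -> {target:#x}, original bytes {orig.hex()}")
    print(unhook(IN_MEMORY, ON_DISK) == ON_DISK)
```

The practical use of the analyst half is to take the constants the sample feeds its resolver, hash a wordlist of ntdll/kernel32 export names with the sample's own routine (once it has been lifted from the binary) and recover the API list without running the malware. The same prologue comparison that the malware uses to find hooks also works in reverse for a defender: a JMP rel32 at the start of an ntdll export that is not present in the on-disk image is evidence that something, possibly the malware itself, has patched the API.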

Once executed, the original application does the following:
* resolves the APIs it needs;
* checks the Windows version and exits if it is not Windows 2000 or later;
* if it is running under the name "dfqupd32.exe": runs the code that removes the hooks from the kernel-mode APIs, then creates a new instance of "svchost.exe" and hijacks it with the downloader (which is embedded in encrypted form inside the packed binary);
* if it is running under the name "explorer.exe":
  * copies itself into the Startup shell folder (read from "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup") under the name "dfqupd32.exe", which ensures that the malware is executed at every startup of the infected machine;
  * creates a custom unique mutex;
  * unhooks the user-mode APIs;
  * decrypts the embedded downloader and injects it into a hijacked "svchost.exe";
* if it is not running as "explorer.exe":
  * tries one of the three exploits to execute code in kernel mode in order to unhook the needed kernel exported APIs;
  * injects itself into a running instance of "explorer.exe".
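The execution flow above leaves two host artifacts that are easy to check for: the copy named "dfqupd32.exe" in the Startup shell folder, and an "svchost.exe" instance that was created by the malware rather than by the Service Control Manager (a legitimate svchost.exe is always a child of services.exe; the one the malware creates is a child of explorer.exe or dfqupd32.exe). The following triage script is an added example, not BitDefender's code: the Startup directory listing and the process list are constructed, and the paths and PIDs are made up.

```python
"""Added example, not BitDefender's code: triage checks for the two host
artifacts the execution flow above leaves behind, the copy in the Startup
shell folder and the svchost.exe instance spawned by the malware. The file
list and process list are constructed; paths and PIDs are made up."""

import ntpath

# Constructed: the Startup shell folder as read from the HKCU "Shell
# Folders\Startup" value on an XP-era machine, and its directory listing.
STARTUP_DIR = r"C:\Documents and Settings\user\Start Menu\Programs\Startup"
STARTUP_FILES = [
    STARTUP_DIR + r"\desktop.ini",
    STARTUP_DIR + r"\DFQUPD32.EXE",
]

# Constructed process list as (pid, ppid, image name). Every legitimate
# svchost.exe is started by services.exe; the instance the malware creates
# is a child of explorer.exe or dfqupd32.exe instead.
PROCESSES = [
    (4, 0, "System"),
    (400, 4, "smss.exe"),
    (520, 400, "winlogon.exe"),
    (600, 520, "services.exe"),
    (900, 600, "svchost.exe"),
    (1200, 1100, "explorer.exe"),  # parent (userinit.exe) already exited
    (1500, 1200, "dfqupd32.exe"),
    (1600, 1500, "svchost.exe"),
]


def startup_persistence(files, name="dfqupd32.exe"):
    """Files in the Startup folder whose name matches the malware's copy.
    NTFS names are case-insensitive, so compare in lower case."""
    return [f for f in files if ntpath.basename(f).lower() == name]


def suspicious_svchosts(processes):
    """svchost.exe processes whose parent is not services.exe, returned as
    (pid, parent image name). A parent that has exited is reported as such."""
    by_pid = {pid: image for pid, _ppid, image in processes}
    hits = []
    for pid, ppid, image in processes:
        if image.lower() != "svchost.exe":
            continue
        parent = by_pid.get(ppid, "<exited>")
        if parent.lower() != "services.exe":
            hits.append((pid, parent))
    return hits


def triage(files, processes):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"startup persistence: {f}" for f in startup_persistence(files)]
    findings += [f"svchost.exe pid {pid} spawned by {parent}, not services.exe"
                 for pid, parent in suspicious_svchosts(processes)]
    return findings


if __name__ == "__main__":
    for line in triage(STARTUP_FILES, PROCESSES):
        print(line)
```

On a live machine the Startup path should be read from the HKCU "Shell Folders\Startup" value named above rather than hard-coded, and the process records can come from any listing that includes parent PIDs. The parent check is worth keeping even after the file has been deleted: the downloader never touches disk, so the orphaned svchost.exe is the artifact that survives.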

The downloader is a standard downloader which, in this sample, connects to mudstrang.ru and requests a download. The server sends an encrypted executable, which the downloader decrypts and executes on the infected machine. The payload is usually a rogue antivirus product.

Last update 21 November 2011
