
BackDoor.Rebbew (A,B,C,D)


First posted on 21 November 2011.
Source: BitDefender

Aliases :

BackDoor.Rebbew (A,B,C,D) is also known as Trojan.Webber (KAV).

Explanation :

This backdoor is not in the wild, but because of the new techniques it uses (full process stealth under both Windows 9x/Me and Windows 2000/XP) we decided to release this advisory.

The backdoor comes in email messages looking like this:

From: Wells Fargo Accounting

Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489

To: Someone someone@domain.com

Dear Sir,

Thank you for your online application for a Business Account with Wells Fargo. We appreciate your
interest in banking with us.

In order to open a Business Account, we must receive specific credit information that is verifiable.
Because Wells Fargo has no locations in your state, we are unable to confirm the credit information
in your application. Consequently, we regret to say that we cannot open an account for your business
at this time.

Attached are your Wells Fargo Application and your Social Security File.

Sincerely,

Sherli Chin
Business Resource Center Services
Wells Fargo Bank

When the user opens the attachment (detected by BitDefender as Trojan.Downloader.Rebbew), the program decrypts its internal strings, attempts to download the main backdoor program from the web, and then runs it. First, the backdoor checks whether it is already memory resident (by trying to open the mutex "Webber10_") and, if not, installs itself in memory.

Then it copies itself into the System32 directory under a randomly generated file name; it also drops a DLL into the System32 directory that is used to start the main backdoor program.

The backdoor alters the registry key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

by adding the dropped DLL there; as a result, the DLL is loaded at every Windows boot and starts the main backdoor. Note that the values under this key are CLSIDs that explorer.exe instantiates when the shell starts, so anyone auditing it has to resolve each CLSID to its InprocServer32 path under HKCR\CLSID to see which DLL is actually being loaded.

The backdoor is easily configurable: the main executable has extra data appended (an overlay after the last section), which it reads as a configuration file at startup. This data can specify the ports the backdoor listens on, the sites to which it uploads the confidential data grabbed from the computer, and so on.
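As an added example (not code from the advisory or from BitDefender), the following Python locates that appended data the way an analyst would when pulling the configuration out of a sample: it parses the section table, computes where the last section's raw data ends, and treats everything after it as the overlay. The PE bytes it runs on are built inline by `build_minimal_pe`, a constructed one-section image with a placeholder blob standing in for the configuration; the backdoor's real configuration format is not described in the advisory and is not guessed here.

```python
import struct

# Placeholder for the appended configuration. Constructed for this example; the
# advisory does not document the real format, so nothing is parsed out of it.
SAMPLE_CONFIG = b"constructed sample config blob (ports / upload site would go here)"


def build_minimal_pe(overlay: bytes) -> bytes:
    """Build a constructed 32-bit PE with one .text section and `overlay` appended.

    Layout: 0x200 bytes of headers, 0x200 bytes of .text raw data, then the overlay,
    so anything the file carries past offset 0x400 is not part of any section.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, no symbols, optional header 0xE0, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    opt[0:2] = struct.pack("<H", 0x10B)       # PE32 magic
    opt[32:36] = struct.pack("<I", 0x1000)    # SectionAlignment
    opt[36:40] = struct.pack("<I", 0x200)     # FileAlignment
    opt[56:60] = struct.pack("<I", 0x2000)    # SizeOfImage
    opt[60:64] = struct.pack("<I", 0x200)     # SizeOfHeaders
    # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocs, linenumbers, counts, Characteristics (CODE|EXEC|READ)
    sec = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + bytes(opt) + sec).ljust(0x200, b"\x00")
    text = b"\xC3".ljust(0x200, b"\xCC")      # `ret` followed by int3 padding
    return headers + text + overlay


def find_overlay(pe: bytes) -> tuple:
    """Return (overlay_offset, overlay_bytes) for a PE image read from disk.

    The overlay starts where the furthest-reaching section's raw data ends, or at
    SizeOfHeaders if the file has no sections; an unsigned, unpacked binary that
    carries no appended data returns an empty overlay.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    optional_header = e_lfanew + 24
    section_table = optional_header + opt_size
    end = struct.unpack_from("<I", pe, optional_header + 60)[0]   # SizeOfHeaders
    for i in range(num_sections):
        hdr = section_table + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end, pe[end:]


if __name__ == "__main__":
    offset, blob = find_overlay(build_minimal_pe(SAMPLE_CONFIG))
    print("overlay at 0x%x, %d bytes: %r" % (offset, len(blob), blob[:32]))
```

Two caveats before trusting what comes back: an Authenticode-signed file always carries an overlay (the security data directory points into it), so check that directory before treating trailing bytes as malware configuration, and some samples have section raw sizes that are not multiples of FileAlignment; tools differ on whether they round `PointerToRawData + SizeOfRawData` up to the alignment before comparing, so pick one convention and apply it consistently across a corpus.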

The backdoor grabs passwords (both RAS and web form-based) and sends them to the attacker.

The interesting part of this backdoor is its capability to run in stealth mode on both Windows 9x/Me and 2000/XP systems. The backdoor process is hidden in a fairly advanced manner:

Under Windows 9x/Me, the backdoor hooks the Process32Next function; when a program enumerates the running processes, the backdoor filters its own process out of the results.

Under Windows 2000/XP, the backdoor hooks the NtQuerySystemInformation function and filters its own process in the same way.

The global hooking technique used by this backdoor is interesting: it saves the first 5 bytes of the function and then places a JMP instruction there. The hook function is stored in the memory area between the PE header and the actual section data (usually padded with zeros because of file alignment) of kernel32.dll (for 9x/Me) or ntdll.dll (for 2000/XP).

For 9x the method obviously works: there is only one copy of kernel32.dll in memory (system DLLs are mapped in the shared area above 2 GB), so a write to it is visible in all processes.

Under 2000/XP things are different: every process gets its own view of the system DLLs, protected by the copy-on-write (COW) mechanism. When a process writes to a page of a system DLL, the memory manager gives that process a private copy of the page and writes the data there, leaving the original, shared pages unaltered, so an ordinary write to ntdll.dll patches only the process that performed it. The backdoor nevertheless uses a trick to write into ntdll.dll's memory area.
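To make the hooking and the corresponding detection concrete, here is an added Python model (not code from the advisory or from BitDefender; the malware is x86 native code and this only simulates its memory patching on a constructed module image). `install_hook` does what the advisory describes: it saves the first 5 bytes of the target function, parks them in the zero-padded slack between the PE headers and the first section, and overwrites the prologue with an `E9 rel32` jump to the backdoor's handler. The advisory does not say what else is placed in the slack; the trampoline layout used here (saved bytes followed by a JMP back to function+5) is an assumption. `scan_module` is the check a responder would run against a suspect process: resolve any JMP at an export's first instruction and report where it lands, and flag a header slack that is no longer all zeros. The module layout, base address, export offset and handler address are all constructed values, not taken from a real ntdll.dll.

```python
import struct


class Module:
    """Model of a loaded module: `image` is the mapped bytes, `headers_end` the first
    byte after the PE headers and `first_section` the start of the first section's
    data. The bytes in between are the alignment padding the advisory describes
    (normally all zeros). Layout values are constructed for this example."""

    def __init__(self, name, base, size, headers_end, first_section):
        self.name, self.base, self.size = name, base, size
        self.headers_end, self.first_section = headers_end, first_section
        self.image = bytearray(size)

    def va(self, off):
        return self.base + off

    def contains(self, va):
        return self.base <= va < self.base + self.size


def jmp_rel32(src_va, dst_va):
    """Encode `E9 rel32` placed at src_va and landing on dst_va.
    rel32 is relative to the end of the 5-byte instruction."""
    rel = dst_va - (src_va + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel)


def jmp_target(mod, off):
    """Return the VA a `JMP rel32` at `off` lands on, or None if no E9 is there."""
    if mod.image[off] != 0xE9:
        return None
    return mod.va(off) + 5 + struct.unpack_from("<i", mod.image, off + 1)[0]


def install_hook(mod, func_off, handler_va):
    """Simulate the backdoor's patch. The trampoline (saved bytes + JMP back to
    func+5) in the header slack is an assumed layout, not stated in the advisory."""
    saved = bytes(mod.image[func_off:func_off + 5])
    stub_off = mod.headers_end                    # first free byte of the slack
    stub = saved + jmp_rel32(mod.va(stub_off + 5), mod.va(func_off + 5))
    if stub_off + len(stub) > mod.first_section:
        raise ValueError("not enough header slack for the stub")
    mod.image[stub_off:stub_off + len(stub)] = stub
    mod.image[func_off:func_off + 5] = jmp_rel32(mod.va(func_off), handler_va)
    return stub_off


def scan_module(mod, exports):
    """Detection side. `exports` maps export name -> offset of the function.
    Reports exports whose first instruction is a JMP rel32 (and where it goes)
    and a header slack that is no longer zero padding."""
    findings = []
    for name, off in exports.items():
        target = jmp_target(mod, off)
        if target is None:
            continue
        if mod.va(mod.headers_end) <= target < mod.va(mod.first_section):
            where = "PE header slack of " + mod.name
        elif mod.contains(target):
            where = "inside " + mod.name   # may be a legitimate thunk; compare with the on-disk copy
        else:
            where = "outside " + mod.name
        findings.append((name, hex(target), where))
    slack = mod.image[mod.headers_end:mod.first_section]
    dirty = sum(1 for b in slack if b)
    if dirty:
        findings.append(("header slack", hex(mod.va(mod.headers_end)),
                         "%d non-zero bytes (expected zero padding)" % dirty))
    return findings


# Constructed demo values: an ntdll-like module at 0x7C900000 with headers ending at
# 0x400 and .text starting at 0x1000; the export's prologue is the XP-era hot-patchable
# `mov edi,edi ; push ebp ; mov ebp,esp` (8B FF 55 8B EC), exactly 5 bytes.
PROLOGUE = bytes.fromhex("8BFF558BEC")
NTQSI_OFF = 0x1234
HANDLER_VA = 0x10001000   # assumed address of the backdoor's filtering routine in its own DLL


def demo():
    mod = Module("ntdll.dll", 0x7C900000, 0x80000, 0x400, 0x1000)
    mod.image[NTQSI_OFF:NTQSI_OFF + 5] = PROLOGUE
    exports = {"NtQuerySystemInformation": NTQSI_OFF}
    before = scan_module(mod, exports)
    stub_off = install_hook(mod, NTQSI_OFF, HANDLER_VA)
    after = scan_module(mod, exports)
    return before, after, stub_off


if __name__ == "__main__":
    before, after, stub_off = demo()
    print("before hook:", before)
    print("after hook: ", after)
```

In practice the scan reads the prologue with ReadProcessMemory and compares it with the on-disk copy of the same module, so that a JMP the linker or Microsoft's hotpatching placed there is not reported as a hook; a jump target inside the module's header padding, or in memory that belongs to no loaded module, together with non-zero bytes where the loader expects alignment padding, is the trace this technique leaves in every process it patches.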

Last update 21 November 2011
