Backdoor:MSIL/Bladabindi
First posted on 20 September 2013.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:MSIL/Bladabindi.
Explanation:
Threat behavior
Installation
Bladabindi variants can be created using the hacker tool known as "NJ Rat", which we detect as HackTool:MSIL/Jaktinier.A and TrojanDropper:MSIL/Habbo.A.
Backdoor:MSIL/Bladabindi copies itself to the following locations:
- %TEMP%\<variable name>.exe, for example %TEMP%\svhost.exe
- <startup folder>\<32 random alpha-numeric characters>.exe, for example <startup folder>\5cd8f17f4086744065eb0992a09e05a2.exe
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"
It also runs net.exe to add itself to the firewall exclusion list and bypass your firewall.
Spreads via...
Removable drives
Some Bladabindi variants copy themselves to the root folder of a removable drive. They create a shortcut file that carries the name and folder icon of the drive.
When you click on the shortcut, the malware is launched and Windows Explorer is opened. This makes it seem as if nothing malicious happened.
Payload
Steals sensitive information
Backdoor:MSIL/Bladabindi gives a hacker backdoor access to your PC. This means they can steal your sensitive information such as:
- Your computer name, country and serial number
- Your Windows user name
- Your computer's operating system version
The malware can use your PC camera to record and steal your personal information. It checks for camera drivers and installs a DLL plugin so it can record and upload video to a remote hacker.
The trojan can also log your keystrokes. This means a hacker can get access to your user names and passwords. The collected data is saved in %TEMP%\<variable name>.exe.tmp and can then be uploaded to a hacker.
Accepts backdoor commands
Backdoor:MSIL/Bladabindi can also receive the following backdoor commands:
- Compression for uploading data
- Download and run of files
- Exit
- Load plugins dynamically
- Ping
- Registry manipulation
- Remote shell
- Restart
- Screen captures
- Uninstall
- Update
Connects to remote servers
The trojan can connect to remote servers to download and install updates or other malware. We have seen it connect to:
- fox2012.no-ip.org
- jn.redirectme.net
- reemo.no-ip.biz
- moudidz.no-ip.org
Avoids detection
Backdoor:MSIL/Bladabindi uses various .NET obfuscators to hide its code.
It also makes itself a critical process to prevent it being terminated. Your system may crash with a stop code 0x000000F4 if the malware process is interrupted. This can make it hard to clean your PC when the malware is running.
Analysis by Steven Zhou and Zhitao Zhou
Symptoms
The following could indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"
- Your system may crash with a stop code 0x000000F4 when you try to remove malware from your computer.
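Added example, not part of the Microsoft write-up: a Python check that parses a `reg export` of the two Run keys named in the Installation and Symptoms sections and flags values whose name is 32 alphanumeric characters and whose data points at %TEMP%\<variable name>.exe. The registry export text is constructed for the example; the benign entry names are placeholders.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: text in the format `reg export` produces for the two Run
# keys named on the page, with a benign entry beside one Bladabindi-style entry each.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"5cd8f17f4086744065eb0992a09e05a2"="%TEMP%\\svhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"5cd8f17f4086744065eb0992a09e05a2"="%TEMP%\\svhost.exe"
"""

# The two Run subkeys listed in the Installation and Symptoms sections.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Microsoft\\"
    r"Windows NT\\CurrentVersion\\Run\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Value name: 32 random alphanumeric characters, e.g. 5cd8f17f4086744065eb0992a09e05a2.
NAME_RE = re.compile(r"^[0-9A-Za-z]{32}$")
# Data: %TEMP%\<variable name>.exe, e.g. %TEMP%\svhost.exe.
DATA_RE = re.compile(r"^%TEMP%\\[^\\]+\.exe$", re.IGNORECASE)


def find_bladabindi_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, data) for every Run value matching the page's pattern."""
    hits: List[Tuple[str, str, str]] = []
    hive: Optional[str] = None  # set while inside one of the two Run keys
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = RUN_KEY_RE.match(line)
            hive = match.group(1) if match else None
            continue
        if hive is None:
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue
        # .reg files escape each backslash as \\ ; undo that before matching the path.
        name, data = match.group(1), match.group(2).replace("\\\\", "\\")
        if NAME_RE.match(name) and DATA_RE.match(data):
            hits.append((hive, name, data))
    return hits


if __name__ == "__main__":
    for hive, name, data in find_bladabindi_run_entries(SAMPLE_REG_EXPORT):
        print(f"{hive}: value {name!r} -> {data!r}")
```

Run it against a real export of those two keys to get the same triage output; a hit is a lead to confirm, since the stop code 0x000000F4 behaviour above means the process should be handled with an offline scan rather than killed by hand.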
Last update 20 September 2013