PS3 Jailbreak Trojan (Aug 25, 2010)
SonicWALL UTM Research team received reports of a new PS3 Jailbreak Trojan being distributed in the wild. This Trojan is actually a new variant of Trojan Spatet packaged together with a PS3 Jailbreak Tool. This tool purportedly will allow gamers to use their PS3 console without the games original disc. However, users who download this tool get infected by a Trojan Backdoor that steals information from their system.
The release of this Trojan comes after a real PS3 Jailbreak USB Stick has been released and is currently gaining popularity among PS3 gamers.
Arrival & Installation:
This trojan may arrive in the system after being downloaded from the following URL:
- http://www.fol{REMOVED}8e3979fb14
The installer of this Trojan looks like this:
The PS3 Jailbreak tool looks like this:
As the user installs the PS3 Jailbreak tool, it will also install the following:
- %Temp%hahahaha.exe (282 KB) – [ detected as GAV: Rebhip.A (Virus) ]
- %Temp%abc2.exe (563 KB)- [ detected as GAV: Spatet.B (Trojan) ]
- %System%temptempp.exe – [ detected as GAV: Spatet.B (Trojan) ]
It will create Mutex to ensure that only one instance of the application runs in the system:
- {UserName}{Random Number}
(Note: %Temp% is the Temporary Folder, which is usally C:Documents and Settings{User}Local SettingsTemp%System% is the Windows System folder, which is usually C:WindowsSystem32)
Registry Changes:
It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:
- Key: [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun] Value: “Policies”
Data: “”C:WINDOWSsystem32temptempp.exe”” - Key: [HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun] Value: “Policies”
Data: “”C:WINDOWSsystem32temptempp.exe”” - Key: [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] Value: “HKCU”
Data: “”C:WINDOWSsystem32temptempp.exe”” - Key: [HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun] Value: “HKLM”
Data: “”C:WINDOWSsystem32temptempp.exe””
It adds the following registry entries as part of its installation:
- Key: [HKEY_CURRENT_USERSoftwareps3] Value: “FirstExecution”
Value: “NewGroup”
Value: “NewIdentification”
Anti-Debugging Technique:
This Trojan employs the following Anti-Debugging/Anti-Analysis technique before it proceeds execution:
- Checks if its running inside a Virtual machine
- Checks if its running inside a Debugger
- Checks if its running under the following Automated Analysis Tools:
- Anubis
- CWSandbox
- JoeBox
Information Stealing:
It collects information from the following:
- Stored IE Account Information
- Stored Mozilla Firefox Account Information
- RAS Accounts
- Browser Autocomplete Forms Content
- Windows Live Account Information
- Current User Name
- Computer Name and IP Address
After it collects information, it will send them to a remote server through HTTP protocol.
Command & Control (C&C) Server connection:
It tries to connect to a remote server to receive further instruction and to send collected information:
- ownedbynob{REMOVED}biz:35578
- hackfre{REMOVED}.com
- steamgi{REMOVED}.at
SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:
- GAV: Rebhip.A
- GAV: Rebhip.A_2
- GAV: Spatet.B (Trojan)
