Bandok Keylogger Trojan (Oct 21, 2010)


SonicWALL UTM Research received reports of new backdoor Trojan being spammed in the wild. The trojan arrives via email as an attachment.

If the user downloads and executes the file attachment from the email then it performs the following activities on the victim machine:

  • Process Information:
    • It creates the following processes
      • firefox.exe
      • cfmon_.exe
    • It creates the following mutexes
      • BEN333JDJDJ
      • fHDVQUw
  • Network Activity:
    • It connects to {removed}.com and downloads the following files.
    • screenshot

    • It uploads hardvested information back to the same domain. Here is screenshot of currently harvested user information as seen on the domain indexed by username.
    • screenshot

  • File Activity:

    It creates the following files

    • %windir%system32dreambupl.dll
    • %windir%system32dreambupws.dll
    • %windir%system32dreambupws.dll
    • %windir%system32dreamsqlite3.dll
    • %windir%system32dreamctfmon_.exe – Detected as GAV: Bandok.WG_2 (Trojan)
    • %windir%system32dreamdreamwaver.exe (copy of itself) – Detected as GAV: Bandok.WG (Trojan)
    • %windir%system32dream.bns
    • %windir%system32dreamblogs{DD}_{MM}_{YYYY}.html
    •   This file contains information about open windows and associated keystrokes which is uploaded to the domain. Sample of the file is as below: screenshot

  • Registry Activity:
    • It creates “HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun {VB45O-P98RE-KJL43-NMB4-DFR3T}” with value “%windir%System32dreamdreamwaver.exe” to ensure that it runs on every reboot
  • Information Harvesting:
    • It logs keystrokes for each active application
    • It logs form data from open web sessions
    • It harvests e-mail addresses from address book

SonicWALL Gateway AntiVirus provides protection against this Bandok Trojan with the following signatures
  GAV: Bandok.WG (Trojan)
  GAV: Bandok.WG_2 (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.