Drive-by download leads to Backdoor Trojan (May 11, 2011)
The SonicWALL UTM Research team discovered instances of malicious Java applets being used to perform drive-by downloads of malware. Once the applet executes, the malware is downloaded and executed without any further user interaction. The downloaded malware was found reporting system information back to a remote server, and it also opens a backdoor on the victim's machine. When a user visits a malicious domain hosting the applet, it runs as seen below:
The applet is unsigned and prompts for the user's permission to run. If the user allows it, the applet silently downloads a file and executes it. The downloaded executable performs the following activities:
- It drops the following copies of itself:
  - %appdata%\DocumentWriter.exe [Detected as GAV: VB.SGQ (Trojan)]
  - %temp%\privzate.exe [Detected as GAV: VB.SGQ (Trojan)]
  - %temp%\6858.jpg [Detected as GAV: VB.SGQ (Trojan)]
  - %temp%\51156.jpg [Detected as GAV: VB.SGQ (Trojan)]
- It creates the following registry entry to ensure that it runs on every system reboot:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%appdata%\DocumentWriter.exe"
- It determines the victim's public IP address by issuing the following HTTP request to api.ipinfodb.com:
  - GET /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off
- It opens a backdoor that listens on TCP port 1232.
- It sends information back to a remote server, including the malware version, infection date, IP address, OS information and screenshots.
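The indicators listed above (dropped files, the HKCU Run entry, the ipinfodb lookup and the TCP 1232 listener) can be checked mechanically against artefacts collected from a suspect host or from network logs. The script below is an added example written for this page and is not SonicWALL's code; the `.reg` export, `netstat -ano`, file-listing and proxy-log formats it parses are assumed, and the sample lines at the bottom are constructed. Note that api.ipinfodb.com is a legitimate geolocation service, so that indicator on its own is only corroborating evidence.

```python
"""Triage a host against the indicators from the write-up above.

Added example, not SonicWALL's code. Input formats are assumptions:
a .reg export, `netstat -ano` output, a plain file listing and a
generic proxy log of the form `<time> <client_ip> <method> <host> <path>`.
"""
import re

# Indicators from the write-up. Paths are compared case-insensitively and
# both the unexpanded (%temp%\...) and the expanded on-disk form are accepted.
DROPPED_FILE_SUFFIXES = (
    r"\appdata\roaming\documentwriter.exe",   # %appdata%\DocumentWriter.exe
    r"\temp\privzate.exe",                    # %temp%\privzate.exe
    r"\temp\6858.jpg",                        # %temp%\6858.jpg
    r"\temp\51156.jpg",                       # %temp%\51156.jpg
)
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUE_DATA = r"%appdata%\documentwriter.exe"
IP_LOOKUP_HOST = "api.ipinfodb.com"
# The write-up shows one specific API key; any key value is accepted here.
IP_LOOKUP_PATH = re.compile(r"^/v2/ip_query_country\.php\?key=[0-9a-f]+&timezone=off$", re.I)
BACKDOOR_PORT = 1232


def _expand(path):
    """Lower-case a path and expand the two env vars the sample uses.
    The user name is a placeholder; only the path suffix is ever compared."""
    p = path.strip().strip('"').lower()
    p = p.replace("%appdata%", r"c:\users\x\appdata\roaming")
    p = p.replace("%temp%", r"c:\users\x\appdata\local\temp")
    return p


def check_files(paths):
    """Return the entries of a file listing that match a dropped-file path."""
    return [p for p in paths if _expand(p).endswith(DROPPED_FILE_SUFFIXES)]


def check_run_key(reg_lines):
    """Return (value_name, data) pairs under HKCU\\...\\Run whose data is the
    dropped DocumentWriter.exe. A .reg export writes the key in [brackets]
    and values as "name"="data" with backslashes doubled. The value name is
    not given in the write-up, so the match is on the data only."""
    hits, in_run_key = [], False
    for line in reg_lines:
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY
        elif in_run_key and line.startswith('"'):
            m = re.match(r'^"([^"]*)"="(.*)"$', line)
            if m and _expand(m.group(2).replace("\\\\", "\\")) == _expand(RUN_VALUE_DATA):
                hits.append((m.group(1), m.group(2)))
    return hits


def check_listeners(netstat_lines):
    """Return PIDs with a TCP listener on the backdoor port, parsed from
    `netstat -ano` rows (Proto  Local  Foreign  State  PID)."""
    pids = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if int(parts[1].rsplit(":", 1)[1]) == BACKDOOR_PORT:
                pids.append(int(parts[4]))
    return pids


def check_proxy_log(log_lines):
    """Return client IPs that issued the sample's ipinfodb geolocation lookup."""
    clients = []
    for line in log_lines:
        parts = line.split()
        if (len(parts) == 5 and parts[2] == "GET"
                and parts[3].lower() == IP_LOOKUP_HOST and IP_LOOKUP_PATH.match(parts[4])):
            clients.append(parts[1])
    return clients


def triage(files, reg_lines, netstat_lines, proxy_lines):
    """Run every check and return the findings keyed by indicator type."""
    return {
        "dropped_files": check_files(files),
        "run_key": check_run_key(reg_lines),
        "backdoor_pids": check_listeners(netstat_lines),
        "ip_lookup_clients": check_proxy_log(proxy_lines),
    }


# Constructed sample artefacts (not real captures).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\DocumentWriter.exe",
    r"C:\Users\alice\AppData\Local\Temp\privzate.exe",
    r"C:\Users\alice\AppData\Local\Temp\51156.jpg",
    r"C:\Users\alice\AppData\Local\Temp\holiday.jpg",   # benign
]
SAMPLE_REG = [
    r"Windows Registry Editor Version 5.00",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
    r'"DocumentWriter"="%appdata%\\DocumentWriter.exe"',
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832",
    "  TCP    0.0.0.0:1232           0.0.0.0:0              LISTENING       2044",
    "  TCP    10.0.0.5:49211         93.184.216.34:80       ESTABLISHED     2044",
]
SAMPLE_PROXY = [
    "2011-05-11T09:14:02Z 10.0.0.5 GET api.ipinfodb.com /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off",
    "2011-05-11T09:14:05Z 10.0.0.7 GET www.example.com /index.html",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PROXY).items():
        print(f"{kind}: {hits}")
```

On a live host the same checks would be fed from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, `netstat -ano` and a recursive listing of `%appdata%` and `%temp%`; the PID returned for the port 1232 listener is the process to acquire before remediation.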
SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
GAV: ClsDLod.A (Trojan)
GAV: ClsDLod.A_2 (Trojan)
GAV: VB.SGQ (Trojan)