BKDR_FONAMEBOT.A
Overview

Malware type: Backdoor

Aliases: Trojan-Clicker.Win32.Agent.kb (Kaspersky), Generic BackDoor (McAfee), Backdoor.Fonamebot (Symantec), TR/Click.Agent.KB (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

Low

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

BKDR_FONAMEBOT.A Malware Behavior Diagram

Malware Overview

This backdoor performs its routine by generating a URL to resolve, and it uses the hostent structure to do so. The hostent structure is a Windows networking structure that stores information about a host, such as its host name and IP address. Using this structure is normal for programs that access networks.

It reads the hostent structure to check whether its author or another application is trying to communicate with it. Once it confirms this, it waits for commands from that third party.

Note that it attempts to hide its communication with the other component (or its author) by using the DNS protocol. This technique relies on the two components (this backdoor and the third party) querying a particular DNS server for the same domain and then checking the server's reply (via the hostent structure). The components can thus communicate with each other through the state change introduced by their queries.

It generates URLs from strings held in lists that are encoded and encrypted within its body. This backdoor also encrypts each generated URL after use to prevent easy detection. The routine detailed above can compromise system security.

Note, however, that these observations are based on static analysis, as no malicious interaction with the network was seen after running this backdoor in the test environment for two days.
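The DNS signaling pattern described above (the same domain re-resolved repeatedly, with the answer changing between lookups) can be hunted for in resolver logs. The following is an added example, not code from Trend Micro or from this entry; the log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (assumed format: timestamp client qname A answer).
SAMPLE_LOG = """\
2007-07-08T10:00:01 10.0.0.5 update.vendor-example.test A 93.184.216.34
2007-07-08T10:00:05 10.0.0.7 qx3k9v.example.test A 127.0.0.1
2007-07-08T10:01:05 10.0.0.7 qx3k9v.example.test A 127.0.0.1
2007-07-08T10:02:05 10.0.0.7 qx3k9v.example.test A 127.0.0.2
2007-07-08T10:03:05 10.0.0.7 qx3k9v.example.test A 127.0.0.2
2007-07-08T10:05:00 10.0.0.5 update.vendor-example.test A 93.184.216.34
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")


def parse(log):
    """Yield (timestamp, client, qname, answer) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qname, answer = m.groups()
            yield datetime.fromisoformat(ts), client, qname, answer


def find_dns_signaling(log, min_queries=3, max_gap_s=120):
    """Return (client, qname) pairs that a client re-resolves at short,
    regular intervals and whose A answer changes between lookups, i.e. the
    'state change' channel described for this backdoor. Thresholds are
    hypothetical and should be tuned per environment."""
    series = defaultdict(list)
    for ts, client, qname, answer in parse(log):
        series[(client, qname)].append((ts, answer))
    hits = []
    for key, events in series.items():
        events.sort()
        if len(events) < min_queries:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        answers = {ans for _, ans in events}
        # Polling cadence plus a flipping answer is the signal worth reviewing.
        if max(gaps) <= max_gap_s and len(answers) > 1:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for client, qname in find_dns_signaling(SAMPLE_LOG):
        print(f"review: {client} polling {qname} with changing answers")
```

Legitimate software also re-resolves names, so a hit is a lead for review rather than a verdict; correlating the client process with the query helps separate the two.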

For additional information about this threat, see:
Solution
Technical Details

Description created: Jul. 8, 2007 11:58:32 AM GMT -0800
