DESTOVER “WINDOWSUPDATETRACING” BACKDOORS, SEPT-OCT 2014
This malware is somewhat different in design from the previously mentioned variants. The installer package installs the backdoor along with legitimate packet filtering components, and there is code to steal credentials from a great many different products, some of which are Korean. One interesting feature of this malware is its limited support for other languages: it contains user folder names in, for example, Spanish and Portuguese in addition to English. The name “WindowsUpdateTracing” is derived from a mutex created by this variant; typically this will be “WindowsUpdateTracing0.5”, but the suffixes “0.6” and “0.7” also exist. Chopstring API obfuscation is also present.
Command integers are in the range 0x58692ab8-0x58692ac0.
This trojan uses a semi-traditional Command and Control model, with connections seemingly going to a number of DynDNS domains that are defined in an accompanying configuration file named msxml15.xml. This configuration file is encrypted using RC4, typically with the RC4 key “BAISEO%$2fas9vQsfvx%$”, though some samples use the API name “GetFileAttributesW” as the key – possibly a bug.
Known C2 domains:
However, the DNS resolution for these domains is misleading. The IP address returned by the DNS server will be XOR’ed with a 32-bit key (we have seen two different keys, depending on variant type), which yields the correct C2 IP address to use. This means that relying on DNS resolution to identify C&C hosts will not work.