ユーザー向け情報

マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話
24時間体制サポート | テクニカルサポート利用方法

お問い合わせ履歴

電話する

+7 (495) 789-45-86

Profile

BackDoor.Logtu.1

Added to the Dr.Web virus database: 2020-05-21

Virus description added:

Packer: absent

Compilation date:
11.01.2018 12:16:21 (x86 version)

SHA1 hash :

  • 7797107eb4a9a9e4359413c15999603fa27714b3

Description

A multifunctional backdoor trojan for 32-bit and 64-bit Microsoft Windows operating systems. It represents an executable library written in C++. It uses vector classes and strings from the STL library (Standard Template Library). The main function of the trojan is to obtain unauthorized access to infected computers and perform malicious actions at attackers’ commands.

Operating routine

The library contains the following exporting functions:

ServiceMain
mymain

The mymain carries the main functionality of the trojan.

mymain function

When called, this function uses GetTempFileNameW to generate the name of the temporary file with the rar prefix and opens it for writing. This file is used as a journal. Writing to the journal is performed in the following format:

[%d-%02d-%02d %02d:%02d:%02d] %d %d\n%s\n\n" => "[YYYY-MM-DD HH:MM:SS] <rec_id>
<error_code>\n<record>\n\n

where:

  • rec_id — is a record type ID;
  • error_code — error code (in most cases, it has a 0) value; if an error occurs during execution, the GetLastError() or WSAGetLastError() value is written;
  • record — additional data.

Before it is added to the journal, the written data is encoded with the XOR operation, using the 0x31 byte. The rec_id table of ID values is listed at the end of this description.

Next, the trojan collects the following information about the infected system:

 
struct sysinfo
{
DWORD dword_0;
DWORD is_VMWare;
WCHAR str_test[8]; //возможно ID
DWORD dword_1;
BYTE user_name[64];
BYTE gap_0[64];
WCHAR host_IP[20];
DWORD osver_Major;
DWORD osver_Minor;
DWORD uiANSI_CP;
DWORD uiOEM_CP;
WCHAR host_name[15];
BYTE gap_1[98];
BYTE user_SID[128]; //string SID
DWORD osver_ProductType;
BYTE is_Wow64process;
BYTE mac_address[12];
BYTE gap_2[3];
DWORD number_of_processors;
DWORD total_phys_mem_MBytes;
};

It then checks that the library runs inside the VMWare virtual machine environment. If it detects a virtual machine, the corresponding information is added to the collected system data, while the trojan continues to run.

BackDoor.Logtu.1 #drweb

There is a list of several C&C server addresses encoded inside the source code of the BackDoor.Logtu.1. They are encrypted with the XOR, using the 0x11 byte. However, only the first address from that list is used to control the backdoor. See this list below:

104.194.215[.]199;
192.168.1[.]115;
www.test[.]com.

Moreover, the trojan stores an array of ports within which each element corresponds to one of the servers above:

443, 443, 80

BackDoor.Logtu.1 has an option to use a proxy server, but the analyzed sample lacks such an address. If the proxy server address is present, it is also encoded byte by byte with the XOR operation, using the 0x11 byte.

After the initial preparation, the trojan launches the cycle of connections to the C&C server through the TCP socket. Within the first connection, BackDoor.Logtu.1 tries to directly connect to the server. If it fails, it uses an HTTP proxy server if its address is encoded into the body of the trojan. If it wasn’t successful, the trojan extracts the proxy server parameters from the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer registry key and tries to establish the connection. . In case of another failure, the backdoor tries to obtain the proxy server information through the WinHTTP API, sending the google[.]com request via the WinHttpGetProxyForUrl function. If this attempt has also failed, BackDoor.Logtu.1 tries to extract the corresponding settings from the HKU\<session_user_SID>\...\ProxyServer registry key. . This cycle repeats until the trojan is successfully connected to the server.

After successfully connecting, BackDoor.Logtu.1 sends the information about the infected system to the server. The data transfer and response receipt is divided into two stages:

  • sending the packet with the length of the payload;
  • sending the payload itself.

The value of the packet with the length of 4 bytes equals <payload_len>+4. This is because the packet with the payload contains a 4 bytes prefix, which in turn, contains the payload ID. Consequently, the payload has the format as shown below:

struct payload
{
DWORD payload_id;
BYTE payload[payload_len];
}

The data transferred from the trojan to the server, as well as its response, are encrypted with the RC4 algorithm. The encryption key is stored inside the trojan body as a separate string, but calculates using the following algorithm:

from hashlib import md5
password = "123456"
salt = md5("").hexdigest()
key = md5(password + salt).hexdigest()

The ID of the packet with the system information has a value of 0.

BackDoor.Logtu.1 #drweb

After the system information is sent and the trojan receives the response from the server, it launches a thread that sends heartbeats every minute. Their ID has a value of 1 and the payload length has a value of 0. After 10 packets are sent, the server connection closes and reestablishes again.

The backdoor waits for the server reply with the packet with the length value that should not exceed 0x1F40. Next, it waits for the packet itself, which contains the command as a payload. After this packet is decrypted, it checks the value of the first DWORD, which is the command ID. The ID value should not exceed 0x34.

In some cases, the command contains additional parameters presented in the form of the strings split with the | symbol. The structure of this command has the form of the "param_0"|"param_1"|...|"param_n".

The list of commands that the trojan can receive and execute is shown in the table below:

Command ID Command description
0x00 NOP
0x01 Calls GetTickCount(), writes the result into the global variable.
0x02 In this command, two parameters separated with the | symbol, are received: The first one is the path to the file. The trojan uses it to form two new paths:
  • <param_0>.tu;
  • <param_0>.tut.

Next, the trojan checks if the file with the original name, specified in the command, exists. If it exists, the trojan sends the response <param_1>|01 to the server. If it does not exist, it checks if the <param_0>.tu is present. If this file exists, the trojan sends its size as a <param_1>|<size>. If the <param_0>.tu file does not exist, the trojan creates the file <param_0>tut, writes the string, which consists of 32 zeros, into it and deletes the file.

Depending on the command execution results, the trojan can send various types of responses to the server. In cases of failure at any given step of the command execution, the trojan sends <param_1>|<code>, where code can have a value from 01 to 05.

0x03 Creates an application process with the <param_0> name and <param_1> command line parameters.
0x04 Runs a separate thread that lists the processes and sends the information about them to the C&C server one by one. Before the listing, the packet with the 0x17 ID and a DWORD 0x47 payload is sent to the server. It is sent as follows:
        struct process_info
        {
        WCHAR proc_name[30];
        DWORD PID;
        DWORD parent_PID;
        WCHAR self_module_path[260]
        }
        

Herewith, self_module_path is only sent when the process is running in the WOW64 environment. Otherwise, this string is filled with 0 values.

0x05 Launches the cmd.exe thread. It creates the cmd.exe process with the input-output redirection into the pipes. After the process is created, it sends a packet with the 0x17 ID and a 0x3D payload in case of a successful connection, or 0x3E in case of a failure. Herewith, the trojan receives the input parameters of the command line from the message using the GetMessage function. The results are sent with the 0x06 ID.
0x06 Input of the parameters for the cmd.exe. Using PostThreadMessage, it sends the message 0x464 to the cmd.exe thread and puts the data from the command into lParam.
0x08 Ends the connection, sending a packet with the 0x17 packet ID and a DWORD 0x3E payload prior, then deletes its service and executable file.
0x09 Opens the file for writing from the end and writes the buffer received in the command into it. Command’s parameters:
  • param_0 — name of the file;
  • param_1 — unknown value;
  • param_2 — buffer size;
  • param_3 — special flag; if it equals 1, then the file must be moved;
  • param_4 — a buffer for a writing.

It adds a param_0 extension to .tu, opens (or creates) the resulting file for writing, places the pointer to the end of the file and writes a param_4 buffer. If param_3 equals 1, then it deletes the param_0 file and renames the file <param_0>.tu into param_0.

0x14 Gets the size of the file specified in the command.
0x15 Reads the 0x1000 bytes from the param_0 file, starting with param_2, and sends the results with the 0x15 ID to the server.
0x16 Deletes the specified file. If successful, it sends a packet with the 0x17 ID and a DWORD 0x1F payload to the server; in case of an error, a packet with the 0x20 ID is sent instead.
0x17 If the first DWORD of the command’s body equals 1, the trojan goes to sleep for 1 second; if it equals 2 the trojan closes the file handle.
0x18 Ends the process with PID specified in the command. In return, the C&C server sends the packet with the 0x17 ID. If successful, DWORD 0x0B is sent along with this ID. If failed, 0x0C will be sent.
0x19 Gets information about disks. Upon receiving this command, the trojan checks all the disks available from the letter A to the Z and sends information about each of them to the C&C server.

The disk information is sent as a the following structure:


          struct disk_info
          {
          DWORD root_path;
          DWORD dword_0;
          DWORD type;
          DWORD dword_1;
          DWORD cdrom_or_removable;
          }
        

Herewith, if the disk found has a DRIVE_REMOVABLE type or a DRIVE_CDROM type, the trojan indicates the value 1 in the cdrom_or_removable parameter.

Prior to listing the disks, the trojan sends the disk_info structure with the dword_1 value, which equals 1, as well as other parameters, which are equal to 0.

0x20 Gets the file list in the specified folder. The list is formed as lines of the <file_name>;<file_size>;<last_write_time(YYYY-MM-DD hh:mm:ss)>;<is_dir> format, which are separated by the | symbol.

If the object represents the directory, the <is_dir> value is indicated as 1; if the object represents a file, the 0 value is indicated.

0x22 Creates the TCP tunnel. This command has the host parameters to connect to. The parameters come as the following structure:

        struct tunnel_host
        {
        WORD index;
        char hostname[66];
        DWORD port;
        }
        

Where index is the tunnel index.

After connecting to the host, the trojan receives a block with the size of 0x400 bytes and sends it to the C&C server as the following structure:


        struct tunnel_data
        {
        WORD index;
        char buffer[];
        }
        

After the last block is sent, the trojan sends the index with the 0x24 ID.

0x23 Sends the data to the tunnel. The C&C server sends the structure tunnel_data, and the trojan sends the data into the tunnel with the tunnel_data.index index.
0x24 This command contains tunnel index that needs to be closed.
0x25 This command contains the structure tunnel_host. The trojan creates a TCP socket, binds the port to tunnel_host.port, and awaits for the incoming connection.

Upon receiving the incoming connection, the trojan sends a zero-length packet without a payload and 0x25 to the C&C server. After that, it receives the data from the new connection, along with the 0x26 ID and sends them to the C&C server.

0x26 The command contains a tunnel_data structure. Upon receiving this command, the trojan sends the data to the connection it received in the 0x25 command.
0x28 Ends the thread sending the heartbeats.
0x29 Moves the file from param_0 to the param_1.
0x31 Creates a desktop screenshot.
0x33 Gets the list of running services as strings <service_name>;<service_display_name>;<current_state>, separated with the | symbol.
0x34 Services management command.

If param_0 has a 0 value, the trojan stops the param_1 service;

If param_0 has a 1 value, the trojan launches the param_1 service.

Upon receiving the command with the 0x17 ID, the trojan closes the file handler, which is stored in the global variable. This file is used only twice: once upon receiving the command, specified earlier, and once in the journal writing function.

File handler closing:

BackDoor.Logtu.1 #drweb

Writing to the journal (logging):

BackDoor.Logtu.1 #drweb

Table of the identifiers of the log entries types

rec_id identifier Error code Log entry type Description
0x01 0 No entry Written at the beginning of the execution.
0x0E 0 The name of the C&C server
0x0F WSAGetLastError() No entry Added upon C&C server connection error.
0x07 0 Proxy server name
0x08 0 No entry Added before connecting to the proxy server.
0x09 GetLastError() No entry Added upon proxy server connection failure.
0x0A 0 CONNECT <proxy_addr>:<proxy_port> HTTP/1.1\r\nProxy-Authorization: Basic <proxy_auth>\r\n\r\n

or

CONNECT <proxy_addr>:<proxy_port> HTTP/1.1\r\n\r\n, if proxy server authorization parameters are missing
HTTP-proxy connection string.
0x0B GetLastError() No entry Added if there is a proxy server connection error.
0x0C GetLastError() No entry Added upon receiving an empty reply from a proxy server.
0x0D 0 Proxy server response Added upon successfully connecting to the proxy server.
0x05 GetLastError() No entry Added when a HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings registry key opening failed.
0x06 0 A not find proxy address string which is encoded inside the body of the trojan. Added if ProxyServer registry parameter value receiving failed.
0x03 0 No entry Added when a system information packet is sent through the proxy server, whose address is encoded inside the trojan body.
0x04 0
1
2
No entry
No entry
No entry
Added when system information is sent through the proxy server: from the registry section HKCU;
received using WinHTTP API;
from the HKU\<session_user_SID> registry section
0x02 0 No entry Added when system information is sent directly to the server.
0 No entry Added after system information is sent to the server and before a thread with heartbeats is launched

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

ロシアに本社を置く、『Dr.Webアンチウイルスソフトウェア』のデベロッパーです。
1992年に製品の開発をスタートしました。
Dr.Webは世界200ヶ国以上のユーザーに利用されています。
2007 年、アンチウウイルスサービス(SaaS)の提供が開始しました。
24時間体制サポート

Dr.Web © Doctor Web
2003 — 2021

Doctor Webは、ロシアに本社を置く、『Dr.Webアンチウイルスソフトウェア』のデベロッパーです。その製品の開発は1992年に始まりました。

株式会社Doctor Web Pacific 〒105-0003 東京都港区西新橋1-14-10 西新橋スタービル 2F