マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Trojan.Rbrute

Added to the Dr.Web virus database: 2014-02-26

Virus description added:

A Trojan designed to brute-force Wi-Fi router access passwords and distributed via a P2P network consisting of computers infected with Win32.Sector.

Communication with the server

Communication protocol is binary and has a simple structure. Messages have the following header:

struct thead{
  DWORD crc32;
  WORD size;
};

A message that comes after the header is encrypted using RC4 with the key as follows:

001ls\r\n%2.2u\r\n

The Trojan also adds a string, whose length is randomly chosen (3–20), to the size of the message (thead.size).

Then the bot sends the server requests that look as follows:

struct OP_01_REQ{
    BYTE op; //0x01
    BYTE rnd[3];
};
thead head;
OP_01_REQ op_01;

In reply, it receives the following commands:

Scan the specified range of IP addresses

The reply to this command looks as follows:

struct OP_01{
  BYTE op; //0x01
  DWORD addr; //start address
  BYTE count; //number of addresses to scan
};

The bot launches a circular scan and sends GET requests to addresses from the specified range. The requests look as follows:

http://%s/

In the reply, it looks for the following tag:

realm=\"

Using this tag, the Trojan identifies the router model.

The Trojan can crack passwords for the following router models:

DSL-2520U
DSL-2600U
DSL router
TD-W8901G
TD-W8901G 3.0
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-8840T 2.0
TD-W8961ND
TD-8816
TD-8817 2.0
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
echolife
level
TP-LINK
ZXV10 W300

If the tag contains a name from this list, the bot sends the server a report that looks as follows:

struct OP_02_REQ{
  BYTE op; //0x02
  DWORD addr;
  WORD rnd;
};

Crack password and change DNS

The Trojan receives the following command:

struct ITEM{
    DWORD addr; //router address
    BYTE len;
    BYTE password[len];
};
 
struct OP_02{
    BYTE op; //0x02
    DWORD dns; //dns address
    DWORD count; //number of passwords
    ITEM list[count]; //list of passwords
};

Then the Trojan goes through the passwords. As a login, Trojan.Rbrute uses the following values:

admin
support

First, the Trojan identifies the router model. After that, depending on the model, the malicious program sends POST or GET requests to corresponding scripts.

If the authorization attempt succeeds, the bot sends requests to change the device's DNS addresses. The first address is retrieved from the ns1=OP_02.dns request; the Google address (ns2=8.8.8.8) is used as the second one.

Then the Trojan reports that the password has been cracked.

BYTE op;
BYTE str[];

The str parameter has the following format:

url:login:password:type

The following command and control server address is hard coded in the Trojan's body:

142.4.213.220:48919

Operating routine

The Trojan is used to distribute Win32.Sector.

  1. To the compromised computer already infected with Win32.Sector, the malicious program downloads Trojan.Rbrute.
  2. Trojan.Rbrute receives a password dictionary and a command to search for Wi-Fi routers from the command and control server.
  3. If the search attempt is successful, Trojan.Rbrute modifies the router's DNS server settings.
  4. When another “healthy” machine tries to connect to the Internet through the compromised router, the user is redirected to a specially generated webpage.

  5. From this page, Win32.Sector is downloaded to the computer, and the infection process begins.
  6. Subsequently, Win32.Sector can download a copy of Trojan.Rbrute to the infected computer. The cycle is repeated.

The following example shows how connection to google.com is established:

nslookup google.com xx.xx.xxx.186
Server: xx.xx.xxx.186
Address: xx.xx.xxx.186#53
Non-authoritative answer:
Name: google.com
Address: xxx.xxx.xxx.92

Password dictionaries and configuration data look as follows:

0012EC72  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0012EC82  00 00 00 00 00 00 00 00  00 00 07 D5 E1 BB 6F 00  ...........-с¬o.
0012EC92  02 7A A8 87 E3 08 00 00  00 02 BF 79 F7 05 61 64  .zиЗу.....¬yў.ad
0012ECA2  6D 69 6E D2 38 78 F7 05  61 64 6D 69 6E 7A A9 87  minT8xў.adminzйЗ
0012ECB2  F7 06 64 72 61 67 6F 6E  BB 95 7D F7 06 6D 6F 6E  ў.dragon¬Х}ў.mon
0012ECC2  6B 65 79 02 B1 78 F7 06  61 62 63 31 32 33 D0 56  key.-xў.abc123¦V
0012ECD2  67 F7 06 64 72 61 67 6F  6E 7D A0 65 F7 08 74 72  gў.dragon}аeў.tr
0012ECE2  75 73 74 6E 6F 31 59 60  86 F7 08 70 61 73 73 77  ustno1Y`Жў.passw
0012ECF2  6F 72 64 00 00 00 00 00  00 00 00 00 00 00 00 00  ord.............
 
 
0012EC82  00 00 00 00 00 00 00 00  00 00 96 34 79 32 61 00  ..........Ц4y2a.
0012EC92  02 1F 1C 67 BA 06 00 00  00 BB AC 20 F8 07 67 69  ...g¦....¬м °.gi
0012ECA2  7A 6D 6F 64 6F 24 47 0A  F8 06 64 72 61 67 6F 6E  zmodo$G.°.dragon
0012ECB2  BB CC 09 F8 06 64 72 61  67 6F 6E 4F 00 11 F8 08  ¬¦.°.dragonO..°.
0012ECC2  70 61 73 73 77 6F 72 64  29 20 11 F8 06 31 32 33  password) .°.123
0012ECD2  34 35 36 59 BA 1C F8 07  67 69 7A 6D 6F 64 6F 00  456Y¦.°.gizmodo.
0012ECE2  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0012ECF2  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
 
 
0012EC82  00 00 00 00 00 00 00 00  00 00 E8 EA FD EE 38 00  ..........шъ¤ю8.
0012EC92  02 1F 1C 67 BA 02 00 00  00 BD F5 30 F8 06 31 32  ...g¦....-ї0°.12
0012ECA2  33 34 35 36 4F 81 3D F8  0D 41 64 6D 69 6E 69 73  3456OБ=°.Adminis
0012ECB2  74 72 61 74 6F 72 00 00  00 00 00 00 00 00 00 00  trator..........
 
 
0012EC82  00 00 00 00 00 00 00 00  00 00 5E 20 C1 C7 95 00  ..........^ +¦Х.
0012EC92  02 7A A8 87 E3 0A 00 00  00 BB 89 53 F8 08 6C 69  .zиЗу....¬ЙS°.li
0012ECA2  66 65 68 61 63 6B 3C F2  6F F8 07 73 75 70 70 6F  fehack<Єo°.suppo
0012ECB2  72 74 24 49 64 F8 05 61  64 6D 69 6E 7B 1C 56 F8  rt$Id°.admin{.V°
0012ECC2  0E 73 6F 70 6F 72 74 65  45 54 42 32 30 30 36 B4  .soporteETB2006+
0012ECD2  FB 53 F8 07 67 69 7A 6D  6F 64 6F 71 A7 66 F8 06  vS°.gizmodoqзf°.
0012ECE2  61 62 63 31 32 33 24 4C  60 F8 08 70 61 73 73 77  abc123$L`°.passw
0012ECF2  6F 72 64 75 C3 54 F8 04  72 6F 6F 74 5D 5A 57 F8  ordu+T°.root]ZW°
0012ED02  04 72 6F 6F 74 1F 09 53  F8 05 61 64 6D 69 6E 00  .root..S°.admin.
0012ED12  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

News about this threat

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android