Backdoor-DZG.dll

Type: Trojan
SubType: HTTP/FTP Trans.
Discovery Date: 07/01/2009
Length: Varies
Minimum DAT: 5664 (07/02/2009)
Updated DAT: 5664 (07/02/2009)
Minimum Engine: 5.3.00
Description Added: 07/01/2009
Description Modified: 07/01/2009 8:48 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Overview -

-- Update July 1, 2009 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/06/26/ftp_malware_hack/

--

This detection is for DLL components dropped by Backdoor-DZG.dr.

Characteristics -

Backdoor-DZG.dll is dropped into the software installation folder of any of the following FTP-capable applications:

  • FTP Voyager(RhinoSoft.com)
  • AceFTP 3 (Visicom Media)
  • Auto FTP Manager 4
  • Whisper Technology\FTP Surfer
  • FTP Desktop
  • WS_FTP 12(Ipswitch)
  • LeechFTP
  • FlashFXP
  • GoFTP
  • FileZilla FTP Client
  • CoreFTP
  • FTP Commander
  • CuteFTP
  • SmartFTP Client
  • WinSCP
  • Total Commander
  • FTP Explorer
  • Mozilla Firefox
  • Internet Explorer
  • Opera
  • K-Meleon
  • FineBrowser
  • TurboFTP
  • NetSurf
  • SlimBrowser
  • Avant Browser
  • SphereXPlorer
  • Navigator 9
  • SEAGULL
  • Acoo Browser
  • Safari
  • Fast Browser
  • EmFTP
  • FTP Now
  • Far

The DLLs usually have the following names, which are the same file names as Microsoft DLLs found in the %System% folder:

  • ntshrui.dll
  • rasadhlp.dll

The file names have been selected intentionally, based on legitimate Microsoft DLL files found in the %System% folder. The listed software applications utilize the original Microsoft files during their operation. By placing files with these Microsoft file names in the installation folder of these applications, the malware forces the application to load the illegitimate DLL files instead of the originals.
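A defender-side check for the DLL planting described above, added here as an example and not part of the original advisory: it looks for the two DLL names in application installation folders and compares each copy with the one in %System%. The function and parameter names are my own, and the application paths in the usage stub are assumptions.

```python
import hashlib
import os
from pathlib import Path

# DLL names the advisory says the trojan plants next to FTP clients and browsers.
HIJACK_DLL_NAMES = ("ntshrui.dll", "rasadhlp.dll")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_planted_dlls(app_dirs, system_dir, names=HIJACK_DLL_NAMES):
    """Return (path, reason) for every copy of `names` found in an application
    folder. The application directory is searched before %System%, so any copy
    there shadows the Microsoft original and is reported even when the hashes
    happen to match; the reason string says which case applies."""
    system_dir = Path(system_dir)
    findings = []
    for app_dir in app_dirs:
        for name in names:
            candidate = Path(app_dir) / name
            if not candidate.is_file():
                continue
            original = system_dir / name
            if not original.is_file():
                reason = "no reference copy in system dir"
            elif sha256_of(candidate) != sha256_of(original):
                reason = "hash differs from system copy"
            else:
                reason = "identical to system copy but still shadows it"
            findings.append((str(candidate), reason))
    return findings


if __name__ == "__main__":
    # Assumed example paths: on a real host, enumerate the install folders of
    # the FTP clients and browsers the advisory lists.
    system = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    apps = [r"C:\Program Files\FileZilla FTP Client", r"C:\Program Files\WinSCP"]
    for path, reason in find_planted_dlls(apps, system):
        print(f"SUSPICIOUS {path}: {reason}")
```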

When loaded, the DLL checks for internet connectivity by querying yahoo.com and google.com. When successful, it attempts to connect to the following domain, from which it receives encrypted URL information in the form of an "iframe" that is used to download other files at a later point in time.

  • goooodbill.cn

It then connects to the following domain, from which it receives FTP account credential information in the form username:password@ftpsite.

  • vividns.net

The credentials served appear to be stolen user information. A different credential is received on every separate query via a PHP script.

The trojan uses the supplied credentials to set up an FTP session with the FTP server. On successful login, it enumerates all files on the server and injects a decrypted version of the "iframe" into web content files such as HTML files.

During our testing the encrypted "iframe" decrypted to the following URL:

  • tnx.name
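A scanner a site owner can run over served HTML to spot the injected frames described above, added here as an example and not part of the original advisory: it flags any iframe whose host is not on a trusted list, or that is sized or styled to be invisible. The sample page is constructed; only the tnx.name host comes from the advisory, and the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> src together with whether it looks hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        self.iframes.append((a.get("src", ""), hidden))


def suspicious_iframes(html, trusted_hosts):
    """Return the src of each iframe that points at an untrusted host or is
    hidden. A relative src (no host) counts as same-site and is only reported
    when hidden, so ordinary embeds on the site itself are not flagged."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for src, hidden in parser.iframes:
        host = (urlparse(src).hostname or "").lower()
        foreign = bool(host) and host not in trusted_hosts
        if foreign or hidden:
            flagged.append(src)
    return flagged


# Constructed sample page: one legitimate embed plus an injected, invisible
# frame pointing at the domain observed during the advisory's testing.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/player" width="640" height="360"></iframe>
<iframe src="http://tnx.name/" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, {"www.example.org"}):
        print(f"SUSPICIOUS iframe: {src}")
```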

Symptoms -

Presence of the above-mentioned DLL files in the software installation paths of the listed applications.

Method of Infection -

Dropped by Backdoor-DZG.dr.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants -

N/A