Roarur.dll

Type
Trojan
SubType
Remote Access
Discovery Date
01/14/2010
Length
Varies
Minimum DAT
5862 (01/15/2010)
Updated DAT
5997 (05/29/2010)
Minimum Engine
5.4.00
Description Added
01/14/2010
Description Modified
01/19/2010 1:33 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update Jan. 19, 2010 --

After in-depth analysis of updated Roarur.dll samples, the following information about the backdoor's capabilities was uncovered:

The following filenames were seen for DLLs associated with this detection:

  • Rasmon.dll
  • Securmon.dll
  • A0029670.dll
  • Acelpvc.dll
  • AppMgmt.dll

The file acelpvc.dll was identified as malicious; it is loaded by rasmon.dll and connects to an arbitrary IP:port chosen by the attacker. It imports VedioDriver.dll, which lets it monitor keyboard and mouse usage.

The samples above connect to one of the following domains:

  • 360.home[removed].com
  • sl1.home[removed].org
  • blog1.serve[removed].com
  • google.home[removed].com
  • ftp2.home[removed].com
  • update.our[removed].com

The malware connects to port 443, but the traffic is not SSL: it uses a custom encrypted protocol.
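One practical consequence of that last point is that the C2 channel can be spotted without knowing the custom protocol: the first client bytes of a genuine HTTPS connection form a TLS (or legacy SSLv2) ClientHello, and this traffic does not. The following Python is an added example, not code from this description or from McAfee. It classifies the first client payload of a set of flow records; the labels and byte strings in SAMPLE_FLOWS are constructed for illustration.

```python
"""Flag connections to TCP/443 whose first client bytes are not an SSL/TLS ClientHello.

Added example, not from the McAfee description, which only notes that the C2
channel uses port 443 with a custom encrypted protocol rather than SSL.
The flow records below are constructed; the destination labels are made up.
"""

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def looks_like_client_hello(payload: bytes) -> bool:
    """True if the first client bytes look like a TLS (or SSLv2) ClientHello."""
    if len(payload) < 6:
        return False
    # TLS record layer: type 0x16, version 3.x (SSL 3.0 .. TLS 1.3 record
    # versions), 2-byte length, then the first handshake message must be a
    # ClientHello. A plaintext record never exceeds 2^14 bytes.
    if payload[0] == TLS_HANDSHAKE and payload[1] == 0x03 and payload[2] <= 0x04:
        record_len = int.from_bytes(payload[3:5], "big")
        return payload[5] == CLIENT_HELLO and 0 < record_len <= 0x4000
    # SSLv2 ClientHello: 2-byte header with the high bit set, then type 0x01.
    # Old clients start this way even when they later negotiate SSL 3.0.
    return bool(payload[0] & 0x80) and payload[2] == CLIENT_HELLO


def find_non_tls_on_443(flows):
    """Return labels of flows to TCP/443 whose first client bytes are not TLS."""
    return [
        flow["label"]
        for flow in flows
        if flow["dport"] == 443 and not looks_like_client_hello(flow["first_client_bytes"])
    ]


# Constructed flow records: label, destination port, first client payload bytes.
SAMPLE_FLOWS = [
    {   # genuine TLS ClientHello header: record 16 03 01, length 0x00a5, handshake type 01
        "label": "browser-to-web-server",
        "dport": 443,
        "first_client_bytes": bytes.fromhex("16030100a5010000a10303"),
    },
    {   # opaque binary on 443 with no TLS record header: the pattern this page describes
        "label": "svchost-to-c2-candidate",
        "dport": 443,
        "first_client_bytes": bytes.fromhex("0100000044000000ff00"),
    },
    {   # plain HTTP on 80 is out of scope; the check is only about 443
        "label": "browser-http",
        "dport": 80,
        "first_client_bytes": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    },
    {   # SSLv2-style hello (high bit set, message type 1) still counts as SSL
        "label": "legacy-client",
        "dport": 443,
        "first_client_bytes": bytes.fromhex("802e01000200150000001000"),
    },
]

if __name__ == "__main__":
    for label in find_non_tls_on_443(SAMPLE_FLOWS):
        print("non-TLS traffic on 443:", label)
```

Feed it the first client-to-server payload of each flow to TCP/443, taken from a packet capture or a sensor that records initial bytes. Non-TLS traffic on 443 is a triage signal rather than proof of infection, since some legitimate tunnels and VPN clients also use 443 without TLS; correlate hits with the service and file indicators listed elsewhere on this page.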

Once installed, the backdoor has full control of the system. These are some of the capabilities identified:

  • Adjust process privileges, terminate processes
  • Control services
  • Remote file execution
  • Registry manipulation
  • File system manipulation (search, remove, copy)
  • System manipulation (turn system off, reboot, clean events)
  • Call other components, inter process communication
  • networks.ics manipulation

-- End of Jan. 19, 2010 update --

This Trojan is stage III of Operation Aurora. For more information on Operation Aurora, see:

  • Exploit-Comele - Operation Aurora (stage I - initial exploit)
  • Roarur.dr - Operation Aurora (stage II - downloaded malware)

When executed, this Trojan registers itself as a service hosted by svchost.exe (netsvcs group) on the victim's computer by setting the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]
    • "ImagePath" = %SystemDir%\svchost.exe -k netsvcs
    • "Start" = 02, 00, 00, 00 (SERVICE_AUTO_START, so the service starts at boot)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %]\Parameters
    • "ServiceDll" = %SystemDir%\rasmon.dll

Different variants have been observed using different file names, service names and DLL locations. For example:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    • ServiceDll = "C:\Documents and Settings\[username]\AppMgmt.dll"
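The persistence above can be hunted for offline from a registry dump. The following Python is an added example, not code from this description or from McAfee: it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` prints and flags services whose name is RaS plus four characters, whose ServiceDll file name is one listed on this page, or whose svchost-hosted ServiceDll lives outside System32 (as in the AppMgmt variant). SAMPLE_REG_QUERY is constructed; the service name RaSqpwo, the user name alice and the System32 path heuristic are assumptions, and the `\w` character class is a guess at what "random 4 chars" covers.

```python
r"""Hunt a `reg query` dump for the svchost service persistence described above.

Added example, not code from the McAfee description. Run
`reg query HKLM\SYSTEM\CurrentControlSet\Services /s > services.txt` on the
host under review and pass the file's text to hunt(). The sample below is
constructed: the service name RaSqpwo and the user name alice are made up.
"""
import re

# Key lines printed by `reg query ... /s`: the service key itself or its
# Parameters subkey. Group 1 is the service name in both cases.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)(\\Parameters)?\s*$",
    re.IGNORECASE,
)
# Value lines: "    Name    REG_TYPE    data" (data may contain spaces).
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

# "RaS" + 4 random characters, per the description (\w is an assumption).
RAS_NAME_RE = re.compile(r"^RaS\w{4}$")
# DLL file names the description associates with this detection.
KNOWN_DLLS = {"rasmon.dll", "securmon.dll", "a0029670.dll", "acelpvc.dll", "appmgmt.dll"}
# Where a legitimate svchost-hosted ServiceDll normally lives (heuristic, assumed).
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "%windir%\\system32\\", "c:\\windows\\system32\\")

# Constructed `reg query /s` output: one benign service and the two patterns on this page.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dhcpcsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSqpwo
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSqpwo\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\rasmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Documents and Settings\alice\AppMgmt.dll
"""


def parse_reg_query(text):
    """Return {service_name: {value_name: data}} from `reg query /s` output."""
    services = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY"):
            match = KEY_RE.match(line)
            current = match.group(1) if match else None  # skip Enum, Security, ...
            if current is not None:
                services.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, _reg_type, data = match.groups()
            services[current][name] = data
    return services


def assess_service(name, values):
    """List the reasons a service matches the persistence pattern (empty if none)."""
    reasons = []
    image_path = values.get("ImagePath", "").lower()
    service_dll = values.get("ServiceDll", "")
    dll_lower = service_dll.lower()
    if RAS_NAME_RE.match(name):
        reasons.append("service name is RaS followed by 4 characters")
    if dll_lower.rsplit("\\", 1)[-1] in KNOWN_DLLS:
        reasons.append("ServiceDll file name is associated with Roarur: " + service_dll)
    if "svchost.exe" in image_path and service_dll and not dll_lower.startswith(SYSTEM32_PREFIXES):
        reasons.append("svchost-hosted ServiceDll outside System32: " + service_dll)
    return reasons


def hunt(text):
    """Return {service_name: [reasons]} for every suspicious service in `text`."""
    hits = {}
    for name, values in parse_reg_query(text).items():
        reasons = assess_service(name, values)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for service, reasons in hunt(SAMPLE_REG_QUERY).items():
        print(service)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, Dhcp passes, RaSqpwo is flagged on both its name and rasmon.dll, and AppMgmt is flagged because its ServiceDll is a listed file name sitting in a user profile. The System32 heuristic is the part most likely to need tuning per environment; the name and file-name checks follow the page directly.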

The DLL (rasmon.dll) is loaded into svchost.exe as a service DLL and performs the following functions:

  • Checks whether the following files are present on the system:
    • acelpvc.dll (presence of this file does not necessarily imply an infection)
    • VedioDriver.dll (presence of this file does not necessarily imply an infection)

A connection is made to one of the following remote servers (new variants have been captured that connect to different servers):

  • 360.home[removed].com
  • update.ou[removed]y.com

The Trojan accepts commands from the controlling host. Different variants have different capabilities, including:

  • Escalate process privileges.
  • Shut down or reboot the system.
  • Execute commands via cmd.exe.
  • Download additional components.
  • Modify the system registry.
  • List local resources (drives, services, etc.).
  • Modify the local filesystem.
  • Execute mdm.exe.
  • Self-update.

The backdoor gathers the following information from the victim’s machine and sends it back to the server:

  • Content of HARDWARE\DESCRIPTION\System\CentralProcessor\MHz registry key
  • Service pack name
  • Machine name
  • OS Version

This information is stored in an encrypted file, %SystemDir%\drivers\etc\networks.ics.

For more details on the communication protocol, see:

McAfee Labs Blog: An Insight into the Aurora Communication Protocol

Symptoms

  • Presence of the above-mentioned activities.
  • Presence of the above-mentioned files.

Method of Infection

This threat is dropped by Roarur.dr.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This Trojan is dropped by the Roarur.dr Trojan.

It creates an additional service on the victim's computer and checks for the presence of certain files on the system.

Aliases

  • Operation Aurora
  • APPL/Remote.RealVNC.94 (Avira)
  • Backdoor.Mdmbot.A (VirusBuster)
  • Backdoor.Mdmbot.B (VirusBuster)
  • Backdoor:Win32/Mdmbot.A (Microsoft)
  • Backdoor:Win32/Mdmbot.B (Microsoft)
  • Backdoor:Win32/Mdmbot.C (Microsoft)
  • Backdoor:Win32/Mdmbot.D (Microsoft)
  • Trj/Roarur.A (Panda)
  • Troj/Spy-EY (Sophos)
  • TROJ_HYDRAQ.G (Trend Micro)
  • TROJ_HYDRAQ.SMA (Trend Micro)
  • Trojan.Hydraq (Symantec)
  • Trojan.Hydraq!gen1 (Symantec)
  • W32/Genome.EPOX!tr (Fortinet)
  • W32/Hydraq.K!tr (Fortinet)
  • Win32:Roarur [Trj] (Avast)
