
Akak Trojan Analysis

SecureWorks' security research team has discovered a new backdoor/proxy trojan using the (currently unpatched) IE drag-n-drop vulnerability to spread. As it appears to be a currently unknown first variant of a potential family of trojans, we have tentatively named this new threat "Akak".

The exploit code was detected on a Chinese webserver located at 202.104.242.156, with a hostname of "prezer.biz". The same server listens on port 4321 for incoming connections from infected hosts, and acts as a master control server.

File Information

Download Filename: testexe.exe
Install Filename: rb.exe

"A" Variant:

Size: 8,192 bytes
MD5: b65cc7eecfae7b12d36a703623c07b56
PE Timestamp: Sat Aug 28 17:13:07 2004

"B" Variant:

Size: 8,704 bytes
MD5: 1624adca325ff8f79048e2a81f8c0381
PE Timestamp: Mon Aug 30 19:44:05 2004

Functionality

  • Creates a mutex "J&^srl!hsl^AHSgh". If the mutex exists (indicating another copy of the trojan is in memory) the trojan exits.
  • Calls RegisterServiceProcess to ensure the process continues running after the current user logs off
  • Copies itself to %sysdir% as "rb.exe"
  • Sets the following registry entry to load at boot:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run
            RamBooster2 => "%sysdir%\rb.exe"
  • Calls "net stop SharedAccess" to disable the Internet Connection Firewall (ICF) if running
  • Attempts to download information from the master control server on port 4321 and stores it in %sysdir%\lhosts.txt
  • Creates a Socks4/5 proxy listener on port 5555
  • Creates a backdoor listener on port 4321 which can:
    • Report system information
    • Download and execute additional programs
    • Uninstall the trojan

The master server list can apparently be updated via the backdoor protocol, allowing the trojan network operator to maintain control even if the initial master server is taken down.

If the %sysdir%\lhosts.txt file cannot be created, the trojan falls back to the filename kaka2.txt in the current working directory.

Manual Removal

  • Use the Task Manager to kill the process associated with testexe.exe or rb.exe
  • Delete %sysdir%\rb.exe
  • Remove the registry value:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RamBooster2
  • If using the Internet Connection Firewall, restart by opening a command prompt and typing "net start SharedAccess"

Snort Signatures

The following Snort signatures can detect the Akak trojan on your network:

alert tcp any any -> any 4321 (msg:"Akak trojan protocol hello"; content:"|89 13 00 00|"; dsize:4; flow:established,to_server; reference:url,www.secureworks.com/research/threats/akak; classtype:trojan-activity; sid:1000120; rev:1;)

alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"Akak trojan protocol response from infected host"; content:"|6f 17 00 00|"; dsize:4; flow:established,to_client; reference:url,www.secureworks.com/research/threats/akak; classtype:trojan-activity; sid:1000121; rev:1;)

Remote Uninstall

The following command line can remotely uninstall Akak from an infected machine (requires Perl and Netcat):

perl -e 'print "\xec\x13\x00\x00"' | nc [infected host ip] 4321
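As an added example (not SecureWorks' code), the following Python script emulates the two Snort signatures above and also recognises the 4-byte uninstall command, run over constructed TCP segments. It assumes the 4-byte Akak messages are little-endian 32-bit integers; the page only gives the raw bytes, so that decoding is an assumption, as are the sample addresses.

```python
# Added example, not from the original analysis: emulate the Akak Snort rules
# (content match + dsize:4 + direction) over constructed TCP segments.
import struct
from typing import NamedTuple, Optional, List, Tuple

AKAK_PORT = 4321

# Byte sequences copied from the page's Snort rules and uninstall command line.
HELLO     = bytes.fromhex("89130000")  # client -> control server (sid 1000120)
RESPONSE  = bytes.fromhex("6f170000")  # infected host -> client (sid 1000121)
UNINSTALL = bytes.fromhex("ec130000")  # client -> infected host (remote uninstall)

class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def opcode(payload: bytes) -> Optional[int]:
    """Decode a 4-byte Akak message as little-endian uint32 (assumed encoding).
    Returns None for any other size, mirroring Snort's dsize:4 exact match."""
    if len(payload) != 4:
        return None
    return struct.unpack("<I", payload)[0]

def classify(seg: Segment) -> Optional[str]:
    """Return the alert message that fires for this segment, or None.
    Direction follows the two rules: to port 4321 is to_server,
    from port 4321 is to_client."""
    if len(seg.payload) != 4:                      # dsize:4
        return None
    if seg.dport == AKAK_PORT and seg.payload == HELLO:
        return "Akak trojan protocol hello"
    if seg.sport == AKAK_PORT and seg.payload == RESPONSE:
        return "Akak trojan protocol response from infected host"
    if seg.dport == AKAK_PORT and seg.payload == UNINSTALL:
        return "Akak remote uninstall command"     # not a page rule; derived from the nc line
    return None

def scan(segments: List[Segment]) -> List[Tuple[str, str, str]]:
    hits = []
    for s in segments:
        name = classify(s)
        if name:
            hits.append((s.src, s.dst, name))
    return hits

# Constructed sample traffic; addresses are placeholders, not real hosts.
SAMPLE = [
    Segment("10.0.0.5", 40001, "10.0.0.9", 4321, HELLO),
    Segment("10.0.0.9", 4321, "10.0.0.5", 40001, RESPONSE),
    Segment("10.0.0.5", 40002, "10.0.0.9", 4321, UNINSTALL),
    Segment("10.0.0.5", 40003, "10.0.0.9", 4321, HELLO + b"junk"),  # dsize != 4: no alert
    Segment("10.0.0.5", 40004, "10.0.0.9", 80, HELLO),              # wrong port: no alert
]
```

Under the little-endian reading the three messages decode to 5001 (hello), 5999 (response) and 5100 (uninstall), which is a convenient way to log them by number.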
