Roarur.dll

-- Update Jan. 19, 2010 --

After in depth analysis of updated samples of Roarur.DLL, the following information regarding the backdoor capabilities was uncovered:

The following filenames were seen for DLLs associated with this detection:

• Rasmon.dll
• Securmon.dll
• A0029670.dll
• Acelpvc.dll
• AppMgmt.dll

The file acelpvc.dll was identified as malicious, loaded by rasmon.dll to connect to any arbitrary IP:PORT chosen by the attacker. It imports VedioDriver.dll to allow it to monitor keyboard and mouse usage.

The samples above connect to one of the following domains:

• 360.home[removed].com
• sl1.home[removed].org
• blog1.serve[removed].com
• google.home[removed].com
• ftp2.home[removed].com
• update.our[removed].com

The malware connect to port 443 but the communication protocol is not SSL. It is a custom encrypted protocol.

When installed on the system, the backdoor has full control of the system. These are some of the capabilities identified:

• Adjust process privileges, terminate processes
• Control services
• Remote file execution
• Registry manipulation
• File system manipulation (search, remove, copy)
• System manipulation (turn system off, reboot, clean events)
• Call other components, inter process communication
• Network.ics manipulation

-- --

This Trojan is stage III of Operation Aurora, for more information on Operation Aurora, see:

• Exploit-Comele - Operation Aurora (stage I - initial exploit)
• Roarur.dr - Operation Aurora (stage II - downloaded malware)

When executed this trojan creates a service on the victim's computer and modifies the following registry keys:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %]
• "ImagePath" = %SystemDir%\svchost.exe -k netsvcs
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %]
• "Start"= 02, 00, 00, 00
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %] \Parameters
• "ServiceDll" = %SystemDir%\rasmon.dll

Different variants have been observed using different file names, services names and dll locations. For example:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters 
• ServiceDll = "C:\Documents and Settings\[username]\AppMgmt.dll" 

The DLL (RASMON.DLL)  is injected into the SVCHOST.EXE and performs the following functions:

• Checks to see if the following files are present on the system:
• acelpvc.dll (presence of this file does not necessarily imply an infection )
• VedioDriver.dll (presence of this file does not necessarily imply an infection )

Connection to the following remote server is made (new variants have been captured that connect to different servers):

• 360.home[removed].com
•  update.ou[removed]y.com

The trojan accepts commands from the controlling host. Different variants have different capabilities including:

• Escalate process priviledges.
• Shutdown or reboot the system.
• Execute commands via cmd.exe.
• Download additional components.
• Modify the system registry.
• List local resources (Drives, services etc.)
• Modify the local filesystem.
• execute mdm.exe.
• Self update.

The backdoor gathers the following information from the victims machine and sends it back to the server:

• Content of HARDWARE\DESCRIPTION\System\CentralProcessor\MHz registry key
• Service pack name
• Machine name
• OS Version

Informations are stored in an encrypted file in windows/system32/drivers/etc/networks.ics file.

For more details on the communication protocol, see:

This threat is dropped by Roarur.dr

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations