Roarur.dll

This page shows details and results of our analysis of the malware Roarur.dll

Overview

This trojan is dropped by the Roarur.dr trojan.

It creates an additional service on the victim's computer and checks for the presence of certain files on the system.

Aliases:

  • Operation Aurora


Minimum Engine

5600.1067

File Length

Varies

Description Added

2010-01-14

Description Modified

2010-01-19

Characteristics

-- Update Jan. 19, 2010 --

After in-depth analysis of updated samples of Roarur.DLL, the following information regarding the backdoor capabilities was uncovered:

The following filenames were seen for DLLs associated with this detection:

  • Rasmon.dll
  • Securmon.dll
  • A0029670.dll
  • Acelpvc.dll
  • AppMgmt.dll

The file acelpvc.dll was identified as malicious; it is loaded by rasmon.dll and connects to an arbitrary IP:port chosen by the attacker. It imports VedioDriver.dll, which allows it to monitor keyboard and mouse usage.

The samples above connect to one of the following domains:

  • 360.home[removed].com
  • sl1.home[removed].org
  • blog1.serve[removed].com
  • google.home[removed].com
  • ftp2.home[removed].com
  • update.our[removed].com

The malware connects to port 443, but the communication protocol is not SSL; it is a custom encrypted protocol.

Once installed, the backdoor has full control of the system. These are some of the capabilities identified:

  • Adjust process privileges, terminate processes
  • Control services
  • Remote file execution
  • Registry manipulation
  • File system manipulation (search, remove, copy)
  • System manipulation (turn system off, reboot, clean events)
  • Call other components, inter process communication
  • Network.ics manipulation

-- --

This Trojan is stage III of Operation Aurora. For more information on Operation Aurora, see:

  • Exploit-Comele - Operation Aurora (stage I - initial exploit)
  • Roarur.dr - Operation Aurora (stage II - downloaded malware)

 

When executed this trojan creates a service on the victim's computer and modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %]
    • "ImagePath" = %SystemDir%\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %]
    • "Start"= 02, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %] \Parameters
    • "ServiceDll" = %SystemDir%\rasmon.dll

Different variants have been observed using different file names, service names and DLL locations. For example:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    • ServiceDll = "C:\Documents and Settings\[username]\AppMgmt.dll"
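An added defender-side check, not from the advisory: the PowerShell script below audits svchost-hosted services for the persistence pattern described above (a RaS + 4-character service name, a ServiceDll whose name is listed on this page, and a netsvcs ServiceDll outside the system directory, which generalizes the AppMgmt variant placed in a user profile) and reports whether networks.ics exists. The service-name regex and the "outside the system directory" heuristic are assumptions, and a hit is a lead for review rather than proof of infection.

```powershell
# Added example, not part of the advisory. Run elevated on the host under review.
$systemDir  = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\system32
# DLL file names listed on this page for this detection
$knownNames = @('rasmon.dll', 'securmon.dll', 'acelpvc.dll', 'a0029670.dll', 'appmgmt.dll')

$findings = @()
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc    = $_.PSChildName
    $main   = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { return }   # only svchost-style services carry ServiceDll

    $dll     = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll).Trim('"')
    $leaf    = [IO.Path]::GetFileName($dll)
    $reasons = @()

    # 1. Service name of the form RaS + 4 random characters (pattern from this page; regex is an assumption)
    if ($svc -match '^RaS[A-Za-z0-9]{4}$') { $reasons += 'service name matches RaS????' }

    # 2. ServiceDll file name is one of the names listed on this page
    if ($knownNames -contains $leaf.ToLower()) { $reasons += "ServiceDll name $leaf is listed for this family" }

    # 3. Hosted in the netsvcs group but the DLL lives outside the system directory (heuristic, an assumption)
    $hosted = ([string]$main.ImagePath) -match 'svchost\.exe\s+-k\s+netsvcs'
    if ($hosted -and -not $dll.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "netsvcs ServiceDll outside $systemDir"
    }

    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Service = $svc; ImagePath = [string]$main.ImagePath; ServiceDll = $dll; Reasons = ($reasons -join '; ')
        }
    }
}

# The encrypted staging file named on this page. The legitimate 'networks' file in the same
# directory has no extension, so only the .ics name is reported.
$ics = Join-Path $systemDir 'drivers\etc\networks.ics'
if (Test-Path $ics) {
    $findings += [pscustomobject]@{ Service = '(file)'; ImagePath = ''; ServiceDll = $ics; Reasons = 'networks.ics present' }
}

$findings | Format-Table -AutoSize
```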

The DLL (RASMON.DLL) is injected into SVCHOST.EXE and performs the following functions:

  • Checks to see if the following files are present on the system:
    • acelpvc.dll (presence of this file does not necessarily imply an infection)
    • VedioDriver.dll (presence of this file does not necessarily imply an infection)

Connection to the following remote server is made (new variants have been captured that connect to different servers):

  • 360.home[removed].com
  • update.ou[removed]y.com

The trojan accepts commands from the controlling host. Different variants have different capabilities including:

  • Escalate process privileges.
  • Shutdown or reboot the system.
  • Execute commands via cmd.exe.
  • Download additional components.
  • Modify the system registry.
  • List local resources (Drives, services etc.)
  • Modify the local filesystem.
  • Execute mdm.exe.
  • Self update.

The backdoor gathers the following information from the victim's machine and sends it back to the server:

  • Content of HARDWARE\DESCRIPTION\System\CentralProcessor\MHz registry key
  • Service pack name
  • Machine name
  • OS Version

This information is stored in an encrypted file, windows/system32/drivers/etc/networks.ics.

For more details on the communication protocol, see:

McAfee Labs Blog: An Insight into the Aurora Communication Protocol

Symptoms

  • Presence of above mentioned activities.
  • Presence of above mentioned files.

Method of Infection

This threat is dropped by Roarur.dr.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations