Intel Security

Roarur.dll

This page shows details and results of our analysis on the malware Roarur.dll

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Remote Access
  • Protection Added: 2010-01-14

This trojan is dropped by the Roarur.dr trojan.

It creates an additional service on the victim's computer and checks for the presence of certain files on the system.

Aliases:

  • Operation Aurora

Minimum Engine

5600.1067

File Length

Varies

Description Added

2010-01-14

Description Modified

2010-01-19

Malware Proliferation

-- Update Jan. 19, 2010 --

After in-depth analysis of updated samples of Roarur.DLL, the following information about the backdoor's capabilities was uncovered:

The following filenames were seen for DLLs associated with this detection:

  • Rasmon.dll
  • Securmon.dll
  • A0029670.dll
  • Acelpvc.dll
  • AppMgmt.dll

The file acelpvc.dll was identified as malicious, loaded by rasmon.dll to connect to any arbitrary IP:PORT chosen by the attacker. It imports VedioDriver.dll to allow it to monitor keyboard and mouse usage.

The samples above connect to one of the following domains:

  • 360.home[removed].com
  • sl1.home[removed].org
  • blog1.serve[removed].com
  • google.home[removed].com
  • ftp2.home[removed].com
  • update.our[removed].com

The malware connects to port 443, but the communication protocol is not SSL; it is a custom encrypted protocol.

When installed on the system, the backdoor has full control of the system. These are some of the capabilities identified:

  • Adjust process privileges, terminate processes
  • Control services
  • Remote file execution
  • Registry manipulation
  • File system manipulation (search, remove, copy)
  • System manipulation (turn system off, reboot, clean events)
  • Call other components, inter process communication
  • Network.ics manipulation

-- --

This Trojan is stage III of Operation Aurora, for more information on Operation Aurora, see:

  • Exploit-Comele - Operation Aurora (stage I - initial exploit)
  • Roarur.dr - Operation Aurora (stage II - downloaded malware)

When executed, this trojan creates a service on the victim's computer and modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %]
    • "ImagePath" = %SystemDir%\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %]
    • "Start"= 02, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS [% random 4 chars %] \Parameters
    • "ServiceDll" = %SystemDir%\rasmon.dll

Different variants have been observed using different file names, service names and DLL locations. For example:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    • ServiceDll = "C:\Documents and Settings\[username]\AppMgmt.dll"

The DLL (RASMON.DLL) is injected into SVCHOST.EXE and performs the following functions:

  • Checks to see if the following files are present on the system:
    • acelpvc.dll (presence of this file does not necessarily imply an infection)
    • VedioDriver.dll (presence of this file does not necessarily imply an infection)
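An added example, not part of this advisory, that applies the persistence pattern described above (a svchost-hosted service whose ServiceDll is rasmon.dll, or a DLL such as AppMgmt.dll loaded from a user profile) to an exported registry hive and flags the matching services, so an analyst can triage a .reg export offline. The sample export is constructed, and the location check assumes the default %SystemRoot% of C:\WINDOWS.

```python
import re

# Constructed sample of a registry export in .reg syntax (not from the advisory):
# two entries shaped like the ones described above and one benign svchost service.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSabcd\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\rasmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters]
"ServiceDll"="C:\\Documents and Settings\\bob\\AppMgmt.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dhcpcsvc.dll"
"""

# DLL file names the advisory associates with this detection (compared case-insensitively)
SUSPECT_DLLS = {"rasmon.dll", "acelpvc.dll", "vediodriver.dll", "securmon.dll"}
_KEY = re.compile(r"^\[(.+)\]$")
_STR = re.compile(r'^"([^"]+)"="(.*)"$')
_PARAMS = re.compile(r"\\Services\\([^\\]+)\\Parameters$", re.IGNORECASE)


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: value}}, string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current and (m := _STR.match(line)):
            # .reg files escape backslashes as "\\"; undo that to recover the real path
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_suspicious_service_dlls(keys):
    """Flag ServiceDll entries matching the persistence pattern in the advisory."""
    hits = []
    for path, values in keys.items():
        m, dll = _PARAMS.search(path), values.get("ServiceDll")
        if not m or not dll:
            continue
        name = dll.rsplit("\\", 1)[-1].lower()
        # Assumes the default %SystemRoot% of C:\WINDOWS for the location check
        folder = dll.lower().replace("%systemroot%", "c:\\windows")
        if name in SUSPECT_DLLS:
            hits.append(f"{m.group(1)}: ServiceDll has a known Aurora DLL name ({dll})")
        elif not folder.startswith("c:\\windows\\system32\\"):
            hits.append(f"{m.group(1)}: ServiceDll loaded from outside System32 ({dll})")
    return hits
```

A legitimate service DLL outside System32 will also be reported by the second rule, so treat those hits as leads for manual review rather than confirmed infections.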

Connection to the following remote server is made (new variants have been captured that connect to different servers):

  • 360.home[removed].com
  • update.ou[removed]y.com

The trojan accepts commands from the controlling host. Different variants have different capabilities including:

  • Escalate process privileges.
  • Shutdown or reboot the system.
  • Execute commands via cmd.exe.
  • Download additional components.
  • Modify the system registry.
  • List local resources (Drives, services etc.)
  • Modify the local filesystem.
  • Execute mdm.exe.
  • Self update.

The backdoor gathers the following information from the victim's machine and sends it back to the server:

  • Content of HARDWARE\DESCRIPTION\System\CentralProcessor\MHz registry key
  • Service pack name
  • Machine name
  • OS Version

The gathered information is stored in an encrypted file, windows/system32/drivers/etc/networks.ics.

For more details on the communication protocol, see:

McAfee Labs Blog: An Insight into the Aurora Communication Protocol

  • Presence of above mentioned activities.
  • Presence of above mentioned files.
  • This threat is dropped by Roarur.dr.

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations