A threat that we see very frequently in the lab is the back door named Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed some light on this back door both to show how easy it has become to create a powerful back door with a rich feature set, and also to show why we see so much of this particular back door.
Backdoor.Graybird gets its name from the Chinese company that makes the product, which translates to Gray Bird. It is a commercial Chinese remote access tool that sells for about $100 for a 100 user license. It can be configured to run silently on the victim's machine and is normally distributed via email or via drive-by downloads. (If sent via email, the user still needs to execute the file.) It can be packed to make each sample unique and, most recently, NsAnti has been the packer of choice.
Backdoor.Graybird is very popular in underground Chinese hacking forums, partly because it is all written in Chinese, so it is easily understood, and also because cracked versions of it are often available for "script kiddies" to use, which means that they don't have to pay. Backdoor.Graybird is to the Chinese market what SubSeven or Back Orifice were to the English-speaking market a few years ago.
Backdoor.Graybird can do all the actions of a typical back door. With the click of a button an attacker can:
• Reboot the victim's machine
• Take a screen capture
• Turn on a webcam
• Record all keystrokes
• Steal passwords
• Access all files on the victim's machine
Basically the attacker can take full control of the victim's machine…
An attacker sends a newly created Backdoor.Graybird to the victim – it runs silently and then connects back to the control server running on the attacker's machine. The back door runs as iexplore.exe by default and continuously tries to connect back to the control server to show that it is online and ready to be controlled. When the attacker starts the control server software on his machine, he or she can see all the computers that are available to be controlled at that time.
Each back door must contain the IP address of the control server to connect to; that is, the attacker's IP. This makes every newly created back door slightly different. For cases where the attacker does not have a static IP, the back door can be configured to point to a redirection site instead.
When an attacker wants to create a new back door, he runs a back door configuration program (a nice GUI – it's all point and click). He can choose many different options. For example, he can choose what type of packer he wants the back door to be packed with, what icon he wants it to have, what IP and port to connect to, the username and password to use, the name of the files to be dropped on the victim's PC, plus many other options. Since this is a point and click back door creator, which is used by many script kiddies, often the settings for the back door are left at the default values (script kiddie errors also account for why we see many samples trying to connect to 127.0.0.1 or NAT addresses like 192.168.x.y :p ). When the attacker has finished configuration, the back door is created with the new settings and is ready to be sent to the victim.
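Defender-side triage of the check-in behaviour described above, as an added example that is not part of the original post: it takes constructed connection records (timestamp, process name, destination), flags a process named iexplore.exe contacting one host:port at a steady interval (the process name alone is not a signal, since the real browser shares it), and labels controllers at loopback or RFC 1918 addresses as the default or NAT misconfigurations mentioned. The log format and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 ranges: the "NAT addresses" a misconfigured build points at.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (seconds since start, process name, destination).
SAMPLE_LOG = [
    (0, "iexplore.exe", "198.51.100.7:8000"),
    (30, "iexplore.exe", "198.51.100.7:8000"),
    (60, "iexplore.exe", "198.51.100.7:8000"),
    (91, "iexplore.exe", "198.51.100.7:8000"),
    (120, "iexplore.exe", "198.51.100.7:8000"),
    (5, "iexplore.exe", "203.0.113.10:80"),   # ordinary one-off browsing
    (3, "svchost.exe", "192.168.1.20:445"),   # unrelated process
    (2, "iexplore.exe", "127.0.0.1:8000"),    # sample left at default settings
    (32, "iexplore.exe", "127.0.0.1:8000"),
    (62, "iexplore.exe", "127.0.0.1:8000"),
]

def controller_scope(dest):
    """Classify the controller address a sample keeps trying to reach: loopback
    or RFC 1918 targets cannot reach an outside attacker, so the build was likely left at defaults."""
    ip = ip_address(dest.rsplit(":", 1)[0])
    if ip.is_loopback:
        return "loopback (default settings)"
    if any(ip in net for net in RFC1918):
        return "private/NAT (misconfigured)"
    return "routable"

def find_beacons(records, process="iexplore.exe", min_hits=3, max_jitter=0.2):
    """Group connections per destination for the given process name and flag
    destinations contacted at a steady interval (low stdev relative to mean gap)."""
    by_dest = defaultdict(list)
    for ts, proc, dest in records:
        if proc.lower() == process:
            by_dest[dest].append(ts)
    findings = []
    for dest, times in by_dest.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"dest": dest, "hits": len(times),
                             "period": round(avg, 1), "scope": controller_scope(dest)})
    return findings
```

Running `find_beacons(SAMPLE_LOG)` on the constructed records flags the routable controller beaconing every 30 seconds and the loopback one, while the one-off browsing connection and the unrelated process are ignored.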
To ensure no users have problems creating their very own back door, the installer even comes with a flash tutorial showing how to configure and create a back door and how to control a victim's computer. To see an example of the back door in action, watch the video provided below.
Needless to say, to protect themselves against these types of back doors, users should not click on links or execute files contained in suspicious emails, and since these types of back doors are often distributed via drive-by download sites, users should not visit sites that they do not trust. Of course, this is easier said than done… So users should make sure that their antivirus definitions are up to date and that they have an Internet security solution that includes antivirus, firewall, and intrusion protection.