System Infected: Backdoor.Hikit Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Hikit activity on the compromised computer.

Additional Information

When the Trojan is executed, it may create the following files:

%Temp%\w7fw.sys
%Temp%\w7fw_m.inf
%Temp%\w7fw.inf
%Temp%\w7fw.cat

Next, the Trojan drops the following file, which may be a 32-bit or 64-bit driver, depending on the operating system:
%System%\drivers\W7fw.sys

Then the threat uses an untrusted certificate to load the driver.

It may also modify the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing\"Policy" = "00"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\"Policy" = "00"
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\[HEXADECIMAL VALUE]\"Blob" = "[BINARY DATA]"
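
The dropped files and registry changes listed above can be checked on a Windows host with the following script. It is an added example, not Symantec's code; it assumes the paths and values exactly as stated in this description, and the loaded-driver and AuthRoot listing at the end are extra audit steps that the description does not prescribe.

```powershell
# Added example (not Symantec's code): read-only check for the artifacts this
# signature description lists. Run from an elevated PowerShell session.

function Find-HikitArtifacts {
    $findings = @()

    # Files the Trojan may create, as named in the description above
    $droppedFiles = @(
        (Join-Path $env:TEMP 'w7fw.sys'),
        (Join-Path $env:TEMP 'w7fw_m.inf'),
        (Join-Path $env:TEMP 'w7fw.inf'),
        (Join-Path $env:TEMP 'w7fw.cat'),
        (Join-Path $env:SystemRoot 'System32\drivers\W7fw.sys')
    )
    foreach ($path in $droppedFiles) {
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # Signing policy values the Trojan may set to 00 (REG_BINARY, one byte)
    $policyKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Driver Signing',
        'HKLM:\SOFTWARE\Microsoft\Non-Driver Signing'
    )
    foreach ($key in $policyKeys) {
        $item = Get-ItemProperty -Path $key -Name Policy -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $hex = ($item.Policy | ForEach-Object { $_.ToString('x2') }) -join ''
            if ($hex -eq '00') { $findings += "Signing policy disabled: $key\Policy = $hex" }
        }
    }

    # Extra audit step (assumption, not from the description): is a driver
    # whose image path ends in w7fw.sys currently registered with the system?
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -like '*w7fw.sys' } |
        ForEach-Object { $findings += "Driver registered: $($_.Name) -> $($_.PathName)" }

    # Extra audit step: the description gives no thumbprint for the added
    # AuthRoot certificate, so list the subkeys for manual review instead.
    $authRoot = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    $thumbprints = Get-ChildItem -Path $authRoot -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }
    $findings += "AuthRoot certificate entries to review: $($thumbprints.Count)"

    return $findings
}

Find-HikitArtifacts | ForEach-Object { Write-Output $_ }
```

A non-empty list of "File present", "Signing policy disabled" or "Driver registered" lines is the signal to escalate; the AuthRoot count alone is only a prompt to compare the listed thumbprints against a known-good baseline.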

The back door allows a remote attacker to perform the following actions on the compromised computer:

Open connections over a SOCKS5 proxy
Download files onto the compromised computer
Upload files to a remote location
Open a command shell
Stop executing

Affected

  • Windows