
Win32/Beebone


First posted on 19 March 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Beebone.

Explanation :



Installation

Some Beebone variants arrive on your computer as a drive-by download or through social engineering, or are downloaded and run by other malware, such as a variant of the Worm:Win32/Vobfus family.

Other variants arrive as a download if you click a malicious link posted on a social networking site or sent through an instant messaging program, or a link shared on a public file-sharing network under an enticing file name.



Payload

Downloads other malware

Beebone contacts remote hosts in order to download other malware. Below are some examples of the malware we have observed Beebone downloading:

  • Backdoor:Win32/Atadommoc
  • TrojanDownloader:Win32/Karagany
  • Trojan:Win32/Acbot
  • Trojan:Win32/Boaxxe
  • Win32/Gamarue
  • Win32/Fareit
  • Win32/Medfos
  • Win32/Sirefef
  • Win32/Vobfus
  • Win32/Waledac
  • Win32/Winwebsec
  • Win32/Zbot
  • VirTool:Win32/CeeInject


For more information about how it downloads this malware, please see the Additional information section below.

After it downloads other malware, it stops running and deletes its own file by running the following command:

"cmd.exe /c tasklist&&del {Malware Path}"

The tasklist call serves only as a short delay, so that del runs after the Beebone process has exited and its executable is no longer in use.
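The self-delete command above is a usable detection hook. The following Python is an added example, not part of the Microsoft write-up: it matches the "cmd.exe /c tasklist&&del" pattern in process-creation command lines and upgrades the verdict to "self-delete" when the process that spawned cmd.exe is the very file being deleted. The records it scans are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), not real telemetry; the file names reuse the sample names listed further down this page.

```python
import re

# Beebone's self-delete command, as quoted on this page:
#     cmd.exe /c tasklist&&del {Malware Path}
# The regex tolerates a quoted cmd.exe, spaces around && and a quoted target.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+tasklist\s*&&\s*del\s+(?P<target>"[^"]+"|\S+)',
    re.IGNORECASE,
)


def _norm_path(path):
    """Strip quotes and fold case so the del target and ParentImage compare equal."""
    return path.strip().strip('"').lower()


def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return None, 'tasklist-del' or 'self-delete' for a process-creation event.

    'self-delete' means the process that spawned cmd.exe is the file being
    deleted, which is exactly the Beebone behaviour described above.
    """
    match = SELF_DELETE_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    target = _norm_path(match["target"])
    parent = _norm_path(event.get("ParentImage", ""))
    return "self-delete" if parent and parent == target else "tasklist-del"


def scan(lines):
    """Run classify() over raw records; return (verdict, parent, command line) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append((verdict, event.get("ParentImage"), event.get("CommandLine")))
    return hits


# Constructed records modelled on Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Users\\bob\\5rry.exe"
    "|CommandLine=cmd.exe /c tasklist&&del C:\\Users\\bob\\5rry.exe",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe"
    '|CommandLine="cmd.exe" /c tasklist && del "C:\\Users\\bob\\AppData\\Local\\Temp\\zyyp.exe"',
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=cmd.exe /c tasklist /v",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c del C:\\Temp\\old.log",
]

if __name__ == "__main__":
    for verdict, parent, cmdline in scan(SAMPLE_EVENTS):
        print(f"{verdict:12} parent={parent}  cmd={cmdline}")
```

The plain "tasklist-del" verdict is worth keeping as a lower-severity signal: the same delay-then-delete idiom is used by droppers that remove a different file than their own.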

Contacts remote hosts

In the wild, we have observed the following domains being accessed by Win32/Beebone variants:

  • 3d-game.com
  • 65512.eu
  • adultdns.net
  • bbsindex.com
  • brenz.pl
  • checktech.eu
  • checkusb.eu
  • chkdtdns.net
  • cpuchecks.com
  • ddns01.com
  • ddns01.eu
  • ddns1.eu
  • ddnsd.at
  • ddnsd.eu
  • ddnsx.eu
  • dnsd.me
  • dtdns.net
  • etowns.net
  • fe100.net
  • grsyl.com
  • kdns01.kz
  • no-ip1.com
  • noip.at
  • noip01.org
  • noip02.com
  • noip1.at
  • noip1.com
  • noip1.de
  • noip1.info
  • noip1.nl
  • noip1.org
  • noip2.at
  • noip2.com
  • noip2.net
  • noip2.nl
  • noips.me
  • noipx.net
  • noipz.com
  • noipz.net
  • noipz.org
  • phone423checker.tk
  • s3h.net
  • selfip.me
  • slyip.com
  • somee.com
  • ssh01.com
  • suroot.com
  • time2check.info
  • ttl60.org
  • vigg.net
  • voip01.com
  • wiggy.me
  • wow64.net
  • zdns.eu
  • zigg.me
  • zma.me


Win32/Beebone uses the following ports to access the remote servers:

  • 443
  • 8080
  • 23345
  • 27000
  • 30980
  • 34511
  • 40009
  • 41001
  • 43401
  • 46361
  • 58897
  • 60077
  • 60088
  • 60099
  • 60777


It may do this for any of the following reasons:

  • To download and execute arbitrary files (including updates or additional malware)
  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer


For more information about how it contacts these remote hosts, please see the Additional information section below.

Win32/Beebone may have the following executable icon (icon image not reproduced on this page).


Additional information

When executed, older variants of Win32/Beebone make an HTTP request, usually in the following format:

{random}.{domain}:{port}/{letter}/

For example:

  • 001updates.zma.me:23345/b/
  • updates9845.fe100.net:60077/i/
  • updateminute.dnsd.me:8080/b/
  • windows-update.zigg.me:41001/a/
  • winupdateserver1.s3h.net:30980/a/


The server replies to the HTTP request with a comma-separated list of locations, relative to the request path, from which Beebone downloads malicious files to your computer.

For example, if it sends an HTTP request to the following URI:

windows-update.zigg.me:41001/a/

the server replies with a comma-separated list such as:

76876332/1,76876332/2,76876332/bb1,76876332/z

So the download locations of the files to be downloaded are:

  • windows-update.zigg.me:41001/a/76876332/1
  • windows-update.zigg.me:41001/a/76876332/2
  • windows-update.zigg.me:41001/a/76876332/bb1
  • windows-update.zigg.me:41001/a/76876332/z


Recent variants of the Win32/Beebone family make an HTTP request in the following format, where {hdserial} and {username} identify the affected computer:

{random}.{domain}:{port}/{number}/?{affiliate_id}|{hdserial}{username}

For example:

  • 37462.ddnsx.eu:443/1/?b|-2020396961winxp
  • 37480.noip1.at:443/2/?f|-1396129654Guest
  • 46546.dtdns.net:443/9/?a|-1312965453MyPC
  • 62951.noipx.net:8080/0/?f|-2713912961Developer
  • 86788.noip1.com:8080/0/?b|-5711296542Windows7
  • 88793.ddns1.eu:443/1/?a|-1296545361Administrator
  • 99088.noip2.net:8080/0/?f|-1813912965Admin


The server then replies to the HTTP request with encrypted data; once decrypted, it yields a comma-separated list of URLs of the files to be downloaded to your computer.

The decrypted data may look like the following:

899056.noip2.nl:443/v/?75,hxxp://799056.noip2.nl:443/1/?n1,hxxp://799056.noip2.nl:443/1/?s1
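The two request formats and the two reply formats above, as an added Python example that is not part of the original Microsoft write-up: parse_beacon() pulls the host, port and (for recent variants) the affiliate ID, disk serial and user name out of a beacon URL, and resolve_download_list() turns a reply into absolute download URLs, handling both the old relative list and the recent list of full URLs. The sample inputs are the ones quoted on this page; the hxxp defanging is mapped back to http, and the rule for telling a scheme-less host entry (899056.noip2.nl:443/...) from a relative path (76876332/1) is this example's own heuristic.

```python
import re
from urllib.parse import urljoin

# Older variants: {random}.{domain}:{port}/{letter}/
OLD_BEACON_RE = re.compile(r"^(?P<host>[\w.-]+):(?P<port>\d+)/(?P<letter>[a-z])/$")
# Recent variants: {random}.{domain}:{port}/{number}/?{affiliate_id}|{hdserial}{username}
# Splitting hdserial from username assumes the serial is a signed decimal number
# followed immediately by the name, which holds for every example on this page.
NEW_BEACON_RE = re.compile(
    r"^(?P<host>[\w.-]+):(?P<port>\d+)/(?P<number>\d+)/\?"
    r"(?P<affiliate>[a-z])\|(?P<hdserial>-?\d+)(?P<username>.*)$"
)
# Accepts http:// as well as the hxxp:// defanging used on this page.
SCHEME_RE = re.compile(r"^h[tx]{2}p(?P<tls>s?)://", re.IGNORECASE)
# Scheme-less reply entry that starts with a dotted host name (optional port)
# rather than a relative path such as 76876332/1. Heuristic for this example.
HOST_PREFIX_RE = re.compile(r"^[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?::\d+)?/", re.IGNORECASE)


def _strip_scheme(url):
    return SCHEME_RE.sub("", url.strip())


def _refang(url):
    """Turn hxxp(s):// into http(s)://; return None if there is no scheme at all."""
    match = SCHEME_RE.match(url)
    if not match:
        return None
    return ("https://" if match["tls"] else "http://") + url[match.end():]


def parse_beacon(url):
    """Break a Beebone beacon URL into fields, or return None if it fits neither format."""
    path = _strip_scheme(url)
    match = NEW_BEACON_RE.match(path)
    if match:
        return {
            "variant": "recent",
            "host": match["host"],
            "port": int(match["port"]),
            "number": match["number"],
            "affiliate_id": match["affiliate"],
            "hdserial": int(match["hdserial"]),
            "username": match["username"],
        }
    match = OLD_BEACON_RE.match(path)
    if match:
        return {
            "variant": "old",
            "host": match["host"],
            "port": int(match["port"]),
            "letter": match["letter"],
        }
    return None


def resolve_download_list(beacon_url, reply):
    """Expand a (decrypted) comma-separated reply into absolute download URLs.

    Old-format replies carry paths relative to the beacon URL; recent-format
    replies carry full URLs, the first of which may lack its scheme.
    """
    base = "http://" + _strip_scheme(beacon_url)
    urls = []
    for entry in reply.split(","):
        entry = entry.strip()
        if not entry:
            continue
        absolute = _refang(entry)
        if absolute:
            urls.append(absolute)
        elif HOST_PREFIX_RE.match(entry):
            urls.append("http://" + entry)
        else:
            urls.append(urljoin(base, entry))
    return urls


# Inputs quoted on this page (the decrypted reply keeps Microsoft's hxxp defanging).
OLD_BEACON = "windows-update.zigg.me:41001/a/"
OLD_REPLY = "76876332/1,76876332/2,76876332/bb1,76876332/z"
NEW_BEACON = "62951.noipx.net:8080/0/?f|-2713912961Developer"
NEW_REPLY = ("899056.noip2.nl:443/v/?75,hxxp://799056.noip2.nl:443/1/?n1,"
             "hxxp://799056.noip2.nl:443/1/?s1")

if __name__ == "__main__":
    print(parse_beacon(OLD_BEACON))
    print(parse_beacon(NEW_BEACON))
    for url in resolve_download_list(OLD_BEACON, OLD_REPLY) + resolve_download_list(NEW_BEACON, NEW_REPLY):
        print(url)
```

Run against proxy logs, parse_beacon() gives you the affiliate ID and the victim identifiers that were sent out, and resolve_download_list() gives the URLs to block or retrieve for analysis once the reply has been decrypted.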

The downloaded files are also encrypted; Beebone decrypts them and then saves them to your computer.

These saved files are then run, most often from the %UserProfile% folder.

File names of the downloaded files can take any of the following forms:

  • {number}{random}.exe
  • z{random}.exe
  • start1.exe
  • runme.exe


In the wild, we have observed Beebone using the following file names:

  • 0wxm.exe
  • 1hhy.exe
  • 2gy.exe
  • 4meu.exe
  • 5rry.exe
  • zyyp.exe


These files may be detected as variants of the following families:

  • Backdoor:Win32/Atadommoc
  • TrojanDownloader:Win32/Karagany
  • Trojan:Win32/Acbot
  • Trojan:Win32/Boaxxe
  • Win32/Gamarue
  • Win32/Fareit
  • Win32/Medfos
  • Win32/Sirefef
  • Win32/Vobfus
  • Win32/Waledac
  • Win32/Winwebsec
  • Win32/Zbot
  • VirTool:Win32/CeeInject


Recent variants of Win32/Beebone send a specific HTTP User-Agent header when contacting the malware server. The value, which mimics Internet Explorer 7 on Windows XP, is:

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"

Also, recent variants of Win32/Beebone check whether the following modules are loaded:

  • dbghelp.dll
  • sbiedll.dll


This is one of the anti-analysis techniques used by Beebone variants: dbghelp.dll is the Windows debugging helper library, and sbiedll.dll is the DLL that the Sandboxie sandbox injects into every process it isolates. If either DLL is loaded, Beebone does not run its malicious routine.

It also checks for the module "snxhk.dll", possibly to determine whether Avast antivirus is installed on your computer.

Beebone checks whether your computer is running in a virtual machine by looking for the following strings in the registry value "HKLM\System\ControlSet001\Services\Disk\Enum\0", which holds the device instance path of the first disk:

  • VBOX
  • VIRTUAL
  • VMWARE
  • QEMU


If it finds any of these strings, the trojan does not run.
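An analyst's first question about the two checks above is whether their own sandbox trips them. The following Python is an added example, not code from the Microsoft write-up or from Beebone: vm_markers_in() applies the four-string test to a Disk\Enum\0 value, loaded_analysis_modules() asks the running process whether dbghelp.dll or sbiedll.dll is present via GetModuleHandleW, and audit() combines the two into a "would Beebone run here" verdict. The Disk\Enum\0 samples are constructed in the shape Windows uses for device instance paths, not copied from specific machines, and the case-insensitive comparison is an assumption, since the page does not say how Beebone compares the strings.

```python
import platform

# Strings Beebone looks for in HKLM\System\ControlSet001\Services\Disk\Enum\0 (from this page).
VM_MARKERS = ("VBOX", "VIRTUAL", "VMWARE", "QEMU")
# Modules whose presence stops the malicious routine (from this page).
ANALYSIS_MODULES = ("dbghelp.dll", "sbiedll.dll")


def vm_markers_in(disk_enum_value):
    """Return the markers Beebone would find in a Disk\\Enum\\0 value.

    The comparison here is case-insensitive; whether Beebone's own check is
    case-sensitive is not stated on this page, so this is an assumption.
    """
    upper = (disk_enum_value or "").upper()
    return [marker for marker in VM_MARKERS if marker in upper]


def read_disk_enum_0():
    """Read the real value on Windows; None on other platforms or if it is missing."""
    if platform.system() != "Windows":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\ControlSet001\Services\Disk\Enum") as key:
            value, _ = winreg.QueryValueEx(key, "0")
            return value
    except OSError:
        return None


def loaded_analysis_modules(names=ANALYSIS_MODULES):
    """Return which of the listed DLLs are loaded in this process (Windows only).

    Sandboxie injects sbiedll.dll into every sandboxed process, so running this
    script inside Sandboxie reports it; outside Windows the check is skipped.
    """
    if platform.system() != "Windows":
        return []
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetModuleHandleW.restype = ctypes.c_void_p
    kernel32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    return [name for name in names if kernel32.GetModuleHandleW(name)]


def audit(disk_enum_value, modules_loaded):
    """Combine both checks and say whether Beebone would run on this machine."""
    markers = vm_markers_in(disk_enum_value)
    blocking = [m for m in modules_loaded if m.lower() in ANALYSIS_MODULES]
    return {"vm_markers": markers, "analysis_modules": blocking,
            "would_run": not markers and not blocking}


# Constructed Disk\Enum\0 values in the shape of Windows device instance paths.
# They are illustrative, not copied from specific machines.
SAMPLE_DISK_ENUMS = {
    "virtualbox": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1a2b3c4d&0&0.0.0",
    "vmware": r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1a2b3c4d&0&000000",
    "qemu": r"IDE\DiskQEMU_HARDDISK___________________________2.5+____\5&1a2b3c4d&0&0.0.0",
    "physical": r"SCSI\Disk&Ven_SAMSUNG&Prod_SSD_860_EVO\4&1a2b3c4d&0&000000",
}

if __name__ == "__main__":
    for label, value in SAMPLE_DISK_ENUMS.items():
        print(f"{label:10} -> {audit(value, [])}")
    # Live check of the machine the script runs on (meaningful only on Windows).
    print("this host ->", audit(read_disk_enum_0(), loaded_analysis_modules()))
```

A VMware guest trips the check twice (the vendor string and "Virtual_disk" in the product string), so a detonation VM has to present a non-default disk identity in the hypervisor configuration before a sample like this will run in it.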



Analysis by Ric Robielos

Last update 19 March 2013
