
Backdoor.Win32.Surila.k

Detected Sep 15 2004 08:06 GMT
Released Sep 15 2004 08:06 GMT
Published Sep 16 2004 13:41 GMT

Technical Details

Surila is a Trojan backdoor. The program is a Windows PE EXE file packed with Obsidium and written in Visual C++. The packed file size is 244 KB and the unpacked size is approximately 413 KB.

Installation

Upon being launched, Surila copies itself into the Windows system folder under the name 'dx32cxlp.exe' and creates the following system registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  devsec = %System%\dx32cxlp.exe

[HKLM\SOFTWARE\Microsoft\Internet Explorer\mutexname]

with 'mutexname' being a random value.

The first key provides automatic launch at every reboot; the second acts as a mutex (an infection marker) that lets the backdoor recognise that it is already installed on the system.

Surila then copies itself into the StartUp folder and creates a file named dx32cxconf.ini in the Windows system folder.

Surila also creates a service named dx32cxel whose driver file is %System%\dx32cxel.sys.

In order to gain unrestricted access to the Internet, Surila registers itself as an authorised application in the Windows FirewallPolicy, so the firewall treats it as a permitted program with full Internet rights.

Payload

Surila installs a proxy server on a random port that relays HTTP and SMTP traffic. The infected machine can then be used illegally, for instance as a node in a spam-sending botnet.

Communication with the client module

Surila attempts to connect to a hard-coded list of IRC servers (IP address and port) to receive commands.


Other

Surila modifies the hosts file so that antivirus vendors' domains (Kaspersky Lab, Symantec, McAfee/Network Associates, F-Secure, Sophos, CA and Trend Micro) resolve to 127.0.0.1, in order to block antivirus database updates and access to the vendors' websites.

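A defender-side check for the indicators described above (the 'devsec' Run value pointing at dx32cxlp.exe, and hosts-file entries that pin antivirus vendor domains to loopback). This is an added Python example, not code from Kaspersky Lab's description; the sample hosts text and Run-key dictionary are constructed, and the function names are assumptions.

```python
"""Added example: checks hosts-file text and Run-key values for the
Backdoor.Win32.Surila.k indicators listed in the description."""

# Vendor domains named in the description; matched by suffix so that
# subdomains such as liveupdate.symantec.com are caught as well.
AV_DOMAINS = ("kaspersky.com", "kaspersky-labs.com", "viruslist.com", "avp.com",
              "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
              "networkassociates.com", "f-secure.com", "sophos.com", "ca.com",
              "my-etrust.com", "trendmicro.com")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
SURILA_FILE = "dx32cxlp.exe"   # file name from the description


def hosts_hijacks(hosts_text):
    """Return (ip, hostname) pairs that pin an antivirus vendor host to loopback."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:                   # legitimate pinning is not a hit
            continue
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in AV_DOMAINS):
                hits.append((ip, n))
    return hits


def suspicious_run_values(run_values):
    """run_values maps Run-key value names to commands (as exported from
    HKLM\\...\\CurrentVersion\\Run). Flag the 'devsec' value or any command
    that launches dx32cxlp.exe."""
    return {name: cmd for name, cmd in run_values.items()
            if name.lower() == "devsec" or SURILA_FILE in cmd.lower()}


# Constructed sample data (not a real capture).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       downloads1.kaspersky-labs.com
10.0.0.5        intranet.example   # legitimate pinning, not loopback
127.0.0.1       www.avp.com
"""
SAMPLE_RUN = {"devsec": r"C:\WINDOWS\system32\dx32cxlp.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    print("hosts hijacks:", hosts_hijacks(SAMPLE_HOSTS))
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN))
```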

Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
Aliases

Backdoor.Win32.Surila.k (Kaspersky Lab) is also known as:

  • Heuristic.WinPE-Statistical (Panda)
  • BackDoor.Emule.42 (DrWeb)