Backdoor:Win32/Hackdef.BJ is a backdoor trojan that allows remote access and control.
Win32/Hackdef is a family of backdoor trojans that is distributed in various ways to computers running certain versions of Microsoft Windows. This trojan is a user-mode rootkit that creates, alters, and hides Windows system resources on a computer that it has infected, and can hide proxy services and backdoor functionality. It can also conceal use of TCP and UDP ports for receiving commands from attackers.
Installation
Win32/Hackdef is installed either remotely by another infected computer or by user interaction such as visiting a malicious Web page or executing the trojan via an e-mail attachment.
The variant runs as a process and installs itself as a service. When it runs, it checks for the presence of configuration code that contains parameters for changing settings on the target computer. Settings in the configuration code determine rootkit operations such as creating, altering, and hiding system resources; providing and controlling backdoor functionality; and providing proxy services.
Win32/Hackdef uses a driver to run custom code in kernel mode. This driver duplicates process tokens to obtain process-related information so that the rootkit can alter the behavior of processes while they run in memory.
Win32/Hackdef saves the original code of multiple Windows system APIs and then patches those APIs where they reside in the memory allocated to various processes. The patched APIs can include exports from one or more of the following DLLs:
ntdll.dll
kernel32.dll
advapi32.dll
ws2_32.dll
wsock32.dll
If Win32/Hackdef infects a computer through a user account that has administrator privileges, it infects all current and future user sessions. If Win32/Hackdef infects a system through a user account that does not have administrator privileges, it infects the current and future sessions of that user only.
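The in-memory API patching described above leaves a measurable trace: the first bytes of a hooked export no longer match the same bytes in the DLL on disk. The following PowerShell script is an added example (it is not part of the Microsoft entry and is not the trojan's code) that reads a few ntdll.dll exports commonly hooked by user-mode rootkits from the running shell's own memory and compares them with the file in System32; the Probe.Native class name and the list of exports checked are this example's own choices.

```powershell
# Added example, not from the Microsoft entry or the trojan. Compares the first
# bytes of selected ntdll.dll exports in this process with the file on disk. A
# user-mode rootkit such as Win32/Hackdef overwrites these prologues to redirect
# the call; a difference is an indicator to investigate, not proof (some EDR
# products legitimately hook the same functions).
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet=CharSet.Ansi)] public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi)] public static extern IntPtr GetProcAddress(IntPtr module, string name);
'@
# File-system redirection hands a 32-bit shell the SysWOW64 copy automatically.
$disk = [System.IO.File]::ReadAllBytes((Join-Path $env:SystemRoot 'System32\ntdll.dll'))
# Minimal PE parse: the section table maps a module RVA back to a file offset.
$pe       = [BitConverter]::ToInt32($disk, 0x3C)
$numSecs  = [BitConverter]::ToUInt16($disk, $pe + 6)
$optSize  = [BitConverter]::ToUInt16($disk, $pe + 20)
$secTable = $pe + 24 + $optSize
$sections = for ($i = 0; $i -lt $numSecs; $i++) {
    $s = $secTable + 40 * $i
    [pscustomobject]@{
        VirtualSize      = [BitConverter]::ToUInt32($disk, $s + 8)
        VirtualAddress   = [BitConverter]::ToUInt32($disk, $s + 12)
        PointerToRawData = [BitConverter]::ToUInt32($disk, $s + 20)
    }
}
function Convert-RvaToFileOffset([int64]$rva) {
    foreach ($s in $sections) {
        if ($rva -ge $s.VirtualAddress -and $rva -lt ($s.VirtualAddress + $s.VirtualSize)) {
            return $rva - $s.VirtualAddress + $s.PointerToRawData
        }
    }
    throw ('RVA 0x{0:X} is outside every section' -f $rva)
}
# 64-bit Nt* stubs contain no relocations in their first 16 bytes; the 32-bit
# stubs carry a relocated address after the first 5, so compare only those.
$probe = if ([Environment]::Is64BitProcess) { 16 } else { 5 }
$base  = [Probe.Native]::GetModuleHandle('ntdll.dll')
# Exports a rootkit hooks to hide files, processes, registry keys and sockets.
foreach ($fn in 'NtQueryDirectoryFile', 'NtQuerySystemInformation', 'NtEnumerateKey',
                'NtEnumerateValueKey', 'NtDeviceIoControlFile') {
    $addr = [Probe.Native]::GetProcAddress($base, $fn)
    if ($addr -eq [IntPtr]::Zero) { continue }
    $mem = New-Object byte[] $probe
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $mem, 0, $probe)
    $file = New-Object byte[] $probe
    [Array]::Copy($disk, [int](Convert-RvaToFileOffset ($addr.ToInt64() - $base.ToInt64())), $file, 0, $probe)
    $memHex  = ($mem  | ForEach-Object { $_.ToString('X2') }) -join ' '
    $fileHex = ($file | ForEach-Object { $_.ToString('X2') }) -join ' '
    if ($memHex -eq $fileHex) { '{0,-26} matches disk' -f $fn }
    else { '{0,-26} DIFFERS  memory: {1}  disk: {2}' -f $fn, $memHex, $fileHex }
}
```

Because the script inspects only its own process, run it from a shell started on the suspect machine; a rootkit that hooks every new process will show up in that shell too, while a clean system reports every export as matching.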
Spreads via…
Networked computers
Win32/Hackdef.BJ searches for computers across a local network and attempts to compromise each one it discovers by exploiting vulnerabilities. If successful, the trojan can remotely install Backdoor:Win32/Hackdef.BJ on the target computer.
Payload
Allows remote access and control
Win32/Hackdef creates mailslots on an infected computer, which function as backdoors to exchange commands and information with attackers. The trojan creates a separate, private mailslot for each attacker to send commands to control trojan functionality on the target computer.
Analysis by Tim Liu