Showing posts with label RTLO.

Monday, July 25, 2011

Jul 12 RTLO rar with trojan Taidoor - former President Lee Teng-hui seriously ill

 
I wanted to release this one as part of a pack (several semi-related posts together), but that seems to take too long, so I am just posting it. This one is not much different from what you saw before: just another Taidoor trojan for your collection, sent inside an RTLO rar archive. According to the Microsoft Malware Protection Center, Trojan Taidoor / Rubinurd is a bot capable of downloading and uploading files to and from the attackers' server and executing commands on the system. It is prevalent in Taiwan (at least half of all detections are there) and is relatively new; it emerged in September 2010. This is a file sent in Taiwan from a Taiwan server.



Exploit Information

RTLO
More about RTLO is in “Right to Left Override unicode can be used for multiple spoofing cases” by Jordi Chancel:
"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE Unicode character, which always reverses the reading direction of the characters that follow it, including the extension of the malicious file! This Unicode character, whose name we will simplify to [RTLO], cannot be seen, owing to the fact that the character and its position are invisible. RTLO is used to reverse the reading direction of file names, including the extension of the file concerned, while keeping the same type of execution.
Example: a name such as “SexyPictureGirlAl[RTLO]gpj.exe” is read as “SexyPictureGirlAlexe.jpg”."
TROJAN TAIDOOR / RUBINURD (as payload)

It produces traffic like the following:
http://someipordomain/qfgkt.php?id=030696111D308D0E8D
The general pattern is http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy, where
aaaaa is a host or domain
bbbbb is a 5-character string
xxxxxx is a 6-character changing string
yyyyyyyyyyyy is a 12-character, more or less constant string, which is the encoded MAC address of the system
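As an added example (not from the original post, and not the trojan's or anyone's production code), the Python below applies that check-in pattern to a few constructed proxy log lines: it matches the 5-character script name and 18-character id, splits the id into the changing 6-character prefix and the 12-character suffix, and groups hits by the suffix so one infected machine can be followed across check-ins regardless of the changing prefix. The lowercase script name and the uppercase hex alphabet of the id are assumptions taken from the single sample above; the host, client addresses and timestamps are constructed.

```python
import re
from collections import defaultdict

# Shape of the Taidoor check-in described in the post:
#   http://<host>/<5 chars>.php?id=<6 changing chars><12 roughly constant chars>
# Assumptions (not stated on the page): the 5-char script name is lowercase
# letters and the id is uppercase hex, as in the one sample shown.
TAIDOOR_URL_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<script>[a-z]{5})\.php\?id="
    r"(?P<prefix>[0-9A-F]{6})(?P<suffix>[0-9A-F]{12})$"
)

# Constructed proxy log lines, "<timestamp> <client> <url>" (not real traffic).
# The last line is deliberately too short to match.
SAMPLE_LOG = """\
2011-07-12T09:00:01 10.0.0.15 http://someipordomain/qfgkt.php?id=030696111D308D0E8D
2011-07-12T09:05:02 10.0.0.15 http://someipordomain/qfgkt.php?id=1A2B3C111D308D0E8D
2011-07-12T09:06:10 10.0.0.22 http://www.example.com/index.php?id=12345
2011-07-12T09:10:03 10.0.0.15 http://someipordomain/qfgkt.php?id=77EE00111D308D0E8D
2011-07-12T09:11:00 10.0.0.31 http://someipordomain/qfgkt.php?id=ABCDEF0A1B2C3D4E5F
2011-07-12T09:12:00 10.0.0.31 http://someipordomain/qfgkt.php?id=0306
"""


def parse_line(line):
    """Return (timestamp, client, url) for one log line, or None if malformed."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def match_beacon(url):
    """Return the named groups if the URL fits the Taidoor pattern, else None."""
    m = TAIDOOR_URL_RE.match(url)
    return m.groupdict() if m else None


def find_beacons(log_text):
    """Scan log text; return one dict per matching line."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, url = parsed
        groups = match_beacon(url)
        if groups:
            hits.append({"ts": ts, "client": client, **groups})
    return hits


def group_by_suffix(hits):
    """Group hits by the constant 12-char suffix (the encoded MAC).

    Returns {suffix: sorted list of client IPs}. A suffix seen from exactly one
    client confirms that the changing prefix is noise and the suffix is the
    per-machine key to pivot on.
    """
    by_suffix = defaultdict(set)
    for h in hits:
        by_suffix[h["suffix"]].add(h["client"])
    return {s: sorted(c) for s, c in by_suffix.items()}


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['host']}/{h['script']}.php "
              f"prefix={h['prefix']} suffix={h['suffix']}")
    print(group_by_suffix(hits))
```

The regex is deliberately strict on the id length; a looser match on any `/xxxxx.php?id=` would fire on ordinary sites (the `index.php` line above has a five-letter script name too), so the 18-hex-character id is what carries the signal.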

Friday, June 24, 2011

Jun 17 SCR (RTLO) South China Sea Territorial Disputes Study Update with Taidoor



Exploit Information

More about RTLO is in “Right to Left Override unicode can be used for multiple spoofing cases” by Jordi Chancel:

"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE Unicode character, which always reverses the reading direction of the characters that follow it, including the extension of the malicious file! This Unicode character, whose name we will simplify to [RTLO], cannot be seen, owing to the fact that the character and its position are invisible. RTLO is used to reverse the reading direction of file names, including the extension of the file concerned, while keeping the same type of execution.
Example: a name such as “SexyPictureGirlAl[RTLO]gpj.exe” is read as “SexyPictureGirlAlexe.jpg”."
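The quoted explanation (here and in the Jul 12 post above) describes how a U+202E character makes `gpj.exe` render as `exe.jpg`. As an added example that is not part of either post or of Jordi Chancel's article, the Python below models that rendering for a file name, recovers the real extension the operating system will use, and flags names carrying bidi control characters, which is the check a mail gateway or archive scanner would apply to the entries of rar attachments like the ones in these posts. The rendering model (reverse everything after the first override) is a simplification of real bidi layout, and the sample file names are constructed.

```python
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the post calls [RTLO]

# Bidi control characters worth flagging in a file name. The post only
# discusses U+202E; the rest are the other Unicode directional controls.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}


def displayed_name(name):
    """Approximate how a file manager shows `name`: text after the first RLO
    is rendered reversed. Simplified model of bidi layout, enough for the
    extension spoof described in the post."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def _extension(name):
    """Lowercased text after the last dot, or '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def true_extension(name):
    """Extension the OS actually uses: taken from the raw name with the
    invisible control characters removed."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return _extension(stripped)


def apparent_extension(name):
    """Extension a user believes they see in the rendered name."""
    return _extension(displayed_name(name))


def analyze(name):
    """Describe one file name: raw form, rendered form, both extensions, the
    control characters found, and whether it should be flagged."""
    controls = sorted(
        f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
        for c in set(name) if c in BIDI_CONTROLS
    )
    true_ext = true_extension(name)
    shown_ext = apparent_extension(name)
    return {
        "raw": name,
        "shown": displayed_name(name),
        "controls": controls,
        "true_ext": true_ext,
        "shown_ext": shown_ext,
        # Any directional control in a file name is unusual; a mismatch
        # between the two extensions is the RTLO spoof itself.
        "suspicious": bool(controls),
        "extension_spoof": bool(controls) and true_ext != shown_ext,
    }


def flag_names(names):
    """Return the analyses of every name in an archive listing that is flagged."""
    return [r for r in (analyze(n) for n in names) if r["suspicious"]]


# Constructed archive listing modelled on the posts (not the real attachments).
SAMPLE_ARCHIVE_LISTING = [
    "South China Sea Territorial Disputes Study Update.doc",
    "SexyPictureGirlAl\u202egpj.exe",
    "notes\u202ecod.scr",
]

if __name__ == "__main__":
    for r in flag_names(SAMPLE_ARCHIVE_LISTING):
        print(f"shown as {r['shown']!r}, really .{r['true_ext']}: {r['controls']}")
```

Because `true_extension` works on the raw bytes of the name rather than its rendering, it gives the same answer whether or not the scanning tool's own display honours the override; that is the property a gateway check needs.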