PS3 Jailbreak Trojan (Aug 25, 2010)

SonicWALL UTM Research team received reports of a new PS3 Jailbreak Trojan being distributed in the wild. This Trojan is actually a new variant of Trojan Spatet packaged together with a PS3 Jailbreak Tool. This tool purportedly will allow gamers to use their PS3 console without the games original disc. However, users who download this tool get infected by a Trojan Backdoor that steals information from their system.

The release of this Trojan comes after a real PS3 Jailbreak USB Stick has been released and is currently gaining popularity among PS3 gamers.

Arrival & Installation:

This trojan may arrive in the system after being downloaded from the following URL:

http://www.fol{REMOVED}8e3979fb14

The installer of this Trojan looks like this:

screenshot

The PS3 Jailbreak tool looks like this:

screenshot

As the user installs the PS3 Jailbreak tool, it will also install the following:

%Temp%hahahaha.exe (282 KB) - [ detected as GAV: Rebhip.A (Virus) ]
%Temp%abc2.exe (563 KB)- [ detected as GAV: Spatet.B (Trojan) ]
%System%temptempp.exe - [ detected as GAV: Spatet.B (Trojan) ]

It will create Mutex to ensure that only one instance of the application runs in the system:

{UserName}{Random Number}

(Note: %Temp% is the Temporary Folder, which is usally C:Documents and Settings{User}Local SettingsTemp%System% is the Windows System folder, which is usually C:WindowsSystem32)

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

Key:
Value: "Policies"
Data: ""C:WINDOWSsystem32temptempp.exe""
Key:
Value: "Policies"
Data: ""C:WINDOWSsystem32temptempp.exe""
Key:
Value: "HKCU"
Data: ""C:WINDOWSsystem32temptempp.exe""
Key:
Value: "HKLM"
Data: ""C:WINDOWSsystem32temptempp.exe""

It adds the following registry entries as part of its installation:

Key:
Value: "FirstExecution"
Value: "NewGroup"
Value: "NewIdentification"

Anti-Debugging Technique:

This Trojan employs the following Anti-Debugging/Anti-Analysis technique before it proceeds execution:

Checks if its running inside a Virtual machine
Checks if its running inside a Debugger
Checks if its running under the following Automated Analysis Tools:
- Anubis
- CWSandbox
- JoeBox

Information Stealing:

It collects information from the following:

Stored IE Account Information
Stored Mozilla Firefox Account Information
RAS Accounts
Browser Autocomplete Forms Content
Windows Live Account Information
Current User Name
Computer Name and IP Address

After it collects information, it will send them to a remote server through HTTP protocol.

Command & Control (C&C) Server connection:
It tries to connect to a remote server to receive further instruction and to send collected information:

ownedbynob{REMOVED}biz:35578
hackfre{REMOVED}.com
steamgi{REMOVED}.at

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Rebhip.A
GAV: Rebhip.A_2
GAV: Spatet.B (Trojan)

screenshot

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.