Analysis of BioNet 3.12

Client Part of Trojan

After obtaining the trojan, I proceeded to start up the client part. Nothing indicates that the client part of this trojan is in itself a trojan. No open ports, no suspicious file writes, nothing suspicious written to the registry. Thus, the client part of the trojan is most likely "clean".

The client includes the following features:

  • Remotely update server
  • Get system information
  • Remotely install an application
  • File manager
  • Window manager
  • Task list
  • Clipboard viewer
  • Registry editor
  • Chat functions
  • Key logger
  • Mouse controller
  • Display manager
  • Printer manager
  • Webcam control
  • Screenshot capture
  • Internet Explorer cache viewer
  • Internet Explorer start page modifier
  • Open/close CD-ROM
  • Change screen saver
  • Change Windows color scheme
  • PC speaker player
  • Desktop manager
  • Password stealer
  • Remote shutdown/reboot
  • DUN manager
  • IGMP attack launcher
  • Port redirector
  • Plugin manager
  • File finder
  • Port scanner
Yes, there are a lot of features in this trojan. This version easily measures up to the later versions of SubSeven.

Server Configuration Utility

The server configuration utility allows an adversary to tailor the BioNet server to suit his needs. Settings that can be made with this utility include the following:
  • Server password
  • Communication port
  • Data port
  • Use of random ports
  • Server filename
  • Name of registry autostart key
  • Notification settings
  • Drop file error message
  • Anti-security software settings
  • Delayed execution of server
  • IRC bot settings
  • Keylogger settings
  • CGI settings
  • File joining
I configured the server to use the standard ports, try to disable security software and to use a password. To test the claims that BioNet can shut down and permanently disable security software, I installed AVP 3.5 and ZoneAlarm 2.1.44 on my sandbox computer. These products are both among the security products that the BioNet readme file claims can be disabled by the trojan.

Trojan Server

Anti-Security Software Techniques

I now went on to execute the trojan server. The configuration of the sandbox computer was a clean installation of Windows 98 with AVP 3.5 and ZoneAlarm 2.1.44. After double-clicking server.exe, I was surprised to note that both my resident AVP monitor and ZoneAlarm immediately died. It seems that the trojan did what it claimed with these security applications after all.

A closer look at the registry activity of the trojan revealed that it queried the existence of the following keys in the registry:

  HKEY_LOCAL_MACHINE\Software\WRQ\IAM\Installation Info\
  HKEY_LOCAL_MACHINE\Software\TinySoftware\WinRoute\
  HKEY_LOCAL_MACHINE\Software\McAfee\McAfee Firewall\
  HKEY_LOCAL_MACHINE\Software\MooSoft Development\The Cleaner\
  HKEY_LOCAL_MACHINE\Software\Signal 9 Solutions\ConSeal PC Firewall\
Several of these are keys that are put in place by the installation programs of security software such as ConSeal PC Firewall and McAfee Firewall. It appears that BioNet looks for the existence of these programs on the compromised computer by looking in the registry. The fact that neither ZoneAlarm nor AVP is queried in this way led me to believe that the trojan finds these by the name of their executable file.

To test my hypothesis, I decided to make a copy of notepad.exe and name it zonealarm.exe. With the BioNet server running, I started this Notepad with a modified exe-filename, and waited to see what would happen. Sure enough, only a few seconds after Notepad started, it mysteriously disappeared off the screen. Tried again - same result. So it appears that BioNet has a list of "not-wanted" applications that it checks against running programs every few seconds. If the module filename of a running process (i.e. the name of its executable) matches any entry in this list, it is terminated.

This made me curious, and I wondered if searching the executable file of the BioNet server for strings would yield anything interesting. Of course, the server was packed with UPX, but unpacking it took only a few seconds since I had a Command Prompt open and ready for use. After decompressing the server, I used my own EXESnooper software to locate all the strings in the executable file. After only a little searching I hit the mother lode! The below strings all appeared adjacent in the executable file!

[0x9D98D] AVP32
[0x9D9A1] AVPCC
[0x9D9B5] AVPM
[0x9D9C8] AVP32
[0x9D9DC] AVPCC
[0x9D9F0] AVPM
[0x9DA04] AVP
[0x9DA14] NAVAPW32
[0x9DA2C] NAVW32
[0x9DA40] ICLOAD95
[0x9DA58] ICMON
[0x9DA6C] ICSUPP95
[0x9DA84] ICLOADNT
[0x9DA9C] ICSUPPNT
[0x9DAB4] IFACE
[0x9DAC8] ANTS
[0x9DADC] Anti-Trojan
[0x9DAF4] iamapp
[0x9DB08] iamserv
[0x9DB1C] FRW
[0x9DB2C] blackice
[0x9DB44] blackd
[0x9DB58] zonealarm
[0x9DB70] vsmon
[0x9DB84] WrCtrl
[0x9DB98] WrAdmin
[0x9DBAC] cleaner3
[0x9DBC4] cleaner
[0x9DBD8] tca
[0x9DBE8] MooLive
[0x9DBFC] lockdown2000
[0x9DC18] Sphinx
[0x9DC2C] VSHWIN32
[0x9DC44] VSECOMR
[0x9DC58] WEBSCANX
[0x9DC70] AVCONSOL
[0x9DC88] VSSTAT
All of the above strings are the names of executable files for different security applications. For example, navw32 is the name of the executable file for the Norton Antivirus scanner. So the above strings are most likely the only means that BioNet has at its disposal to determine which applications it should consider "hostile" and terminate.

In addition, at the very end of the executable file, I found the following:

[0xBED5B] avpkillerTimer
avpkillerTimer? That sounds more than a little suspicious to me. In fact, since BioNet is written in Delphi, and with my background in Delphi programming, I am rather certain that this is how BioNet performs its anti-security software check:

Every five seconds, a timer is triggered, causing the following to occur:

  1. BioNet retrieves the names of all the currently running executable files
  2. It checks to see if any of them match the above strings
  3. If a match is found, a call to TerminateProcess is made to kill the application
The conclusion is then that for the time being, one can avoid having security software terminated by BioNet by renaming the executable file of the security product. (Provided, of course, the software doesn't complain about this.)
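As an added example (not code from the original analysis), the following Python turns the finding above into a defensive triage check: it scans an unpacked executable image for the kill-list names from the string dump and flags a dense cluster of them, which is what the table at 0x9D98D looks like. The sample bytes are constructed here, not taken from the BioNet binary; the 24-byte stride, the 8-name threshold and the 0x400-byte window are assumptions.

```python
import re

# Process names BioNet 3.12 compares against running programs, copied from the
# string dump of the unpacked server (duplicates dropped, original casing kept).
BIONET_KILL_NAMES = [
    "AVP32", "AVPCC", "AVPM", "AVP", "NAVAPW32", "NAVW32", "ICLOAD95", "ICMON",
    "ICSUPP95", "ICLOADNT", "ICSUPPNT", "IFACE", "ANTS", "Anti-Trojan", "iamapp",
    "iamserv", "FRW", "blackice", "blackd", "zonealarm", "vsmon", "WrCtrl",
    "WrAdmin", "cleaner3", "cleaner", "tca", "MooLive", "lockdown2000", "Sphinx",
    "VSHWIN32", "VSECOMR", "WEBSCANX", "AVCONSOL", "VSSTAT",
]
_KILL_SET = {n.lower() for n in BIONET_KILL_NAMES}

# Printable-ASCII runs of three or more bytes, i.e. what a strings tool extracts.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{3,}")

def find_killlist_strings(data: bytes):
    """Return [(offset, string)] for each ASCII run in an *unpacked* image that
    equals a kill-list name (case-insensitive, like the process-name match)."""
    hits = []
    for m in _ASCII_RUN.finditer(data):
        s = m.group().decode("ascii")
        if s.lower() in _KILL_SET:
            hits.append((m.start(), s))
    return hits

def is_kill_table(hits, min_hits=8, window=0x400):
    """True when at least min_hits kill-list names fall inside `window` bytes.
    One product name is common in benign software; a dense table of them, like
    the one at 0x9D98D in the unpacked server, is the killer's own list."""
    offsets = [o for o, _ in hits]
    for i, start in enumerate(offsets):
        in_window = sum(1 for o in offsets[i:] if o - start <= window)
        if in_window >= min_hits:
            return True
    return False

# Constructed sample: a fake unpacked image with a Delphi-style table of the
# names, each padded with NULs to an assumed 24-byte stride, after filler bytes.
SAMPLE_UNPACKED = (b"MZ" + b"\x90" * 300
                   + b"".join(n.encode().ljust(24, b"\x00") for n in BIONET_KILL_NAMES))
# Constructed benign sample: one stray product name, which should not trigger.
SAMPLE_BENIGN = b"\x00" * 100 + b"zonealarm\x00" + b"\x00" * 100 + b"Hello World\x00"

if __name__ == "__main__":
    for offset, name in find_killlist_strings(SAMPLE_UNPACKED):
        print(f"[0x{offset:X}] {name}")
    print("kill table present:", is_kill_table(find_killlist_strings(SAMPLE_UNPACKED)))
```

Run it against a UPX-unpacked copy of a suspect file by passing its bytes to find_killlist_strings; a packed file yields nothing, exactly as the author found before decompressing.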

Modified Registry Entries

BioNet stores assorted configuration information under the key HKEY_LOCAL_MACHINE\software\GCI\BioNet 3. With the default server name (LibUpdate.exe) and the default registry entry name, the following key is created by the BioNet server to make it autostart every time windows starts:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  WinLibUpdate="C:\Windows\libupdate.exe -hide"
where C:\Windows\ is the path to your Windows directory.

Conclusion

BioNet 3.12 has evolved a lot since its earlier versions, and is now fully comparable to later SubSeven versions. The fact that it attempts to kill security software makes it particularly nasty, although that can be easily bypassed (for now). As always, your best bet is to scan any downloaded executables with a good trojan/virus scanner before running them. (In fact, even that might not help with the file binding function included in the BioNet server configuration utility.)