Backdoor.Sykipot At Work
- Thursday, March 11, 2010, 6:31
- Threat Research
Following our earlier blog post, Zero-Day Attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software, which covered the recent IE zero-day, we thought it would be interesting to look at an in-the-wild attack that uses this vulnerability and at the resulting payload.
In what is thought to be a targeted attack, the targets were duped into visiting the site Topix21century.com, which was registered only recently, on March 6, 2010. Once the site is visited and the target is exploited using JS.Sykipot, the victim ends up with Backdoor.Sykipot installed on their system. Backdoor.Sykipot's main aim seems to be gathering system information and sending it back to the command & control (C&C) server hosted on topix21century.com. The gathering of system information in this case is probably just one stage in the overall attack. To achieve its goal, Backdoor.Sykipot creates the following files in the %Temp% folder.
Gnotes.dat – An encrypted configuration data file downloaded from the C&C server.
Tgnotes.dat – A decrypted, plain-text version of Gnotes.dat.
Pnotes.dat – A plain-text version of information gathered.
Tpnotes.dat – An encrypted version of Pnotes.dat sent back to the C&C server.
These files are used for receiving commands and sending back the command results to the C&C server. Each time Backdoor.Sykipot connects back to the C&C server and uploads the file Tpnotes.dat, it deletes the four files and gets a new configuration file by (continue reading...)
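As an added example (not Symantec's code and not part of the original post), a small Python triage routine that checks a %Temp%-style directory for the four file names listed above and scans proxy log lines for contact with the C&C domain. The Squid-style log format, the sample log lines and the client addresses are constructed assumptions; only the file names and the domain come from the post.

```python
import re
import tempfile
from pathlib import Path

# File names the post says Backdoor.Sykipot writes to %Temp%, and its C&C host.
SYKIPOT_FILES = {"gnotes.dat", "tgnotes.dat", "pnotes.dat", "tpnotes.dat"}
C2_DOMAIN = "topix21century.com"

# Constructed Squid-style proxy lines (timestamp client method url); the format
# and the client addresses are assumptions, only the domain is from the post.
SAMPLE_PROXY_LOG = [
    "1268292000.123 10.0.0.5 GET http://topix21century.com/",
    "1268292010.456 10.0.0.7 GET http://www.example.org/",
    "1268292020.789 10.0.0.5 POST http://www.topix21century.com/",
]

def find_temp_artifacts(temp_dir):
    """Return the Sykipot file names present in temp_dir (case-insensitive, sorted)."""
    present = {p.name.lower() for p in Path(temp_dir).iterdir() if p.is_file()}
    return sorted(SYKIPOT_FILES & present)

def find_c2_contacts(log_lines):
    """Return (client, host) for lines whose URL host is the C&C domain or a subdomain."""
    host_re = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)
    hits = []
    for line in log_lines:
        m = host_re.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            fields = line.split()
            hits.append((fields[1] if len(fields) > 1 else "?", host))
    return hits

def triage(temp_dir, log_lines):
    """Report both indicator types: the backdoor deletes the four files after each
    upload, so an empty artefact list alone does not clear the host."""
    artifacts = find_temp_artifacts(temp_dir)
    contacts = find_c2_contacts(log_lines)
    return {"temp_artifacts": artifacts, "c2_contacts": contacts,
            "suspicious": bool(artifacts or contacts)}

def make_sample_temp_dir():
    """Build a constructed %Temp% look-alike holding two of the four files."""
    d = Path(tempfile.mkdtemp())
    for name in ("Gnotes.dat", "Tpnotes.dat", "unrelated.txt"):
        (d / name).write_bytes(b"constructed sample content")
    return str(d)
```

Because the four files are transient, pairing the file check with proxy or DNS logs for the domain gives a more reliable signal than either indicator alone.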