Shopping with HAXDOOR

October 10 – following in the footsteps of BKDR_HAXDOOR.JG, which was detected being hosted on a travel policy Web site, another variant of this prevalent backdoor family was discovered being spammed in the wild.


According to FIRST, the Forum of Incident Response and Security Teams, samples of this backdoor – detected by Trend Micro as BKDR_HAXDOR.AU – may arrive as an attachment to an email message supposedly coming from Wal-Mart (yes, as in the popular American superstore), Dell, Circuit City, or Sony. Based on the sample message, by disguising itself as an Order Summary for a Sony VAIO laptop computer in a “self-extracting archive”, it targets 1) computer users who frequently use the stores’ “Internet shop” to purchase items with their credit card, or 2) computer users who have never used their credit card to purchase expensive items and may thus be alarmed that their card has been wrongly charged more than $2000. Very fitting, especially because one of this backdoor’s routines includes logging keystrokes, which a remote malicious user may then use to steal critical user information (like… credit card account numbers).
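As an added, defender-side illustration of the lure described above (this is not code from the original post or from Trend Micro): a mail-gateway check that flags a message carrying an executable attachment, identified by its PE magic bytes rather than its filename, when the message also reads like an order summary from one of the retailers named here. The brand list, phrase list and the sample message are constructed assumptions, not captured spam.

```python
import email
from email import policy
from email.message import EmailMessage

# Retailers the lure impersonates, per the post (Wal-Mart, Dell, Circuit City, Sony).
LURE_BRANDS = ("wal-mart", "walmart", "dell", "circuit city", "sony")
LURE_PHRASES = ("order summary", "order confirmation", "your order")
PE_MAGIC = b"MZ"  # Windows executables, self-extracting archives included, start with this.

def is_executable(part) -> bool:
    """True when an attachment's decoded payload is a Windows PE file, whatever its name says."""
    if part.get_content_disposition() != "attachment":
        return False
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == PE_MAGIC

def assess(msg: EmailMessage) -> dict:
    """Score a parsed message for the executable-'order summary' lure pattern."""
    text = " ".join(filter(None, [msg.get("Subject", ""), msg.get("From", "")]))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content()
    text = text.lower()  # plain substring matching; crude, but it is a lure heuristic, not a parser
    findings = []
    if any(brand in text for brand in LURE_BRANDS):
        findings.append("retailer brand in lure")
    if any(phrase in text for phrase in LURE_PHRASES):
        findings.append("order/invoice wording")
    exe_names = [p.get_filename() for p in msg.iter_attachments() if is_executable(p)]
    if exe_names:
        findings.append("executable attachment: " + ", ".join(exe_names))
    # An executable "order summary" from a retailer is the pattern itself: quarantine it.
    verdict = "quarantine" if exe_names and len(findings) >= 2 else ("review" if findings else "clean")
    return {"verdict": verdict, "findings": findings}

def assess_raw(raw: bytes) -> dict:
    """Parse raw RFC 5322 bytes the way a gateway would, then assess."""
    return assess(email.message_from_bytes(raw, policy=policy.default))

# Constructed sample modelled on the post's description (not a real HAXDOOR message).
SAMPLE = EmailMessage(policy=policy.default)
SAMPLE["From"] = "Sony Store <orders@example.invalid>"
SAMPLE["To"] = "victim@example.invalid"
SAMPLE["Subject"] = "Order Summary - Sony VAIO notebook ($2,149.00)"
SAMPLE.set_content("Thank you for your purchase. Your order summary is attached as a self-extracting archive.")
SAMPLE.add_attachment(b"MZ" + b"\x00" * 62, maintype="application", subtype="octet-stream",
                      filename="Order_Summary.exe")

def assess_sample() -> dict:
    return assess_raw(SAMPLE.as_bytes())

if __name__ == "__main__":
    print(assess_sample())
```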


With two HAXDOOR variants with two different means of propagation detected in a span of just three days, it seems that this backdoor family is attempting to cast a wider net for potential victims. Shocking? Not really… considering that the family has had enough facelifts – what with its inclusion of rootkit technology and a more complex autostart routine that allows it to run even in safe mode – to make Joan Rivers proud. Reaching out to a wider… “audience” seems to be the next logical step.


Speaking of audience, isn’t the HAXDOOR family also known for being spammed with those e-Bay “Rechnung” email messages? Makes one wonder what shop or store will get targeted next…