PS3 Jailbreak Trojan

August 25, 2010

The SonicWALL UTM Research team received reports of a new PS3 Jailbreak Trojan being distributed in the wild. This Trojan is actually a new variant of Trojan Spatet packaged together with a PS3 Jailbreak Tool. This tool purportedly allows gamers to use their PS3 console without the game's original disc. However, users who download this tool get infected by a Trojan Backdoor that steals information from their system.

The release of this Trojan comes after a real PS3 Jailbreak USB Stick has been released and is currently gaining popularity among PS3 gamers.

Arrival & Installation:

This trojan may arrive in the system after being downloaded from the following URL:

  • http://www.fol{REMOVED}8e3979fb14

As the user installs the PS3 Jailbreak tool, it will also install the following:

  • %Temp%\hahahaha.exe (282 KB) - [ detected as GAV: Rebhip.A (Virus) ]
  • %Temp%\abc2.exe (563 KB) - [ detected as GAV: Spatet.B (Trojan) ]
  • %System%\temptempp.exe - [ detected as GAV: Spatet.B (Trojan) ]

It creates a mutex to ensure that only one instance of the application runs on the system:

  • {UserName}{Random Number}

(Note: %Temp% is the Temporary Folder, which is usually C:\Documents and Settings\{User}\Local Settings\Temp. %System% is the Windows System folder, which is usually C:\Windows\System32)

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    Value: "Policies"
    Data: ""C:\WINDOWS\system32\temptempp.exe""
  • Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    Value: "Policies"
    Data: ""C:\WINDOWS\system32\temptempp.exe""
  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "HKCU"
    Data: ""C:\WINDOWS\system32\temptempp.exe""
  • Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "HKLM"
    Data: ""C:\WINDOWS\system32\temptempp.exe""

It adds the following registry entries as part of its installation:

  • Key: [HKEY_CURRENT_USER\Software\ps3]
    Value: "FirstExecution"
    Value: "NewGroup"
    Value: "NewIdentification"
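
For triage, the key and value-name pairs listed above can be matched against a registry export (.reg text) taken from a suspect host. The following is an added example, not part of the original advisory: the function name, the sample export and its placeholder executable paths are constructed, and the WOW6432Node handling goes beyond the advisory to cover 32-bit writes on 64-bit Windows.

```python
import re

RUN = r"software\microsoft\windows\currentversion\run"
POL = r"software\microsoft\windows\currentversion\policies\explorer\run"
# (key, value name) pairs from the advisory, lower-cased because
# registry key and value names are case-insensitive.
IOCS = {
    ("hkey_current_user\\" + POL, "policies"),
    ("hkey_local_machine\\" + POL, "policies"),
    ("hkey_current_user\\" + RUN, "hkcu"),
    ("hkey_local_machine\\" + RUN, "hklm"),
    ("hkey_current_user\\software\\ps3", "firstexecution"),
    ("hkey_current_user\\software\\ps3", "newgroup"),
    ("hkey_current_user\\software\\ps3", "newidentification"),
}
# A .reg value line: "name"=data, where the name may contain escaped characters.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def scan(reg_text):
    """Return [(key, value_name, raw_data)] for entries matching the advisory."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            # 32-bit writes on 64-bit Windows land under WOW6432Node; fold that away.
            norm = key.lower().replace("\\wow6432node", "")
            if (norm, m.group(1).lower()) in IOCS:
                hits.append((key, m.group(1), m.group(2)))
    return hits

# Constructed sample export; executable paths are placeholders, not advisory values.
# Real exports from regedit are UTF-16; decode them before calling scan().
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="\"C:\\placeholder\\sample.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="\"C:\\placeholder\\sample.exe\""

[HKEY_CURRENT_USER\Software\ps3]
"FirstExecution"="placeholder"
'''

if __name__ == "__main__":
    for key, name, data in scan(SAMPLE):
        print(f"{key} :: {name} = {data}")
```

A match is a lead for further triage: compare the reported data against the dropped file locations listed above before treating the host as infected.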

Anti-Debugging Technique:

This Trojan employs the following Anti-Debugging/Anti-Analysis techniques before it proceeds with execution:

  • Checks if it is running inside a Virtual machine
  • Checks if it is running inside a Debugger
  • Checks if it is running under the following Automated Analysis Tools:
    • Anubis
    • CWSandbox
    • JoeBox

Information Stealing:

It collects information from the following:

  • Stored IE Account Information
  • Stored Mozilla Firefox Account Information
  • RAS Accounts
  • Browser Autocomplete Forms Content
  • Windows Live Account Information
  • Current User Name
  • Computer Name and IP Address

After it collects the information, it sends it to a remote server over HTTP.

Command & Control (C&C) Server connection:

It tries to connect to a remote server to receive further instructions and to send collected information:

  • ownedbynob{REMOVED}biz:35578
  • hackfre{REMOVED}.com
  • steamgi{REMOVED}.at

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Rebhip.A
  • GAV: Rebhip.A_2
  • GAV: Spatet.B (Trojan)