Lucene search

threatpostBrian DonohueTHREATPOST:FD10AC519CED65941707BDEC532611CA
HistoryAug 15, 2012 - 3:51 p.m.

Bafruz Backdoor Disables Antivirus, Intercepts Communications With Social Media Sites

Brian Donohue

There’s a new family of malware that’s using a complex set of capabilities to disable antimalware and listen in on sessions between users and some social networks. Bafruz is essentially a backdoor trojan that also is creating a peer-to-peer network of infected computers.

This month’s Microsoft Malicious Software Removal Tool (MSRT) release will include the Win32/Bafruz family. Bafruz’s capabilities include the ability to uninstall antivirus and security products, intercept social media communications sites like Facebook and Vkontakte, install Bitcoin mining software, and perform denial of service attacks. It also communicates with other infected machines across a peer-to-peer protocol in order to download new components onto host machines, according to the Microsoft Malware Protection Center.

The payload seems to start by terminating a long list of security processes listed in its code. It then displays a fake system alert that looks like that of any standard rogue AV attack. The difference, according to Microsoft, is that this fake-alert isn’t asking for money to remove a threat. All it wants is for infected users to reboot their machines. If a user complies with the alert and clicks the ‘remove’ option, it will cause the computer to reboot in safe mode where Bafruz can remove the components of any anti-virus products.

Even if a user doesn’t click the reboot option, Bafruz will execute a force reboot into safe mode anyway. Microsoft claims that Bafruz’s list of AV and security processes is actually used by the backdoor component to disable any AV products once booted in safe mode. Once the reboot is complete users will see this message.

Microsoft believes the alerts are tailored specifically to mimic a variety of security products. The warningss the MIcrosoft researchers saw purport to come from MSE. They warn that Bafruz may in fact be capable of masquerading as any number of security products you might have installed on your machine.

The presence of any of the following files is a tell-tale sign of infection: btc_server.exe, client_8.exe, ddhttp.exe, gbot_loader.exe, iecheck12.exe, loader2.exe, loader_rezerv.exe, udp.exe, and/or w_distrib.exe%windir%proc_list1.log. There are also a number of registry modifications you’ll want to look out for, which can be found here.