
BackDoor.Butirat steals user data and intercepts browser traffic

28 October 2011

Doctor Web's virus analysts have registered an increased number of BackDoor.Butirat modifications in the wild. These malicious programs can download various files from the Internet, send information from the infected machine to criminals and intercept web browser traffic.

BackDoor.Butirat programs have been known since 2010. Today the Dr.Web virus database contains entries for more than 20 modifications of this Trojan horse. Interestingly, this program maintains its popularity among criminals and can be downloaded from various sites distributing malware. Doctor Web analysts believe that the wide spread of this malware may be connected with the relative simplicity of modifying it. In addition, intruders repack new versions of the malware regularly to complicate its detection.

Earlier BackDoor.Butirat modifications spread as DLL files written in C++. The Trojan horse sent queries to banner exchange networks to activate certain banners. It was classified as a backdoor mainly because it could execute directives sent by a remote command center, for example a command to update itself.

Later BackDoor.Butirat implementations came with more diverse features. For example, BackDoor.Butirat.25, added to the virus database in October 2011, not only processes remote commands but also alters the date in its PE header so that each copy has a different file hash. This BackDoor.Butirat is also used to generate banner clicks.
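Rewriting the PE header date defeats plain file-hash blocklists, so a defender wants two things: a plausibility check on the link timestamp and a hash that ignores that field. The following is an added example (not Doctor Web's code, and it operates on a constructed stub header rather than a real sample) that reads the COFF TimeDateStamp, flags implausible values and computes a SHA-256 with the timestamp zeroed.

```python
import hashlib
import struct
from datetime import datetime, timezone

def pe_timestamp_offset(data: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp field of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    return e_lfanew + 8

def pe_timestamp(data: bytes) -> int:
    """Return the 32-bit link timestamp (seconds since the Unix epoch)."""
    (ts,) = struct.unpack_from("<I", data, pe_timestamp_offset(data))
    return ts

def timestamp_is_suspicious(ts: int, now: int, earliest: int = 946684800) -> bool:
    """True if the link time is zero, before 2000-01-01 UTC, or later than `now`."""
    return ts == 0 or ts < earliest or ts > now

def sha256_ignoring_timestamp(data: bytes) -> str:
    """SHA-256 over the image with TimeDateStamp zeroed, so copies that differ
    only in a rewritten link date hash to the same value."""
    off = pe_timestamp_offset(data)
    normalized = data[:off] + b"\0\0\0\0" + data[off + 4:]
    return hashlib.sha256(normalized).hexdigest()

def build_stub_pe(ts: int) -> bytes:
    """Constructed minimal MZ + PE header (not a real sample) carrying link time `ts`."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, optional header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    now = int(datetime(2011, 10, 28, tzinfo=timezone.utc).timestamp())
    plausible = build_stub_pe(1317427200)    # 2011-10-01 00:00 UTC
    rewritten = build_stub_pe(0x7FFFFFFF)    # year 2038: impossible for a 2011 build
    for sample in (plausible, rewritten):
        ts = pe_timestamp(sample)
        print(hex(ts), timestamp_is_suspicious(ts, now), sha256_ignoring_timestamp(sample))
```

The two stubs have different raw hashes but an identical normalized hash, which is the property a blocklist keyed on the normalized value relies on.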

Trojan horses of the BackDoor.Butirat family create the file netprotocol.exe in the ApplicationData folder and add an entry for it to the autorun section of the Windows Registry. The main danger posed by BackDoor.Butirat programs lies in their ability to download and launch other applications and to send various files found on the compromised system to criminals. For instance, BackDoor.Butirat typically downloads Trojan.Hosts.5006 onto infected machines to steal online banking access passwords.

In addition, certain BackDoor.Butirat modifications can intercept the incoming and outgoing traffic of various browsers (mainly Internet Explorer, Firefox and Opera), so criminals can monitor search requests sent to Yandex, Google, Yahoo, Nigma and Bing, and redirect the browser to sites on a list the Trojan horse receives from a remote control center.

Doctor Web's virus laboratory registers new BackDoor.Butirat modifications regularly, and they are added to the Dr.Web virus database in a timely manner. Systems running Doctor Web anti-virus products are well protected from this threat.
