November 15, 2013

Russian anti-virus company Doctor Web is warning users about the wide distribution via Skype of a banking Trojan from the family BackDoor.Caphaw. The first half of November 2013 saw the peak of its dissemination. BackDoor.Caphaw can steal account information stored by remote banking software as well as other confidential information stored on a compromised machine.

The Trojan BackDoor.Caphaw has been infecting computers throughout the past year. It is mainly spread by means of various exploits (such as the BlackHole exploit pack). However, the Trojan can also copy itself to removable media and network drives. The second half of October 2013 witnessed a growing number of incidents involving BackDoor.Caphaw being spread via Skype. The trend reached its climax in the period from November 5-14. In order to infect computers over Skype, criminals send out messages under accounts used in systems that are already infected. Messages include a link to an archive with the name invoice_XXXXX.pdf.exe.zip (where XXXXX is an arbitrary string of digits). In turn, the archive contains an executable file, which is the Trojan program BackDoor.Caphaw.

When launched in an infected system, the Trojan copies itself into a randomly named file located in one of the application folders and modifies the system registry entry responsible for starting applications automatically. To thwart attempts to analyse the Trojan, the malware can identify whether it is being launched on virtual machines.

If BackDoor.Caphaw is installed successfully, it will inject its code into running processes and connect to a server controlled by attackers. This Trojan monitors users’ activity to determine whether they connect to a remote banking system. If they do, BackDoor.Caphaw can embed arbitrary content into web pages loaded by users and intercept information entered by them in various web forms.

The backdoor can also record streaming video on an infected computer and transfer it to the criminals' server as an RAR archive. In addition, BackDoor.Caphaw can retrieve from a remote server and run additional modules that implement different features, such as finding and transferring passwords stored by FTP clients to criminals, and VNC server implementation. There is also a bootkit module for infecting the master boot record. A separate module is responsible for sending malignant links via Skype.

Dr.Web Anti-virus detects this threat and eliminates BackDoor.Caphaw if it attempts to penetrate a protected system. However, users should exercise caution and refrain from loading links in Skype messages received even from trusted contacts because their computers may already be compromised by BackDoor.Caphaw. If your system has been compromised by the malware, Doctor Web recommends that you start Windows in safe mode and run a full system scan with the free curing utility Dr.Web CureIt! or use Dr.Web LiveCD.