
Dangerous backdoor threatens Windows users

March 23, 2015

Doctor Web analysts have examined a dangerous backdoor Trojan for computers running Windows. The malicious program, dubbed BackDoor.Yebot, can perform a wide range of destructive actions on an infected machine: among other things, it runs its own FTP and proxy servers, searches the system for information on the cybercriminals' command, logs keystrokes and sends screenshots to a remote server.

BackDoor.Yebot is distributed by means of another piece of malware, added to the Dr.Web virus database as Trojan.Siggen6.31836. When launched on the target machine, this loader injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. It then sends a request to the remote server, downloads and decrypts BackDoor.Yebot, performs all further manipulations in memory and transfers control to it. Some of Trojan.Siggen6.31836's functions are stored encrypted and are decrypted only at the moment they are executed: the loader reserves a memory region for the decrypted code, and that region is freed automatically once the function has run. The loader also incorporates mechanisms to check whether it is running inside a virtual machine and to bypass User Account Control (UAC).
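The injection pattern above (one loader process writing into svchost.exe, csrss.exe, lsass.exe and explorer.exe in quick succession) is itself a usable detection signal. The following detector is an example added to this write-up, not Dr.Web's code: it runs over constructed Sysmon-style CreateRemoteThread records (Event ID 8 field names, made-up values) and raises one alert for any untrusted image creating a thread in lsass.exe and one for a single source process fanning out into three or more of the four named targets. The trusted-directory allow-list is an assumption to be tuned per environment.

```python
"""Injection fan-out detector (example added to this write-up; not Dr.Web's code).

Flags the behaviour described above: one loader process creating remote
threads in svchost.exe, csrss.exe, lsass.exe and explorer.exe. Input records
are constructed for this example; field names follow Sysmon Event ID 8
(CreateRemoteThread), but every value is made up.
"""
from collections import defaultdict

# Processes the Trojan.Siggen6.31836 loader is reported to inject into.
YEBOT_TARGETS = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}

# Assumption: binaries under these directories may legitimately create remote
# threads in system processes. Tune this allow-list for your environment.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry: a loader in %TEMP% fans out into all four
# targets, followed by one benign event and one unrelated event type.
SAMPLE_EVENTS = [
    "EventID=8|SourceProcessId=4120|SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"
    "|TargetProcessId=652|TargetImage=C:\\Windows\\System32\\lsass.exe",
    "EventID=8|SourceProcessId=4120|SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"
    "|TargetProcessId=588|TargetImage=C:\\Windows\\System32\\csrss.exe",
    "EventID=8|SourceProcessId=4120|SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"
    "|TargetProcessId=904|TargetImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=8|SourceProcessId=4120|SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"
    "|TargetProcessId=2316|TargetImage=C:\\Windows\\explorer.exe",
    "EventID=8|SourceProcessId=560|SourceImage=C:\\Windows\\System32\\services.exe"
    "|TargetProcessId=904|TargetImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=1|ProcessId=5000|Image=C:\\Windows\\System32\\notepad.exe",
]


def parse_event(line):
    """Split a 'key=value|key=value' record (constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def from_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def detect_injection(lines):
    """Return a list of alert dicts for Yebot-style injection activity."""
    alerts = []
    fanout = defaultdict(set)   # source pid -> set of YEBOT_TARGETS it injected into
    source_image = {}           # source pid -> image path, for reporting
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue
        src, pid = ev["SourceImage"], ev["SourceProcessId"]
        tgt = image_name(ev["TargetImage"])
        if tgt not in YEBOT_TARGETS or from_trusted_dir(src):
            continue
        # Rule 1: any untrusted image touching lsass.exe is worth an alert on its own.
        if tgt == "lsass.exe":
            alerts.append({"rule": "remote-thread-into-lsass", "pid": pid,
                           "image": src, "targets": ("lsass.exe",)})
        fanout[pid].add(tgt)
        source_image[pid] = src
    # Rule 2: one source hitting three or more of the four targets matches the loader's fan-out.
    for pid, targets in fanout.items():
        if len(targets) >= 3:
            alerts.append({"rule": "yebot-style-injection-fanout", "pid": pid,
                           "image": source_image[pid], "targets": tuple(sorted(targets))})
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_EVENTS):
        print(alert["rule"], alert["pid"], alert["image"], ", ".join(alert["targets"]))
```

In real Sysmon deployments access to lsass.exe is usually visible as Event ID 10 (ProcessAccess) rather than 8; the same two rules apply to that event with the same SourceImage/TargetImage fields. The fan-out rule is the more robust of the two, since a loader that injects into csrss.exe, svchost.exe and explorer.exe from a user-writable directory has few legitimate explanations.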

BackDoor.Yebot is able to:

  • run an FTP server on the infected computer;
  • run a SOCKS 5 proxy server on the infected computer;
  • modify the RDP protocol handling to give the attackers remote desktop access to the infected computer;
  • log keystrokes on the infected PC (keylogging);
  • establish reverse connections (backconnect) for its FTP, RDP and SOCKS 5 services, so that the attackers can reach them even when the infected PC sits behind NAT;
  • intercept data matching PCRE patterns (Perl Compatible Regular Expressions, a library implementing Perl-style regular expressions), which lets the Trojan capture practically any data associated with web browsing;
  • intercept smart-card (SCard) tokens;
  • inject arbitrary content into web pages loaded in browser windows (web injects);
  • hook various system functions, depending on the received configuration file;
  • modify the code of a running process, depending on the received configuration file;
  • interact with various functional modules (plug-ins);
  • take screenshots;
  • search the infected system for private keys.
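The PCRE-based interception in the list above is what turns a generic backdoor into a banking Trojan, so it is worth seeing how little it takes. The following model is an example added to this write-up, not Dr.Web's code and not the Trojan's real configuration format (which is an assumption here): a hypothetical rule set pairs a URL pattern with a body pattern carrying named capture groups, and each captured request is tested against the rules. The point for defenders is where the patterns run: inside the hooked browser process, on the request body before TLS encryption, so HTTPS offers no protection and network-side inspection never sees the grab. Python's `re` module is not PCRE; the patterns stay within the syntax the two share. Site names and request bodies are constructed.

```python
"""Model of PCRE-driven data interception (example added to this write-up;
not Dr.Web's code, and the rule format is an assumption, not the Trojan's).

The hook sees the plaintext URL and body of every outgoing request, so the
rules below would fire on HTTPS traffic just as well as on HTTP.
"""
import re

# Assumed configuration: (URL pattern, body pattern with named capture groups).
# Only requests whose URL matches are inspected, which keeps the grabber quiet
# on sites the operators do not care about.
INTERCEPT_RULES = [
    (re.compile(r"^https://[^/]*\bexample-bank\.test/login"),
     re.compile(r"(?:^|&)user=(?P<user>[^&]+)&pass=(?P<pass>[^&]+)")),
    (re.compile(r"^https://[^/]*\bwebmail\.test/"),
     re.compile(r"password=(?P<pass>[^&]+)")),
]

# Constructed requests as the in-process hook would see them: plaintext even
# though every URL is https.
CAPTURED_REQUESTS = [
    ("https://www.example-bank.test/login", "user=alice&pass=hunter2&otp=123456"),
    ("https://webmail.test/auth", "login=bob&password=s3cret"),
    ("https://news.test/post", "comment=hello"),          # matches no rule
    ("https://www.example-bank.test/login", "lang=en"),   # URL matches, body does not
]


def intercept(url, body):
    """Return the fields captured by the first rule matching both URL and body, else None."""
    for url_re, body_re in INTERCEPT_RULES:
        if url_re.search(url):
            m = body_re.search(body)
            if m:
                return {"url": url, **m.groupdict()}
    return None


def grab_all(requests):
    """Apply the rule set to every captured request and keep only the hits."""
    return [hit for hit in (intercept(url, body) for url, body in requests) if hit]


if __name__ == "__main__":
    for hit in grab_all(CAPTURED_REQUESTS):
        print(hit)
```

Because the rules are delivered in the configuration file, the operators can retarget the same binary at new sites without touching the code, which is why such samples are classified by behaviour rather than by the sites they happen to target at analysis time.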

BackDoor.Yebot exchanges data with its command and control server over standard HTTP as well as over its own binary protocol. In addition, the C&C server is configured defensively: for example, it can blacklist an IP address when a request is malformed or when too many requests arrive from a single IP address.

Doctor Web analysts believe that intruders can use BackDoor.Yebot as a banking Trojan; in fact, it is a multi-purpose tool thanks to its wide range of features and its ability to interact with additional modules. Signatures of BackDoor.Yebot and Trojan.Siggen6.31836 have been added to the Dr.Web virus database, so they pose no threat to computers protected with Dr.Web.
