March 23, 2015
BackDoor.Yebot is spread by means of other malware, added to the Dr.Web virus database as Trojan.Siggen6.31836. When launched on the target machine, this malicious application injects its code into svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending the corresponding request to the remote server, downloads and decrypts BackDoor.Yebot, performs all the manipulations in its memory and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while being executed. To perform this action a malicious program reserves the memory that is automatically freed when the feature's code is executed). This malware also incorporates mechanisms to verify the virtual machine in a target system and bypass User Accounts Control.
BackDoor.Yebot possesses the ability to:
- run a FTP server on an infected computer;
- run a SOCKS 5 proxy server on an infected computer;
- modify the RDP protocol to provide remote access to the infected computer;
- log keystrokes on an infected PC (keylogging);
- set feedback with an infected PC for FTP, RDP and Socks5 if the network uses NAT (backconnect);
- intercept data by PCRE patterns (Perl Compatible Regular Expressions)—a library that implements the regular expression in Perl, for this reason the Trojan intercepts all possible features associated with web surfing;
- intercept SCard's tokens;
- inject arbitrary content into web pages loaded in browser windows (web injections);
- intercept various system functions, depending on the accepted configuration file;
- modify the code of the running process, depending on the accepted configuration file;
- interact with the various functional modules (plug-ins);
- take screenshots;
- search in the infected system for private keys.
BackDoor.Yebot utilizes standard HTTP protocol as well as native binary protocol to exchange data with the command and control server. In addition, the Trojan's C&C server employs the paranoid settings: e.g., it can add an IP address into a black list when the request is incorrect or there are too many requests from a single IP address.
Doctor Web analysts suggest that BackDoor.Yebot can be used by intruders as a banking Trojan: in fact, it is multi-purpose due to a wide range features and the ability to interact with various additional modules. Signatures of BackDoor.Yebot and Trojan.Siggen6.31836 have been added to the Dr.Web virus database, and, therefore, they poses no threat to computers protected with Dr.Web.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.