January 24, 2013

Russian anti-virus company Doctor Web is warning users that a new backdoor has been found in large numbers in the wild. Dubbed BackDoor.Butirat.245, the program features a new routine to generate names of control servers to connect to. The most probable rationale behind this feature is to keep the malware operational as long as possible even if one of its controlling servers is shut down.

Recall that malware in the BackDoor.Butirat family can download and launch executables in an infected system after receiving an appropriate command from a control server and steal passwords stored by popular FTP-clients (FlashFXP, Total Commander, Filezilla, FAR, WinSCP, FtpCommander, SmartFTP and others).

Yet such backdoors use a rather common infection mechanism: they replicate themselves to a system folder and modify the registry so that the copy is launched automatically whenever Windows is loaded.

The distinguishing feature of BackDoor.Butirat.245 is a brand new routine to generate control server names. Earlier versions in the malware family had server names hardcoded. As was the case with the recently discovered version of BackDoor.BlackEnergy; Doctor Web's analysts, who examined BackDoor.Butirat.245, were in for a surprise: the program automatically generated third-level domain names. A respective second-level domain name turned out to be registered by a company that traditionally ignores any requests and complaints. Apparently, virus makers supposed that they could in this way increase the malicious program's persistence if one of their control servers is shut down.

The threat's signature has been added to Dr.Web virus databases, so BackDoor.Butirat.245 poses no threat to computers protected by Doctor Web anti-viruses.