Destructive backdoor Trojan threatens Windows systems

New variants of malware come and go with depressing regularity, but some have capabilities that offer more cause for concern than others.

The latest piece of scary software comes from researchers at security company Doctor Web who have uncovered a new Trojan dubbed BackDoor.Yebot that's capable of carrying out a wide range of destructive actions on an infected machine.

It's spread via another piece of malware, Trojan.Siggen6.31836. When launched on the target machine, this injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending a request to the remote server it then downloads and decrypts BackDoor.Yebot and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while it's being executed). It also incorporates mechanisms to verify the virtual machine in a target system and bypass User Account Control.

Once active on an infected system BackDoor.Yebot has a range of capabilities. It can run an FTP server or a SOCKS 5 proxy server on an infected computer, it can also modify the RDP protocol to provide remote access to the machine.

It has the ability to log keystrokes and can intercept surfing activity by capturing PCRE (Perl Compatible Regular Expressions) patterns. It's able to inject arbitrary content into web pages loaded in browser windows too.

As well as monitoring and interfering with your surfing it can intercept various system functions, modify the code of the running process, interact with plug-ins, take screenshots, and search in the infected system for private keys.

BackDoor.Yebot communicates with its C&C servers using standard HTTP protocol as well as native binary protocol and it has the ability to blacklist IP addresses if they're unavailable or getting too much traffic.

Doctor Web's analysts suggest that BackDoor.Yebot is being used as a banking Trojan, but its range of abilities suggests it's been designed as a piece of multi-purpose malware. It has already been added to the Dr.Web virus database and more technical detail on the infection can be found on the company's website.

Image Credit: Spectral-Design / Shutterstock