A dangerous backdoor threatens Windows users

Doctor Web analysts have been examining a dangerous backdoor Trojan for Windows computers. The malicious program, named BackDoor.Yebot, can carry out a wide range of actions on an infected machine: for example, run FTP and proxy servers, search the system for information on command from the cybercriminals, log keystrokes and send screenshots to a remote server.

BackDoor.Yebot is spread by another piece of malware, added to the Dr.Web virus database as Trojan.Siggen6.31836. Once launched on the target machine, this dropper injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending the appropriate request to the remote server, it downloads and decrypts BackDoor.Yebot, performs all the manipulations in its own memory area and hands control to it. Some of the Trojan.Siggen6.31836 functions are stored encrypted and are decrypted only at run time: for this, the malware reserves a memory area that is released automatically once the function has executed. The dropper also checks whether it is running in a virtual machine, and it has a mechanism to bypass Windows User Account Control (UAC).
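The injection into svchost.exe, csrss.exe, lsass.exe and explorer.exe described above is what a responder would hunt for on a suspect host. The following is an added example, not Doctor Web's code and not anything derived from the sample: it applies the standard memory-forensics heuristic (executable memory that is private and not backed by an image file on disk, the check behind Volatility's malfind) to a constructed list of memory regions of the kind a VAD walk reports. The process list, region records and the `Region` layout are assumptions made for the illustration.

```python
"""Hunting for code injected into svchost.exe, csrss.exe, lsass.exe or explorer.exe.

Added example (not Doctor Web's code, not derived from the sample). Code that
belongs in a process lives in MEM_IMAGE regions backed by a file on disk; an
executable region that is MEM_PRIVATE with no backing file is where injected or
unpacked code ends up. The region records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes the dropper is reported to inject into (from the article).
TARGET_PROCESSES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}

# Page protections that allow execution (Win32 PAGE_* names).
EXECUTABLE = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class Region:
    pid: int
    process: str
    base: int
    size: int
    protect: str               # current page protection
    region_type: str           # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE
    mapped_file: Optional[str]  # backing file, if any
    head: bytes                # first bytes of the region, for a quick PE check


def looks_like_pe(head: bytes) -> bool:
    """An unpacked payload often keeps its full PE header in memory."""
    return head[:2] == b"MZ"


def is_injected(r: Region) -> bool:
    """Executable memory that is not backed by an on-disk image."""
    if r.protect not in EXECUTABLE:
        return False
    if r.region_type == "MEM_IMAGE" and r.mapped_file:
        return False
    return True


def find_injected(regions: Iterable[Region],
                  processes: Optional[set] = TARGET_PROCESSES) -> List[Region]:
    """Return suspicious regions, optionally limited to the watched processes.

    Pass processes=None to scan everything; JIT engines and some packers also
    create private executable memory, so narrowing the scope cuts false positives.
    """
    return [
        r for r in regions
        if (processes is None or r.process.lower() in processes) and is_injected(r)
    ]


def describe(r: Region) -> str:
    kind = "PE image" if looks_like_pe(r.head) else "raw code"
    return (f"pid {r.pid} {r.process}: {kind} at {r.base:#x} "
            f"({r.size:#x} bytes, {r.protect}, {r.region_type})")


# Constructed sample: one clean image mapping, two injected regions in watched
# processes, one plain heap region and one private RWX region in another process.
SAMPLE_REGIONS = [
    Region(764, "svchost.exe", 0x7FF6A2C10000, 0x2000, "PAGE_EXECUTE_READ",
           "MEM_IMAGE", r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00"),
    Region(764, "svchost.exe", 0x1D4F0000, 0x10000, "PAGE_EXECUTE_READWRITE",
           "MEM_PRIVATE", None, b"MZ\x90\x00"),
    Region(1232, "explorer.exe", 0x02B30000, 0x1000, "PAGE_EXECUTE_READ",
           "MEM_PRIVATE", None, b"\x55\x8b\xec\x83"),
    Region(1232, "explorer.exe", 0x03000000, 0x4000, "PAGE_READWRITE",
           "MEM_PRIVATE", None, b"\x00\x00\x00\x00"),
    Region(4012, "notepad.exe", 0x05000000, 0x1000, "PAGE_EXECUTE_READWRITE",
           "MEM_PRIVATE", None, b"\x90\x90\x90\x90"),
]

if __name__ == "__main__":
    for region in find_injected(SAMPLE_REGIONS):
        print(describe(region))
```

Run against the constructed data it reports the private RWX region in svchost.exe (with an "MZ" header, i.e. a decrypted PE) and the private RX stub in explorer.exe, and ignores the image-backed code and the non-executable heap. One caveat for the watched set: from Windows 8.1 onwards csrss.exe runs as a protected process, and lsass.exe does too when LSA protection is enabled, which blocks ordinary user-mode injection into them; the heuristic itself applies unchanged to svchost.exe and explorer.exe.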

BackDoor.Yebot can:
- run an FTP server on the infected computer;
- run a SOCKS5 proxy server on the infected computer;
- modify the RDP protocol to provide remote access to the infected computer;
- log keystrokes on the infected PC (keylogging);
- set up a reverse channel (backconnect) from the infected PC for the FTP, RDP and SOCKS5 services, so that they stay reachable when the machine sits behind NAT;
- intercept data using PCRE (Perl Compatible Regular Expressions, a library implementing Perl-style regular expressions); to do this the Trojan hooks every function that could be involved in web browsing;
- intercept SCard (smart card) tokens;
- inject unwanted content into websites loaded in the browser (web injection);
- hook various system functions, depending on the configuration file it receives;
- interact with various functional modules (plugins);
- capture screenshots;
- search the infected system for private keys.
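What "intercepting data using PCRE" means in practice is a rule set of URL patterns and body patterns that the malware runs over every request its browser hooks see. The following is an added example, not BackDoor.Yebot's code and not its configuration format (the article does not describe that): it shows the general grabber mechanism of a banking Trojan. Python's `re` module stands in for PCRE, and the rules, hostnames and HTTP requests are constructed for the illustration.

```python
"""How a regex-driven grabber picks data out of intercepted web traffic.

Added example, not BackDoor.Yebot's code or configuration. Hooked browser
functions hand every request to the malware before TLS encrypts it, and a rule
set of URL patterns plus body patterns decides what is kept. Python's `re`
stands in for PCRE; rules, hostnames and requests below are constructed.
"""
import re
from typing import Dict, List, Tuple

Hit = Tuple[str, Dict[str, str]]

# A rule pairs a URL filter with a data pattern whose named groups are the
# fields to steal. Both rules are made up for this example.
GRAB_RULES = [
    {
        "name": "example-bank-login",
        "url": re.compile(r"^https://online\.example-bank\.test/login"),
        "data": re.compile(r"user=(?P<user>[^&]+)&pass=(?P<pass>[^&]+)"),
    },
    {
        # catch-all: a 14-19 digit run with optional space/dash separators
        "name": "any-card-number",
        "url": re.compile(r"."),
        "data": re.compile(r"(?P<pan>\b(?:\d[ -]?){13,18}\d\b)"),
    },
]


def grab(url: str, body: str, rules=GRAB_RULES) -> List[Hit]:
    """Run every rule whose URL filter matches over the body; collect named groups."""
    hits: List[Hit] = []
    for rule in rules:
        if not rule["url"].search(url):
            continue
        for m in rule["data"].finditer(body):
            hits.append((rule["name"], m.groupdict()))
    return hits


# Constructed POST bodies as the hooked functions would see them (plaintext,
# before TLS). Hostnames are fictitious.
SAMPLE_REQUESTS = [
    ("https://online.example-bank.test/login", "user=alice&pass=hunter2"),
    ("https://shop.test/checkout", "card=4111 1111 1111 1111&cvv=123"),
    ("https://shop.test/search", "q=hello"),
]


def run_samples() -> Dict[str, List[Hit]]:
    """Apply the rule set to each constructed request."""
    return {url: grab(url, body) for url, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for url, hits in run_samples().items():
        print(url, hits or "nothing grabbed")
```

The first request yields the login fields, the second the card number regardless of site, and the third nothing. The defensive point is that the match happens inside the browser process on plaintext, so HTTPS on the bank's side does not protect the data; only endpoint-side detection of the hooks and of the injected code stops it.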

BackDoor.Yebot exchanges data with its command-and-control (C&C) server over standard HTTP as well as over its own binary protocol. The C&C server is also configured in a paranoid way: for instance, it can blacklist an IP address that sends a malformed request or too many requests.

Doctor Web analysts suggest that BackDoor.Yebot can be used by criminals as a banking Trojan, chiefly because it is so versatile: it has a wide range of functions and can interact with additional modules. Signatures for BackDoor.Yebot and Trojan.Siggen6.31836 have been added to the Dr.Web virus database, so they pose no threat to computers protected by Dr.Web.

source: Doctor Web


