This month we add another bot to the MSRT family list – Win32/Cycbot. Cycbot was discovered in August 2010 and has quickly become prevalent.
It seems that Cycbot’s creators called it “Gbot”, as it used this name as an identifier in the reports it would send back to its controllers. Recent variants of the malware have stopped using this identifier, possibly in an attempt to make detection more difficult, but the functionality hasn’t changed much. All of Cycbot’s communications are done using HTTP, including the retrieval of backdoor commands. As a backdoor, its functionality is limited to capabilities like updating itself and downloading and running other malware; we’ve seen it download Rogue:Win32/FakePAV in the past. Its main purpose, however, is more subtle.
Cycbot sets itself up as an HTTP proxy for any machine it affects. It does this by listening on a TCP port such as 54141 (this number varies), and then changing the browser’s proxy settings to point to this port on the local host. It can do this for Internet Explorer, Firefox and Opera.
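A defender-side check for the proxy hijack just described, added here as an example and not code from the original post or from MSRT: it parses a constructed Firefox prefs.js fragment and a constructed copy of Internet Explorer’s per-user ProxyEnable/ProxyServer values (the ones stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) and flags any manual proxy that points at the loopback interface, which is what Cycbot configures. The sample values, including port 54141, are assumptions taken from this post.

```python
import re
from typing import List, Tuple

# Constructed sample: Firefox prefs.js lines as they would look after a
# Cycbot-style hijack (hypothetical values, port taken from this post).
SAMPLE_PREFS_JS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 54141);
'''

# Constructed sample: Internet Explorer per-user proxy values (hypothetical).
SAMPLE_IE_SETTINGS = {"ProxyEnable": 1,
                      "ProxyServer": "http=127.0.0.1:54141;https=127.0.0.1:54141"}

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Matches user_pref("name", "string"); and user_pref("name", 123);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+))\);')


def parse_prefs_js(text: str) -> dict:
    """Parse user_pref lines into a dict; numeric values become int."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        key, sval, ival = m.groups()
        prefs[key] = int(ival) if ival is not None else sval
    return prefs


def suspicious_firefox_proxy(prefs: dict) -> List[Tuple[str, int]]:
    """Return (host, port) pairs for manual proxies aimed at the loopback interface."""
    hits = []
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        return hits
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host in LOOPBACK and isinstance(port, int):
            hits.append((host, port))
    return hits


def suspicious_ie_proxy(settings: dict) -> List[Tuple[str, int]]:
    """Parse ProxyServer ('host:port' or 'http=host:port;https=...') and flag loopback entries."""
    hits = []
    if settings.get("ProxyEnable") != 1:  # proxy not enabled, nothing to flag
        return hits
    for entry in settings.get("ProxyServer", "").split(";"):
        target = entry.split("=", 1)[-1]  # drop a 'http=' style scheme prefix if present
        host, _, port = target.rpartition(":")
        if host in LOOPBACK and port.isdigit():
            hits.append((host, int(port)))
    return hits
```

A loopback proxy is not malicious by itself (local filtering tools use the same trick), so treat a hit as a lead to correlate with the process listening on that port.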

By acting as proxy, Cycbot can intercept all HTTP traffic to and from the browser, which enables it to direct your browser wherever it wants. For example, it will take a search term you enter into your search engine and pass it to what is effectively an imitation search site – a site that directs you to anywhere that will pay them money for the referral. At best, this will lead to an advertisement that is unrelated to what you were searching for; however, often it leads to more malware. Right now, several of the “search” results that Cycbot loads attempt to install malware, including one page that looks quite familiar.


Spending as much time as I do looking at rogues, I am all too familiar with this kind of sham. This one is currently pushing Rogue:Win32/Winwebsec.
Cycbot is a type of “intermediate” malware – a means to an end, in many ways reminiscent of Win32/Renos. Controlling the browser can provide its creators with diverse ways of exploiting an affected user, while causing the user various kinds of pain.
– Hamish O’Dea

Posted on 10 February 2011.