Backdoor:Win32/Bafruz


Backdoor:Win32/Bafruz is a multi-component family of backdoor trojans that can perform a number of different actions on your computer, such as:

  • Uninstall antivirus and security products
  • Intercept social media webpages such as Facebook and Vkontakte in order to hijack conversations
  • Install Bitcoin mining software
  • Perform denial of service attacks

Bafruz communicates with other Bafruz-infected computers via a peer-to-peer (P2P) protocol in order to update and download its components onto your computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Backdoor:Win32/Bafruz consists of a number of different executable components, each responsible for one of the backdoor's payloads. Once a Bafruz component is running on your computer, it may download the other components from other Bafruz-infected computers connected through a P2P network.

The different components have been observed using file names such as those listed below:

  • btc_server.exe
  • client_8.exe
  • ddhttp.exe
  • gbot_loader.exe
  • iecheck12.exe
  • loader2.exe
  • loader_rezerv.exe
  • udp.exe
  • w_distrib.exe

Depending on the component running on your computer, Backdoor:Win32/Bafruz may install itself in a number of different ways. The following are file locations that the different Bafruz components have been known to copy themselves to:

  • %windir%\l1rezerv.exe
  • %windir%\services32.exe
  • %windir%\sysdriver32.exe
  • %windir%\sysdriver32_.exe
  • %windir%\systemup.exe
  • %windir%\update<number>\svchost.exe
  • %windir%\update<number>\svchostdriver.exe

Bafruz may also create registry entries in order to execute these copies at each Windows start. For instance, the following are registry entries observed being created by the different Bafruz components:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysdriver32.exe"
With data: "%Windows%\sysdriver32.exe" rezerv

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysdriver32_.exe"
With data: "%Windows%\sysdriver32_.exe" rezerv

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wxpdrv"
With data: "%Windows%\services32.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "l1rezerv.exe"
With data: "%Windows%\l1rezerv.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "systemup"
With data: "%Windows%\systemup.exe"

Additional files may also be created by the various Bafruz components as a part of its payload, for instance:

%windir%\proc_list1.log - contains a list of the processes executing on your computer

Payload

Removes antivirus products

One of the Backdoor:Win32/Bafruz components is used to uninstall certain antivirus or security products that may be running on your computer. It does this by checking for running processes known to belong to these products. It targets the following products:

  • Agava Firewall
  • Avast Antivirus
  • AVG Anti-virus
  • Avira AntiVir
  • Comodo Antivirus
  • Dr. Web
  • ESET NOD32 Antivirus
  • ESET Smart Security
  • ESET SysInspector
  • ESET SysRescue
  • Kaspersky Anti-Virus 2009
  • Kaspersky Anti-Virus 2010
  • Kaspersky Anti-Virus 2011
  • Kaspersky Anti-Virus 7
  • Kaspersky Anti-Virus 7.0
  • Kaspersky Internet Security 2009
  • Kaspersky Internet Security 2010
  • Kaspersky Internet Security 2011
  • Kaspersky Internet Security 7
  • Kaspersky Internet Security 7.0
  • McAfee Antivirus
  • Microsoft Defender
  • Microsoft Security Essentials
  • Norton Antivirus
  • Outpost Firewall
  • Outpost Firewall Pro 7.0
  • Panda Antivirus

If any of the above-listed products are found, Win32/Bafruz displays the following alert warning you that a virus was detected on your computer and that a reboot is required to remove it:

If you reboot your computer, Backdoor:Win32/Bafruz ensures that it starts in safe mode and uninstalls the antivirus or security product that is installed on your computer. It then displays a fake alert in the taskbar informing you that the security product that has been uninstalled is now running in enhanced protection mode. For example, the following is an alert displayed after Bafruz has uninstalled Microsoft Security Essentials:

Downloads and executes files

Backdoor:Win32/Bafruz is able to communicate with other Bafruz-infected computers in order to download additional components onto your computer. It contains a list of hardcoded servers and IP addresses that it connects to in order to obtain a list of peers connected to the peer-to-peer (P2P) network. Some of the servers it may contact include the following:

  • bmp-forwindows.com
  • chrome-update.ru
  • drivers-z2012.com
  • free-dns-server1.com
  • free-pac.net
  • my-dns-lists.com
  • newdrivers-win7.com
  • office-important-update.com
  • supercarsinfo.net
  • torrents-list-srv.com

The requests made to these servers are commonly in the following format:

hxxp://<server>/distrib_serv/ip_list.php

Through the network, it can also obtain a list of URLs that point to additional components to download. Most of these components belong to the Bafruz family and are used to perform the backdoor's different payloads. Additionally, Bafruz has been observed downloading TrojanDropper:Win32/Sirefef.B onto the computer using the following file name:

gbot_loader.exe
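As an added illustration (not part of the original write-up), the following Python script flags proxy-log requests that match the peer-list request format and server names above. The log line layout is an assumption, and the log content is constructed.

```python
import re
from urllib.parse import urlsplit

# The peer-list servers and request path named in the Bafruz write-up.
BAFRUZ_SERVERS = {
    "bmp-forwindows.com", "chrome-update.ru", "drivers-z2012.com",
    "free-dns-server1.com", "free-pac.net", "my-dns-lists.com",
    "newdrivers-win7.com", "office-important-update.com",
    "supercarsinfo.net", "torrents-list-srv.com",
}
PEER_LIST_PATH = "/distrib_serv/ip_list.php"
# Assumed proxy log layout: "<timestamp> <client ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def classify_request(url):
    """Reason string for a Bafruz-related request, or None for anything else."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    known = host in BAFRUZ_SERVERS or any(host.endswith("." + s) for s in BAFRUZ_SERVERS)
    if known and parts.path == PEER_LIST_PATH:
        return "peer-list request to known Bafruz server"
    if known:
        return "contact with known Bafruz server"
    if parts.path == PEER_LIST_PATH:  # same path on an unlisted host: candidate new server
        return "Bafruz peer-list path on unlisted host"
    return None

def scan_proxy_log(text):
    """Return (timestamp, client ip, url, reason) for every matching log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        reason = classify_request(url)
        if reason:
            hits.append((ts, client, url, reason))
    return hits

# Constructed sample log (documentation addresses, no real traffic).
SAMPLE_LOG = """\
2011-08-29T10:00:01Z 10.0.0.5 GET http://chrome-update.ru/distrib_serv/ip_list.php 200
2011-08-29T10:00:03Z 10.0.0.5 GET http://www.example.com/index.html 200
2011-08-29T10:02:10Z 10.0.0.9 GET http://203.0.113.7/distrib_serv/ip_list.php 200
2011-08-29T10:05:00Z 10.0.0.5 GET http://torrents-list-srv.com/ 404
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```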

Modifies security settings

Some of the Backdoor:Win32/Bafruz components may add themselves to the list of applications that are authorized to access the Internet without being stopped by the Windows Firewall. For example, the following registry modification may be made:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%Windows%\update<number>\svchost.exe"
With data: "%Windows%\update<number>\svchost.exe:*:enabled:%Windows%\update<number>\svchost.exe"

Win32/Bafruz may also download a file with the name "resetsr.exe" that modifies the System Restore option in Windows by modifying the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Modifies value: "DisableSR"
With data: "0"
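As an added example (not from the original write-up), the following Python script checks the Run key entries from the Installation section and the firewall AuthorizedApplications entry above against the documented indicators. The sample dictionaries are constructed; on a Windows host, read_hklm_values reads the live keys.

```python
import re
# Indicators from the Bafruz write-up: the Run value names with the data each carries
# (the trailing "rezerv" argument is part of the indicator) and the firewall entry.
BAFRUZ_RUN_VALUES = {
    "sysdriver32.exe": re.compile(r"\\sysdriver32\.exe\"?\s+rezerv$", re.I),
    "sysdriver32_.exe": re.compile(r"\\sysdriver32_\.exe\"?\s+rezerv$", re.I),
    "wxpdrv": re.compile(r"\\services32\.exe$", re.I),
    "l1rezerv.exe": re.compile(r"\\l1rezerv\.exe$", re.I),
    "systemup": re.compile(r"\\systemup\.exe$", re.I),
}
FIREWALL_PATTERN = re.compile(r"\\update\d+\\svchost\.exe:\*:enabled:", re.I)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
def triage_registry(run_values, firewall_values):
    """Match value-name -> data dicts from the two keys; return (key, name, reason)."""
    findings = []
    for name, data in run_values.items():
        pattern = BAFRUZ_RUN_VALUES.get(name.lower())
        if pattern and pattern.search(str(data)):
            findings.append(("Run", name, "Bafruz autostart entry"))
    for name, data in firewall_values.items():
        if FIREWALL_PATTERN.search(str(data)):
            findings.append(("FirewallPolicy", name, "Bafruz component authorised"))
    return findings

def read_hklm_values(path):  # every value under an HKLM key; {} off Windows or if absent
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the value count
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = data
    except OSError:
        pass
    return values
# Constructed sample: the write-up's entries next to a benign autostart value.
SAMPLE_RUN = {"sysdriver32.exe": r'"C:\Windows\sysdriver32.exe" rezerv',
              "wxpdrv": r"C:\Windows\services32.exe",
              "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"}
SAMPLE_FIREWALL = {r"C:\Windows\update7\svchost.exe":
                   r"C:\Windows\update7\svchost.exe:*:enabled:C:\Windows\update7\svchost.exe"}

if __name__ == "__main__":  # the sample first, then the live keys when run on Windows
    print(triage_registry(SAMPLE_RUN, SAMPLE_FIREWALL))
    print(triage_registry(read_hklm_values(RUN_KEY), read_hklm_values(FIREWALL_LIST_KEY)))
```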

Mines Bitcoins

Two of the Backdoor:Win32/Bafruz components, using the file names btc_server.exe and client_8.exe, are primarily used to perform Bitcoin mining on your computer; this could potentially allow unauthorized use of your computer's resources to generate Bitcoins.

The btc_server.exe component is used as a Bitcoin server that listens for incoming traffic from other peers performing Bitcoin mining. The client_8.exe component downloads a number of Bitcoin mining applications onto your computer in order to perform the mining, including the following:

  • phoenix.exe (Phoenix miner)
  • rpcminer-cpu.exe (RPC miner)
  • ufa.exe (Ufasoft miner)

The server component will also attempt to terminate any existing Bitcoin server that is running on the computer by terminating the following processes:

  • bitcoin.exe
  • bitcoind.exe
  • namecoind.exe

Perform denial of service attacks

Backdoor:Win32/Bafruz is capable of performing Distributed Denial of Service (DDoS) attacks against a list of websites it obtains from its control servers. Through the components udp.exe and ddhttp.exe, Bafruz downloads a list of sites that it can then perform DDoS attacks against using the UDP and HTTP protocols.

Intercepts social networking traffic

Backdoor:Win32/Bafruz is capable of intercepting the login information you enter when you visit social networking sites such as Facebook and Vkontakte. Using these credentials, Win32/Bafruz can then send messages or post links to your friends and contacts. Bafruz intercepts this login information by creating a proxy server on the local host and directing Facebook and Vkontakte traffic through this proxy. It does this by adding the following list of social networking websites to the Hosts file, located at "<system folder>\drivers\etc\hosts":


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
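Added example, not part of the original write-up: a Python hosts-file triage that flags any entry pinning facebook.com, vk.com, vkontakte.ru, odnoklassniki.ru, mts.ru or mpoisk.ru (the domains in this section's hosts-file list) to any address, since such entries have no legitimate purpose. The sample hosts content is constructed.

```python
import os

# Domains the Bafruz write-up shows being pinned in the hosts file. A hosts entry for
# any of these (or a subdomain) is a finding whatever address it points at; Bafruz's
# own proxy sits on the local host, so loopback is the expected pattern.
HIJACKED_DOMAINS = ("facebook.com", "vk.com", "vkontakte.ru", "odnoklassniki.ru",
                    "mts.ru", "mpoisk.ru")
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

def is_hijack_target(hostname):
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in HIJACKED_DOMAINS)

def find_hosts_hijacks(hosts_text):
    """Return (line number, ip, hostname, is_loopback) for each entry that pins a
    targeted domain; comments and blank lines are skipped."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if is_hijack_target(name):
                hits.append((lineno, ip, name, ip in ("127.0.0.1", "::1")))
    return hits

# Constructed sample: stock comment lines plus Bafruz-style redirections.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1 facebook.com www.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 vk.com login.vk.com
10.0.0.2 spb.mts.ru
192.168.1.10 intranet.example.local
"""

if __name__ == "__main__":
    text = SAMPLE_HOSTS
    if os.path.exists(HOSTS_PATH):  # on Windows, triage the real file instead
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for hit in find_hosts_hijacks(text):
        print(hit)
```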

Additional information

A number of registry entries may be created by the different components of Bafruz to store version information or for the malware family's own use, for example:

In subkey: HKLM\SOFTWARE\btcclient
Sets value: "ver"
With data: "<number>", for example "1.62"
Sets value: "close"
With data: "0" or "1"
Sets value: "mainer_cmd"
With data: "0"

In subkey: HKLM\SOFTWARE\systemdrv64
Sets value: "close"
With data: "0"
Sets value: "currentsptime"
With data: "0"
Sets value: "time"
With data: <value>

Analysis by Amir Fouda


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    btc_server.exe
    client_8.exe
    ddhttp.exe
    gbot_loader.exe
    iecheck12.exe
    loader2.exe
    loader_rezerv.exe
    udp.exe
    w_distrib.exe
    %windir%\proc_list1.log

  • The presence of the following registry modifications:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "sysdriver32.exe"
    With data: "%Windows%\sysdriver32.exe" rezerv

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "sysdriver32_.exe"
    With data: "%Windows%\sysdriver32_.exe" rezerv

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "wxpdrv"
    With data: "%Windows%\services32.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "l1rezerv.exe"
    With data: "%Windows%\l1rezerv.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "systemup"
    With data: "%Windows%\systemup.exe"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "%Windows%\update<number>\svchost.exe"
    With data: "%Windows%\update<number>\svchost.exe:*:enabled:%Windows%\update<number>\svchost.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    Modifies value: "DisableSR"
    With data: "0"

  • The display of the following alerts:




Prevention


Alert level: Severe
First detected by definition: 1.111.1016.0
Latest detected by definition: 1.127.2061.0 and higher
First detected on: Aug 29, 2011
This entry was first published on: Aug 29, 2011
This entry was updated on: Aug 14, 2012

This threat is also detected as:
No known aliases