Exploit Leads to Remote Code Execution

Malware authors use existing software vulnerabilities in order to place their piece of malicious code onto the victim's system

Zero-day exploits have been extremely popular and prolific this year – so popular that they have become one of the most important sources of malware dissemination. That is also the case with an interesting malicious duo starring Exploit.CVE-2010-3962.B as the infection vector and Win32.Backdoor.Banito.A as the ultimate payload.

Win32.Backdoor.Banito.A acts as a companion virus, which means that it “hijacks” executable files that are larger than zero bytes. When the infection is triggered, the Trojan creates a copy of every application that is running at that point, but strips the copy of its executable extension. Right after that, it injects its viral code into the original executable file, which allows it to launch whenever the user tries to open the original program. Win32.Backdoor.Banito.A is, however, careful not to infect files that belong to popular browsers, instant messaging applications, antiviruses, games, text and image processing software, or to the operating system itself.

Furthermore, it also adopts the icon of the original file and other resources, in order to complete its disguise and look exactly like the file it impersonates.

Win32.Backdoor.Banito.A also checks from time to time whether there are further running processes that have not been infected yet. If it finds new applications, it immediately creates companions for them as well. This way, each and every running process on the system ends up with a “personal” companion at some point. When executed, the infected application still runs properly, which makes the Trojan extremely difficult to detect.

As an extra precaution, Win32.Backdoor.Banito.A creates a backup file with the .bak extension, just in case the original file is deleted.
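The companion technique described above leaves a recognisable footprint on disk: an extensionless copy sitting next to a non-empty .exe, plus a .bak backup. The following Python scan for that footprint is an added example, not code from the original article or from BitDefender; the exact .bak naming (stem.bak or name.bak) and the sample file list are assumptions.

```python
import ntpath
import os

# Constructed sample listing (path, size in bytes); not taken from a real infection.
SAMPLE = [
    ("C:\\Tools\\editor.exe", 40960),   # hijacked original
    ("C:\\Tools\\editor", 40960),       # companion copy with the extension removed
    ("C:\\Tools\\editor.bak", 40960),   # backup kept in case the original is deleted
    ("C:\\Tools\\readme.txt", 120),
    ("C:\\Tools\\clean.exe", 1024),     # no artefacts beside it
    ("C:\\Tools\\empty.exe", 0),        # zero-byte files are not hijacked per the writeup
    ("C:\\Tools\\empty", 0),
]


def companion_candidates(entries):
    """entries: iterable of (path, size_in_bytes).
    Returns a list of (exe_path, [artefacts found beside it])."""
    by_dir = {}
    for path, size in entries:
        directory, name = ntpath.split(path)
        # Windows names are case-insensitive, so key on the lowercase form.
        by_dir.setdefault(directory, {})[name.lower()] = (name, size)
    findings = []
    for directory, names in by_dir.items():
        for key, (name, size) in names.items():
            stem, ext = ntpath.splitext(key)
            if ext != ".exe" or size == 0:
                continue
            # Assumed artefact names: "<stem>", "<stem>.bak" or "<name>.bak".
            evidence = [names[k][0] for k in (stem, stem + ".bak", key + ".bak") if k in names]
            if evidence:
                findings.append((ntpath.join(directory, name), evidence))
    return findings


def scan_directory(root):
    """Walk a real directory tree and apply the same check to what is on disk."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                entries.append((p, os.path.getsize(p)))
            except OSError:
                pass  # unreadable entry; skip it rather than abort the scan
    return companion_candidates(entries)


if __name__ == "__main__":
    for exe, artefacts in companion_candidates(SAMPLE):
        print(f"{exe}: companion artefacts {artefacts}")
```

A hit is a lead for a closer look (hash comparison against a known-good copy, resource and icon inspection), not a verdict on its own.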

Additionally, Win32.Backdoor.Banito.A acts as a backdoor and accepts commands sent over TCP/IP and UDP. Analysis revealed that the backdoor takes screenshots of the desktop, captures the web-cam feed, and sends information about the users and administrators, as well as about the installed drives and the operating system. It may also shut down or restart the system, delete, copy and/or rename files, create directories, or list the files in certain directories.

The technical information in this article is available courtesy of BitDefender virus researcher Doina Cosovan.

About the author

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.