The backdoor story is a classic. In practice, this kind of threat boils down to a remote attacker illicitly gaining access to the victim's computer and, eventually, taking it over completely. With its "doors" wide open, the affected machine is a perfect place for harvesting sensitive data, to say the least. All hell breaks loose when the infected computer is turned into a server that several other criminal minds, not only the initial attacker, can reach and send commands to. OK, we've heard that before. But what's new this time? A certain kind of magic that goes by the name of Visual Basic .NET. Let's see what the recipe is in this case.
Step 1: Dust the chopping board with some Visual Basic .NET. This makes the whole thing twice as tasty. First, the compiled code (MSIL, which is where the detection name comes from) runs on any machine that has the .NET Framework installed. Since the framework ships pre-installed with every Windows version from Vista onwards, all of those systems can run this threat out of the box, with no extra runtime to fetch.
Second, unlike languages such as C++, .NET-based languages make it easy to accomplish quite a lot with only a couple of lines of code. That will probably lead to more malicious programs being written this way, and to more efficient and productive future generations of malware writers.
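The "MSIL" in the detection name and the dependency on the .NET Framework are useful at triage time: a .NET executable can be told apart from a native one without running it, because the CLR requires a non-empty CLR header (PE data directory 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR). The following PowerShell function is an added example, not code from the article or from the Trojan; it parses the PE headers from disk so that the sample is never loaded into a process. The function name and the folder used in the usage line are assumptions made here.

```powershell
# Added example (not from the article): tell a managed (.NET / MSIL) executable from a
# native one by reading the PE headers on disk. A managed image carries a non-empty
# IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (data directory 14); native binaries leave it empty.
function Test-ManagedAssembly {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {       # "MZ"
        throw "$Path has no DOS header"
    }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)                              # e_lfanew
    if ($peOff -le 0 -or $peOff + 26 -gt $b.Length -or
        [BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) {              # "PE\0\0"
        throw "$Path has no PE signature"
    }
    $optOff = $peOff + 24                      # 4-byte signature + 20-byte COFF file header
    $magic  = [BitConverter]::ToUInt16($b, $optOff)
    switch ($magic) {
        0x10B   { $dirOff = $optOff + 96  }    # PE32:  data directories start at offset 96
        0x20B   { $dirOff = $optOff + 112 }    # PE32+: data directories start at offset 112
        default { throw ("{0}: unknown optional-header magic 0x{1:X}" -f $Path, $magic) }
    }
    $numDirs = [BitConverter]::ToUInt32($b, $dirOff - 4)                    # NumberOfRvaAndSizes
    if ($numDirs -le 14 -or $dirOff + 15 * 8 -gt $b.Length) { return $false }   # no CLR slot
    $clrRva  = [BitConverter]::ToUInt32($b, $dirOff + 14 * 8)
    $clrSize = [BitConverter]::ToUInt32($b, $dirOff + 14 * 8 + 4)
    return ($clrRva -ne 0 -and $clrSize -ne 0)
}

# Usage: list managed executables under a folder (the folder is just an example).
Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { try { Test-ManagedAssembly $_.FullName } catch { $false } } |
    Select-Object FullName
```

Reading the header yourself is deliberate: the alternative, `[System.Reflection.AssemblyName]::GetAssemblyName($path)`, answers the same question (it throws `BadImageFormatException` for a native PE) but maps the file into the PowerShell process, which is not what you want to do with a suspected backdoor. Note that the check only says "this needs the CLR"; it says nothing about whether the code is VB.NET or C#, since both compile to the same MSIL.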
Step 2: Add a good pinch of salt and pepper. Backdoor.MSIL.Bot.A looks for specific antivirus solutions that might be installed on the target machine and tries to kill their processes. This behaviour is in itself fairly uncommon, as not all Trojans come with antivirus-killing routines. What is even more striking is how long this piece of malware's antivirus hit list is: longer even than those of Trojans built specifically to disable security software.
Step 3: Gently work all the other ingredients into the mix. This piece of malware has several quite interesting backdoor capabilities. For instance, it steals information from Firefox profiles (e.g. user names and passwords) by loading and calling several of Mozilla Firefox's own libraries rather than bringing its own code for the job. Its Uninstall capability adds to the flavour: when commanded to, it completely removes the Trojan (the file and its registry keys) for which it opened the way into the system. Backdoor.MSIL.Bot.A also starts a new thread that continuously sends screenshots (much like a Print Screen) to the remote attacker.
Step 4: Cover in cling film and DON'T leave it to rest. To avoid drawing the user's attention, the Trojan sets the opacity of its own window to 0, making it completely transparent and therefore practically invisible. It is not a shy Trojan, though. Unlike its siblings, which minimise their window, move it off the visible screen area or simply never show it, Backdoor.MSIL.Bot.A leaves the window shown: as far as Windows is concerned it is an ordinary visible top-level window that merely draws nothing, so its icon turns up when Alt+Tab is pressed and the user can switch to the invisible window.
Fig 1. The “invisible” window exposed
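The two traits described in Steps 3 and 4 are observable on a live host, which makes them usable for hunting. The PowerShell script below is an added example, not code from the article or from the Trojan. It enumerates top-level windows that Windows still treats as visible (and therefore keeps in the Alt+Tab list unless they are tool windows) but whose layered alpha is 0, which is exactly what a WinForms `Form.Opacity = 0` produces, and it lists processes other than Firefox that have Firefox's NSS library mapped. Two assumptions not stated on the page: that the Firefox libraries the Trojan loads include nss3.dll (the library Firefox itself uses to decrypt stored logins), and the names `Hunt.Windows`, `FindFullyTransparent` and `Find-ForeignNssLoaders`, which are chosen here. The form created at the end is a harmless stand-in, constructed for the demo so that the first check has something to find; it is not the malware.

```powershell
# Added example (not from the article or the Trojan): hunt for the invisible-window trick
# of Step 4 and the Firefox-library loading of Step 3 on a live Windows host.
if (-not ('Hunt.Windows' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

namespace Hunt {
  public class HiddenWindow {
    public IntPtr Handle; public uint Pid; public string Title; public bool ToolWindow;
  }
  public static class Windows {
    const int  GWL_EXSTYLE      = -20;
    const int  WS_EX_TOOLWINDOW = 0x00000080;   // tool windows are left out of Alt+Tab
    const int  WS_EX_LAYERED    = 0x00080000;   // set by WinForms when Form.Opacity < 1
    const uint LWA_ALPHA        = 0x2;

    delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern int  GetWindowLong(IntPtr hWnd, int nIndex);
    [DllImport("user32.dll")] static extern bool GetLayeredWindowAttributes(IntPtr hWnd, out uint crKey, out byte bAlpha, out uint dwFlags);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int max);

    // Top-level windows that Windows considers visible but whose layered alpha is 0,
    // i.e. windows that are on screen and in the window list yet draw nothing.
    public static List<HiddenWindow> FindFullyTransparent() {
      var found = new List<HiddenWindow>();
      EnumWindows((h, l) => {
        if (!IsWindowVisible(h)) return true;
        int ex = GetWindowLong(h, GWL_EXSTYLE);
        if ((ex & WS_EX_LAYERED) == 0) return true;
        uint key, flags; byte alpha;
        // Fails for UpdateLayeredWindow-style windows, which have no attributes to read.
        if (!GetLayeredWindowAttributes(h, out key, out alpha, out flags)) return true;
        if ((flags & LWA_ALPHA) == 0 || alpha != 0) return true;
        uint pid; GetWindowThreadProcessId(h, out pid);
        var sb = new StringBuilder(256); GetWindowText(h, sb, sb.Capacity);
        found.Add(new HiddenWindow { Handle = h, Pid = pid, Title = sb.ToString(),
                                     ToolWindow = (ex & WS_EX_TOOLWINDOW) != 0 });
        return true;   // keep enumerating
      }, IntPtr.Zero);
      return found;
    }
  }
}
"@
}

function Find-ForeignNssLoaders {
    # Assumption (the article does not name the libraries): Firefox's stored logins are
    # decrypted through nss3.dll, so a non-Firefox process with it mapped deserves a look.
    Get-Process | Where-Object { $_.ProcessName -ne 'firefox' } | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }   # protected or bitness-mismatched process
        if ($mods | Where-Object { $_.ModuleName -eq 'nss3.dll' }) {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path }
        }
    }
}

# Constructed stand-in for the Trojan's window: a plain WinForms form with Opacity = 0.
Add-Type -AssemblyName System.Windows.Forms
$demo = New-Object System.Windows.Forms.Form
$demo.Text = 'demo-invisible'; $demo.Opacity = 0; $demo.Show()

[Hunt.Windows]::FindFullyTransparent() | ForEach-Object {
    $owner = (Get-Process -Id $_.Pid -ErrorAction SilentlyContinue).ProcessName
    # Approximation of the Alt+Tab rule: visible top-level window that is not a tool window.
    [pscustomobject]@{ Pid = $_.Pid; Process = $owner; Title = $_.Title; LikelyInAltTab = -not $_.ToolWindow }
} | Format-Table -AutoSize
$demo.Close()

Find-ForeignNssLoaders | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell session whose bitness matches the processes you care about, otherwise `Process.Modules` is refused for many of them and those processes are silently skipped. Expect a few legitimate hits in the window list (some shell and overlay helpers keep fully transparent windows around), so treat a `LikelyInAltTab` hit owned by an unfamiliar process under a user profile as the thing to look at, not a verdict on its own.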
No "food poisoning" for BitDefender users in this case, as they already have the Backdoor.MSIL.Bot.A antidote. As always, installing and keeping up to date a complete antimalware solution is just what the doctor would order.
This article is based on the technical information provided courtesy of Andrei Lutas, BitDefender Virus Researcher.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.