The Federal Criminal Police Office (Bundeskriminalamt; BKA) has made a successful strike against cyber criminals by halting the distribution of Dropperbot. The main task of the malware, which, according to initial reports, has infected 11,000 computers across the world, was to steal data from infected computers – until it was discovered. Around half of the infections have been detected in Germany. Now that the perpetrators have been arrested, it is a matter of cleaning up the PCs. G DATA is providing all computer users with a free tool to detect and remove Dropperbot that works independently of the installed AV software.
The malware was hidden in and distributed via apparently innocuous files on Usenet. Despite their disguise, these were in fact executable files that installed the malware on the PC once a user clicked to open them. Users who had not enabled the display of file extensions would not have seen the ".exe" ending and so would have been fooled by the icons chosen by the perpetrators.
Even though there were a number of apparently genuine files in circulation, the same malware was concealed behind all of them – a downloader. Its main function can be specified as "download & execute".
First the malware tries to embed itself permanently on the PC and become a fixture that is reactivated following every restart of the computer. To do so, it sets up various autostart entries in the registry that depend on whether it is being run with or without administrator rights.
The main function of the downloader is then put to use – establish a connection to a predefined server and download additional (malware) files from there. The G DATA protection technologies detect this malware. The signature name is Win32.Trojan.DropperBot.A.
The experts at G DATA SecurityLabs are currently aware of two different malware files that the downloader is able to download onto infected PCs. Both files can be called stealers, their main task being to intercept and smuggle out data from the infected devices.
Of particular technical interest is the fact that both files are .NET applications in disguise. They encrypt and execute other, non-.NET components in memory without storing files on the hard drive, using CMemoryExecute.dll to do so. This technique makes it harder for signature-based detection to identify the malicious files. The G DATA protection technologies identify both of these malware files as Win32.Trojan-Stealer.DropperBot.B.
This malicious file is heavily reminiscent of a stealer offered in the underground, numerous versions of which have already been used for stealing data. A variant of the stealer that comes with a very wide range of functions can be purchased for around US$ 35. Things it can do include:
The stolen data is then forwarded to a predefined address. When doing so, passwords and other text-based data are stored and sent as unencrypted .txt files.
This stealer bears some similarities to the first – for example, it shares the same encryption structure and the same module name. Its capabilities are not as extensive as those of the first stealer; however, the main functions of this malware are:
The G DATA Dropperbot Cleaner detects and removes the malware. It does so by identifying autostart entries in the registry as well as the Dropperbot itself. The system is then cleaned up. Please note that this tool only cleans up an existing Dropperbot infection. However, as it is possible that copies of this malware plus additional malicious software are located on the system, you are strongly recommended to run a full examination of the computer using a comprehensive antivirus program.
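The two defensive checks described above – autostart entries in the registry that differ depending on whether the dropper ran with or without administrator rights, and executables disguised behind a hidden ".exe" extension – can be reviewed by hand with a script like the following. This is an added example and not the G DATA Dropperbot Cleaner; it assumes the standard Run/RunOnce keys and a constructed double-extension pattern, and does not know the specific value names Dropperbot writes.

```powershell
# Added example (not G DATA's cleaner): list Run/RunOnce autostart entries from
# the per-user hive (writable without admin rights) and the machine hive
# (requires admin rights), and flag commands whose executable hides behind a
# second extension such as "video.avi.exe", the disguise described above.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a command line: a quoted path or the first token.
function Get-CommandExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

# "name.avi.exe": an inner 2-4 character extension followed by an executable one
# (assumed pattern for illustration, not taken from the Dropperbot samples).
function Test-DoubleExtension {
    param([string]$Path)
    return $Path -match '\.[A-Za-z0-9]{2,4}\.(exe|scr|com|pif|bat|cmd)$'
}

# Explorer setting that hides known extensions (1 = hidden); this is what
# let the fake Usenet files pass for media files or documents.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty $advanced -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -eq 1) { Write-Warning 'Explorer hides known file extensions (HideFileExt=1).' }

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $scope = if ($key -like 'HKLM:*') { 'machine (needs admin)' } else { 'user (no admin)' }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $exe = [Environment]::ExpandEnvironmentVariables(
                   (Get-CommandExecutable -Command ([string]$p.Value)))
        $flag = ''
        if (Test-DoubleExtension $exe) { $flag += ' [double extension]' }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flag += ' [target missing]' }
        '{0,-22} {1,-20} {2}{3}' -f $scope, $p.Name, $exe, $flag
    }
}
```

Run it once as the affected user and once from an elevated prompt so that both the per-user and the machine-wide entries are covered; flagged entries are candidates for closer inspection, not proof of infection.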