BKA strikes a blow against botnet operators

01/09/2015
G DATA Blog

The Federal Criminal Police Office (Bundeskriminalamt; BKA) has made a successful strike against cyber criminals by halting the distribution of Dropperbot. The main task of the malware, which, according to initial reports, has infected 11,000 computers across the world, was to steal data from infected computers – until it was discovered. Around half of the infections have been detected in Germany. Now that the perpetrators have been arrested, it is a matter of cleaning up the PCs. G DATA is providing all computer users with a free tool to detect and remove Dropperbot that works independently of the installed AV software.

How Dropperbot gets onto the PC

The malware was hidden in apparently innocuous files distributed via Usenet. Although disguised as ordinary content, these were in fact executable files that installed the malware on the PC as soon as the user opened them. Users who have not enabled the display of file extensions would not have seen the ".exe" ending and could easily have been fooled by the icons the perpetrators chose.

The initial malware – a downloader

Even though there were a number of apparently genuine files in circulation, the same malware was concealed behind all of them – a downloader. Its main function can be specified as "download & execute".

First the malware tries to embed itself permanently on the PC and become a fixture that is reactivated following every restart of the computer. To do so, it sets up various autostart entries in the registry that depend on whether it is being run with or without administrator rights.

The downloader then performs its main task: it establishes a connection to a predefined server and downloads additional (malware) files from there. The G DATA protection technologies detect this malware; the signature name is Win32.Trojan.DropperBot.A.

The downloaded software – two stealers

The experts at G DATA SecurityLabs are currently aware of two different malware files that the downloader is able to download onto infected PCs. Both files can be called stealers, their main task being to intercept and smuggle out data from the infected devices.

Of particular technical interest is the fact that both files are disguised .NET programs. They encrypt other, non-.NET components and execute them in memory without storing any files on the hard drive, using CMemoryExecute.dll to do so. This technique makes it difficult for virus signatures to detect the malicious files. The G DATA protection technologies identify both of these malware files as Win32.Trojan-Stealer.DropperBot.B.

Stealer number 1

This malicious file strongly resembles a stealer offered in the underground, numerous versions of which have already been used for stealing data. A variant of the stealer with a very wide range of functions can be purchased for around US$ 35. Things it can do include:

  • monitoring social media platforms such as Facebook, Google+ and Twitter
  • using prefabricated modules to read passwords for popular email clients and browsers
  • stealing eWallets such as Bitcoins
  • generating screenshots of the infected computer
  • searching the PC for installed AV products
  • reading data from the clipboard
  • using keylogger functions to intercept all keyboard input
  • preventing various functions and commands on the infected PC, such as:
    • visiting websites encrypted with SSL
    • visiting certain websites containing security data
    • calling up Windows Task Manager and the command line.

The stolen data is then forwarded to a predefined address. When doing so, passwords and other text-based data are stored and sent as unencrypted .txt files.

Stealer number 2

This stealer bears some similarities to the first – for example, it shares the same encryption structure and the same module name. Its capabilities are not as extensive as those of the first stealer; its main functions are:

  • to read names and passwords from the profile.ini files of Firefox, Thunderbird and Seamonkey
  • to steal access data for email accounts (POP3, IMAP, SMTP) and HTTP user data
  • to provide backdoor functionality for the attackers
  • to change the PC's hosts file and prevent the user from visiting specified websites (e.g. security-related or AV manufacturer sites)
  • to connect to predefined IPs (e.g. to download more code).
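A defender's check for the hosts-file tampering described above, as an added example that is not code from G DATA or from the cleaner tool: it parses a constructed hosts file and flags entries that override watched security-vendor domains (assumed names under .test) or sink any other non-local name into the loopback or unspecified address.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not from a real infection): the
# last three lines sink security-related sites so the browser can no longer reach them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av-vendor.test      # added by malware
0.0.0.0         update.example-av-vendor.test
127.0.0.1       securityportal.test
"""

# Names that legitimately map to loopback; any other name pointed there is suspect.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Assumption for the example: the defender keeps a watch list of security-vendor domains.
WATCHED_SUFFIXES = ("example-av-vendor.test", "securityportal.test")

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def find_tampering(text):
    """Flag entries overriding a watched domain or sinking a non-local name into 127.0.0.1/0.0.0.0/::1."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        sinkholed = (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOCAL
        if watched:
            findings.append((ip, name, "watched security domain overridden"))
        elif sinkholed:
            findings.append((ip, name, "non-local name mapped to loopback/unspecified"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in find_tampering(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<32} {reason}")
```

On a live Windows system the same function can be pointed at the contents of %SystemRoot%\System32\drivers\etc\hosts.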

The G DATA Dropperbot Cleaner Tool

The G DATA Dropperbot Cleaner detects and removes the malware. It does so by identifying the autostart entries in the registry as well as the Dropperbot itself, and then cleans up the system. Please note that this tool only cleans up an existing Dropperbot infection. As it is possible that copies of this malware plus additional malicious software are located on the system, we strongly recommend running a full examination of the computer using a comprehensive antivirus program.
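An added example (not the G DATA cleaner's own code) of the kind of autostart audit a defender can run against the registry persistence described in the downloader section and targeted by the cleaner: it enumerates the Run/RunOnce keys of both HKCU and HKLM on Windows and flags entries that launch from user-writable directories, an assumed heuristic that still needs an allow list for legitimate per-user software; the sample entries are constructed.

```python
import os
import sys

# Run/RunOnce keys in both hives: writing HKLM needs administrator rights,
# HKCU does not, so an audit has to cover both.
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
# Assumption for the example: an image launched from a user-writable directory deserves review.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def image_path(command):
    """Executable path from a Run value, quoted or unquoted, with or without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def suspicious_autoruns(entries):
    """entries: (hive, key, value_name, command); returns those launching from user-writable paths."""
    hits = []
    for hive, key, name, command in entries:
        path = image_path(os.path.expandvars(command)).lower()
        if any(marker in path for marker in USER_WRITABLE):
            hits.append((hive, key, name, path))
    return hits

def collect_autoruns():
    """Read the Run keys on a live Windows system; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(k, i)
                    found.append((hive, key, name, str(data)))
        except OSError:
            pass  # key absent or not readable from this account
    return found

# Constructed sample (not from a real system): one system entry, one launched from %APPDATA%.
SAMPLE = [
    ("HKLM", RUN_KEYS[2][1], "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", RUN_KEYS[0][1], "Updater", r'"C:\Users\alice\AppData\Roaming\updater.exe" /silent'),
]
```

Run `suspicious_autoruns(collect_autoruns() or SAMPLE)` to audit the live machine, falling back to the constructed sample elsewhere.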
---

Official press release by BKA (German): www.bka.de
Download: G DATA Dropperbot Cleaner Tool