Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
This month we add another bot to the MSRT family list – Win32/Cycbot. Cycbot was discovered in August 2010 and has quickly become prevalent.
It seems that Cycbot’s creators called it “Gbot”, as it used this name as an identifier in the reports it would send back to its controllers. Recent variants of the malware have stopped using this identifier, possibly in an attempt to make detection more difficult, but the functionality hasn’t changed much. All of Cycbot’s communications are done using HTTP, including the retrieval of backdoor commands. As a backdoor, it’s functionality is limited to capabilities like updating itself and downloading and running other malware; we’ve seen it download Rogue:Win32/FakePAV in the past. Its main purpose, however, is more subtle.
Cycbot sets itself up as an HTTP proxy for any machine it affects. It does this by listening on a TCP port such as 54141 (this number varies), and then changing the browser’s proxy settings to point to this port on the local host. It can do this for Internet Explorer, Firefox and Opera.
By acting as proxy, Cycbot can intercept all HTTP traffic to and from the browser, which enables it to direct your browser wherever it wants. For example, it will take a search term you enter into your search engine and pass it to what is effectively an imitation search site - a site that directs you to anywhere that will pay them money for the referral. At best, this will lead to an advertisement that is unrelated to what you were searching for; however, often it leads to more malware. Right now, several of the “search” results that Cycbot loads attempt to install malware, including one page that looks quite familiar.
Spending as much time as I do looking at rogues, I am all too familiar with this kind of sham. This one is currently pushing Rogue:Win32/Winwebsec.
Cycbot is a type of “intermediate” malware – a means to an end, in many ways reminiscent of Win32/Renos. Controlling the browser can provide its creators with diverse ways of exploiting an affected user, while causing the user various kinds of pain.
-- Hamish O'Dea