This month the Malicious Software Removal Tool (MSRT) includes a new malware family - MSIL/Bladabindi. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publically available for download.

Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook message and hacked websites. Once installed, malware in this family can be used to take control of a PC and steal sensitive information. We added Bladabindi to the MSRT due to its prevalence throughout 2013.

DESCRIPTION

Figure 1: Telemetry data showing the prevalence of Bladabindi

Bladabindi variants can be created by using the Remote Access Tool (RAT) known as "NJ Rat". We detect this RAT as VirTool:MSIL/Bladabindi.A. Bladabindi can also be downloaded by recent variants of Jenxcus family, which likely has the same author as Bladabindi.

Recently its author released a dedicated downloader to download Bladabindi and run it directly from memory - we detect this as TrojanDownloader:MSIL/Bladabindi.A.

Bladabindi variants are usually installed with an enticing name and icon to trick people into running it. The following are some sample file names:

  • فيس بوك.exe – (Facebook.exe)
  • فيديو قتلى المجموعات الإرهابية.exe – (Video killed the terrorist groups.exe)
  • ! My Picutre.SCR
  • Windows_7_Activators.exe
  • hot.exe
  • StartupFaster.exe

Below are some sample icons:

DESCRIPTION

Figure 2: Some file icons used by Bladabindi

Bladabindi is written in VB.NET, and usually obfuscated with various .NET obfuscators to avoid detection. It uses undocumented APIs to make itself a critical process, which will cause a system crash if it is terminated. This can make it difficult to remove from your PC when the malware is running. MSIL/Bladabindi also has backdoor functionality, including:
  • Using your camera to take picture
  • Running files
  • Registry manipulation
  • Remote shells
  • Key logging
  • Screen captures
  • Loading plugins dynamically
  • Updating
  • Uninstalling
  • Restarting

From information we collected, it seems Bladabindi's author tries to show their ability to develop malware, to help their chances of being hired on to other projects. They even use the following picture (showing infected machines) as the header photo of their Twitter page.

DESCRIPTION

Figure 3: Bladabindi author's Twitter page

Though there is no direct evidence connecting the author, distributor, and online account owner associated with the malware, the same user name is consistently used across multiple forums and social media. Do you remember the infamous Win32/Hupigon worm? - Another case where a malware author wrote a backdoor, but claims they didn't distribute it.

As usual, the best protection from Bladabindi, and other malware or potentially unwanted software is to have up-to-date security software installed and being aware of the risks of social engineering.

Zhitao Zhou, Steven Zhou, and Francis Allan Tan Seng
MMPC