Win32/Georbot – Information Stealing Trojan and Botnet Operating in Georgia
Created: 2012-03-21 00:00:00
Win32/Georbot – Information Stealing Trojan and Botnet Operating in Georgia
BRATISLAVA – Earlier this year researchers at ESET, the leader in proactive protection against cyber-threats, discovered a botnet that has some very interesting communication features. Amongst other activities, it tries to steal documents and certificates, is capable of creating audio and video recordings and browses the local network for information. Interestingly, it uses a Georgian governmental website to update its command and control information and ESET researchers therefore believe that Win32/Georbot is targeting computer users in Georgia. Yet another unusual characteristic of this malicious program is that it looks for “Remote Desktop Configuration Files” and thereby enables attackers stealing these files to To upload them to remote machines machines without exploiting any vulnerability. What is more worrying is that the development of this malware is ongoing; ESET has found fresh variants in the wild as recently as March 20th.
Win32/Georbot features an update mechanism to enable it to morph into new versions of the bot, in an attempt to remain undetected by anti-malware scanners. The bot also has a fall-back mechanism in case it can’t reach the C&C (Command-and-Control) server: in that event it will then connect to a special webpage that was placed on a system hosted by the Georgian government. “This does not automatically mean that the Georgian government is involved. Quite often people are not aware their systems are compromised,” says Pierre-Marc Bureau, ESET Security Intelligence Program Manager. “It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, in parallel to their own – still ongoing – monitoring, have worked together with ESET on this matter,” he added. Of all the infected hosts, 70% were located in Georgia followed by far lower volumes in the United States, Germany and Russia. ESET’s researchers were also able to get access to the bot’s control panel, yielding clear details about the number of affected machines, their location, and commands that might be sent to them. The most interesting information found on the control panel was a list with all the keywords that were targeted in documents on infected systems. Among the English-language words were “ministry, service, secret, agent, USA, Russia, FBI, CIA, weapon, FSB, KGB, phone, number” among several others. |
“The functionality allowing the recording of video via the webcam, the taking of screenshots, and the launch of DDoS attacks was seen to be used a couple of times,” says Bureau. The fact that the botnet uses a Georgian website to update its C&C information, and that it probably used the same website to spread, suggests that people in Georgia might be a primary target. On the other hand, the level of sophistication for this threat is low. ESET researchers think that if this operation were state-sponsored, it would be more professional and stealthy. The most likely hypothesis is that Win32/Georbot was created by a group of cyber criminals trying to find sensitive information in order to sell it to other organizations.
“Cybercrime is getting more professional and more targeted with larger players entering the field as well. Win32/Stuxnet and Win32/Duqu are examples of high tech cybercrime and served a specific purpose, but even Win32/Georbot, while less sophisticated, still has unique (new) features and methods to get to the core of what its creators are after. In the case of Win32/Georbot the aim is to gather access to systems and lots of specific information: hence the search for Remote Desktop configuration files,” concludes Senior Research Fellow at ESET Righard Zwienenberg.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Version 2 Singapore Pte Ltd is the local office of Version 2 Limited.
For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.