Microsoft Unveils Backdoor Trojan Bafruz

Microsoft has lately uncovered Trojan Bafruz one with backdoor characteristics and featuring a capacity to perform many malevolent activities on any infected PC, published scmagazine.com.au dated August 16, 2012.

Describing the malevolent activities, MMPC (Microsoft malware Protection Center) says that Bafruz can delete security programs like anti-viruses, record communications on social-networking websites such as Vkontakte and Facebook, load Bitcoin harvesting programs, as also carry out DOS (denial of service) assaults. Additionally, it can exchange messages with P2P shared computers so fresh malicious elements can be pulled down onto the host PCs.

Further, while beginning the attack, the Bafruz payload apparently stops numerous security processes the malware's code contains as listed. Thereafter, it exhibits one false system alert, which's similar to any ordinary fake anti-virus scam. But there's a distinction, says Microsoft, i.e. the said alert doesn't direct the user to pay for eliminating the supposed malware. It merely seeks to get the contaminated end-user to restart his computer. Thus, when the end-user abides by the alert followed with hitting on the 'remove' button, he has his system restarted within safe mode that then facilitates Bafruz in eliminating any possible AV solution.

Contrarily, when the infected end-user doesn't hit on 'remove,' but initiates one restart, in such a situation the Bafruz Trojan ultimately force restarts.

As a result, the malware gets an opportunity for eliminating the loaded AV part-by-part from the computer and deactivating it wholly. Thus actually, all the anti-virus along with other security processes named within Bafruz' list enables the backdoor for determining what software is installed, on the contaminated PC, of whose elements it must eliminate, along with showing a bogus security warning supposedly from MSE (Microsoft Security Essentials).

Also according to Microsoft, suppose it ran another security item during its investigation, as well as it was part of the Bafruz's Win32/Bafruz group of targets for attack then the warning will have that item's name rather than mention of MSE. Naturally, the end-user will then believe his security item is doing fine since it's currently within "Enhanced Protection Mode" whilst the Bafruz quietly pulls down more malware on the affected system.

Related article: Microsoft Counters Cybersquatters

» SPAMfighter News - 8/23/2012