Users can now remove the Trojan with the aid of the Malicious Software Removal Tool

Aug 16, 2012 11:05 GMT

Security researchers from the Microsoft Malware Protection Center are warning internauts to be on the lookout for a threat known as Bafruz (Win32/Bafruz).

The multi-component backdoor can perform numerous types of malicious tasks, including Facebook and Vkontakte account hijacking, and Bitcoin mining.

The malicious element is also capable of downloading other malware and disabling antivirus solutions, and it can even be utilized in distributed denial-of-service (DDoS) attacks. To download additional components, the Trojan creates a peer-to-peer network of infected computers.

One of the most interesting aspects of Bafruz is the way in which it disables security solutions.

When it lands on a computer, it starts terminating security processes and presents the victim with a pop-up window that informs them of a virus infection (see screenshot). When the user chooses to remove the threat – an operation which allegedly requires the computer to be restarted – the fun begins.

The device actually restarts in Safe Mode. Here, the malware can disable all the security products more easily, allowing it to perform its other tasks without being interrupted.

While fake alerts that warn of viruses are not uncommon, Bafruz’s developers have implemented a clever trick. It detects the brand of the antivirus software that’s installed on the target machine and ensures that the false warning replicates the legitimate security application.

This way, the victim is duped into believing that there’s nothing wrong with his/her antivirus.

Microsoft has added Bafruz to the list of threats removed by the Malicious Software Removal Tool (MSRT), so be sure to install the application if you suspect that your computer might be affected by malware from this or the Matsnu family.

The latest version of MSRT is available here.