The malicious element also looks for documents that contain keywords such as KGB and CIA

Mar 23, 2012 09:28 GMT  ·  By

ESET researchers identified a cleverly designed botnet that targets sensitive information from Georgian users. The Trojan that powers it can not only steal documents and digital certificates, but it can also create audio and video recordings and scan the local network in search of valuable data.

Experts determined that this particular malware, dubbed Win32/Georbot, looks for Remote Desktop Configuration files, which can allow its masters to connect to remote machines even without using the now-famous Remote Desktop Protocol (RDP) vulnerability that affects Windows operating systems.

An interesting feature is Georbot’s capability to automatically update itself to ensure that antivirus solutions have a hard time detecting it. Furthermore, it also comes with a backup mechanism in case it can’t reach its command and control (C&C) server.

This mechanism directs the Trojan to connect to a special webpage hosted on a Georgian government server if it can’t access its regular C&C. Of course, this doesn’t necessarily mean that the state is behind the whole thing; instead, it highlights the fact that governments fail to locate and fix compromised websites.

The researchers also discovered the botnet’s control panel which allowed them to establish the exact number of infected machines. The figures showed that 70% of the infections were in Georgia, 5% in the United States and close to 4% in Germany.

The control panel also revealed a list of keywords that the Trojan looks for on an infected system. It turns out that the Trojan searches for documents that contain words such as KGB, FSB and CIA. “Win32/Georbot uses various obfuscation techniques to make static analysis more difficult, but for experienced malware analysts that is not much of a problem to overcome, and Win32/Georbot was well worth the time it took to undertake a detailed analysis,” ESET Senior Research Fellow Righard Zwienenberg wrote.
