Feb 10, 2011 09:56 GMT

The latest release of the Windows Malicious Software Removal Tool targets a bot designed to hijack HTTP traffic for several browsers, one that also carries additional malicious capabilities. Dubbed Win32/Cycbot by Microsoft, the malware was apparently christened Gbot by its creators, but that identifier no longer appears in the reports the malicious code sends to its controllers, most probably to make it harder to detect.

Microsoft classifies Cycbot as a backdoor Trojan, but the software giant notes that while it is indeed capable of retrieving backdoor commands, that functionality is actually limited.

Cycbot can update itself, as well as download and install additional malicious code, including the fake antivirus Rogue:Win32/FakePAV. Still, it appears that Cycbot’s real purpose is something else entirely.

“Cycbot sets itself up as an HTTP proxy for any machine it affects. It does this by listening on a TCP port such as 54141 (this number varies), and then changing the browser’s proxy settings to point to this port on the local host. It can do this for Internet Explorer, Firefox and Opera,” revealed Microsoft’s Hamish O'Dea.

“By acting as proxy, Cycbot can intercept all HTTP traffic to and from the browser, which enables it to direct your browser wherever it wants.

“For example, it will take a search term you enter into your search engine and pass it to what is effectively an imitation search site - a site that directs you to anywhere that will pay them money for the referral.”
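The loopback-proxy technique described above is something an analyst can check for directly on a suspected host. The example below is added here and is not Microsoft's or the article's code: it parses the Internet Explorer ProxyServer registry value and Firefox prefs.js entries (constructed samples embedded inline), flags any browser proxy that points at the local host on an unsanctioned port, and pairs it with whatever process is listening there. The sanctioned-port set, the listener table and the process name are assumptions.

```python
import re

# Assumption: ports of locally sanctioned proxies; anything else on loopback is suspect.
# Cycbot's port varies (54141 is the example Microsoft cites), so match the pattern, not a number.
KNOWN_LOCAL_PROXY_PORTS = {8080, 3128, 8888}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample of HKCU\...\Internet Settings\ProxyServer as Cycbot would leave it
IE_PROXY_SERVER = "http=127.0.0.1:54141;https=127.0.0.1:54141"

# Constructed sample of Firefox prefs.js lines (type 1 = manual proxy configuration)
FIREFOX_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 54141);
user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 54141);
'''

# Constructed sample of TCP listeners as (port, pid, image); image name is a placeholder
LISTENERS = [(135, 852, "svchost.exe"), (54141, 3120, "unknown_process.exe")]

def ie_proxies(value):
    """Parse the IE ProxyServer string into {scheme: (host, port)}; 'all' if no scheme given."""
    out = {}
    for entry in value.split(";"):
        scheme, _, hostport = entry.partition("=")
        if not hostport:
            scheme, hostport = "all", scheme
        host, _, port = hostport.rpartition(":")
        out[scheme] = (host, int(port))
    return out

def firefox_proxies(prefs):
    """Return manual proxy settings from prefs.js text as {scheme: (host, port)}."""
    kv = dict(re.findall(r'user_pref\("([^"]+)",\s*"?([^")]+?)"?\);', prefs))
    if kv.get("network.proxy.type") != "1":
        return {}  # not in manual mode, so these hosts/ports are inactive
    out = {}
    for scheme in ("http", "ssl", "ftp", "socks"):
        host, port = kv.get(f"network.proxy.{scheme}"), kv.get(f"network.proxy.{scheme}_port")
        if host and port:
            out[scheme] = (host, int(port))
    return out

def suspicious_local_proxies(proxies, listeners):
    """Flag loopback proxies on unsanctioned ports, attaching the listening (pid, image) if any."""
    by_port = {port: (pid, image) for port, pid, image in listeners}
    return [(scheme, port, by_port.get(port)) for scheme, (host, port) in proxies.items()
            if host in LOOPBACK and port not in KNOWN_LOCAL_PROXY_PORTS]
```

On a live host the same checks would read the registry value and the profile's prefs.js and take the listener table from netstat -ano, then escalate any hit whose listening process is not a known proxy.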

The Redmond company warns customers that, in the best-case scenario, victims whose computers are infected with Cycbot are merely pointed to pages where they are served advertisements.

At the same time, the bot can attempt to load more malware onto the PCs it has already infected, preferring, it appears, to spread rogue AV such as Rogue:Win32/Winwebsec, in an obvious move to make money for its controllers.

The Malicious Software Removal Tool (MSRT) is available for download here.