Ancient Bayrob Backdoor Trojan Resurfaces After Nine Years with Updated Versions


steven36


After lying dormant for around nine years, new versions of the Bayrob trojan have surfaced, and security researchers say its operators have kept up with the times and updated their malicious code with new features.


Security experts first stumbled upon Bayrob in the spring of 2007, and saw the last big campaign employing this trojan in the fall of the same year.

Ever since then, the trojan never resurfaced in infections with enough numbers to trigger alerts with any security company, or at least not until last winter, and then two weeks ago, when new versions of this ancient threat started reappearing on some companies' radars.

Bayrob resurfaces with a new look

Initial descriptions categorized this malware as a trojan horse that sets up a proxy server in order to steal sensitive information from compromised computers.

These recent versions didn't change that much, but only added small tweaks here and there, mainly to make reverse engineering harder and to avoid detection on infected targets.

The new versions of Bayrob now clone themselves in order to launch multiple processes, each tasked with its own malicious routine.

Since the trojan is packed inside other files, to avoid situations where the user double-clicks a file and nothing happens, Bayrob now shows an error message telling the user the file doesn't work with his version of Windows, and he needs to upgrade. Of course, this is a static message and will show regardless of platform.

Bayrob now uses encryption and custom C&C protocols

When stealing and exfiltrating information from your computer, Bayrob now also encrypts the data, which prevents nosy security experts and security products from detecting its actions.

C&C server communications are also different now, and Bayrob uses a custom protocol over TCP/IP to talk to its server, also encrypted.

Additionally, the Bayrob trojan also features strong code obfuscation and a lot of dead code, mainly, as mentioned above, to avoid detection and deter researchers from taking a closer look. Of course, the opposite happens, mainly because there's nothing more that draws the attention of an infosec researcher than obfuscated code.

The Source

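As an added illustration from the defender's side (this is not code from the article or from the post author), the Python sketch below flags a parent process that spawns several copies of its own executable within a short window, the self-cloning behaviour the article describes. The event shape, field names, paths and timestamps are constructed to look like Sysmon-style process-creation records; the allowlist stands in for whatever legitimately multi-process applications (browsers, for example) are normal in your environment, since those would otherwise trigger the same rule.

```python
"""Flag a parent that launches several copies of its own image in a short window.

Constructed example for illustration; event fields, paths and timestamps are
assumed, not taken from real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon-like shape, field names assumed).
SAMPLE_EVENTS = [
    # A dropped executable relaunching itself three times within a few seconds.
    {"ts": "2016-01-14T10:00:00", "pid": 4100, "ppid": 700,
     "image": r"C:\Users\alice\Downloads\setup.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2016-01-14T10:00:02", "pid": 4101, "ppid": 4100,
     "image": r"C:\Users\alice\Downloads\setup.exe", "parent_image": r"C:\Users\alice\Downloads\setup.exe"},
    {"ts": "2016-01-14T10:00:02", "pid": 4102, "ppid": 4100,
     "image": r"C:\Users\alice\Downloads\SETUP.EXE", "parent_image": r"C:\Users\alice\Downloads\setup.exe"},
    {"ts": "2016-01-14T10:00:03", "pid": 4103, "ppid": 4100,
     "image": r"C:\Users\alice\Downloads\setup.exe", "parent_image": r"C:\Users\alice\Downloads\setup.exe"},
    # A browser spawning renderer copies of itself: normal, so it belongs on the allowlist.
    {"ts": "2016-01-14T10:05:00", "pid": 5001, "ppid": 5000,
     "image": r"C:\Program Files\Browser\browser.exe", "parent_image": r"C:\Program Files\Browser\browser.exe"},
    {"ts": "2016-01-14T10:05:01", "pid": 5002, "ppid": 5000,
     "image": r"C:\Program Files\Browser\browser.exe", "parent_image": r"C:\Program Files\Browser\browser.exe"},
    {"ts": "2016-01-14T10:05:01", "pid": 5003, "ppid": 5000,
     "image": r"C:\Program Files\Browser\browser.exe", "parent_image": r"C:\Program Files\Browser\browser.exe"},
    # Two clones an hour apart: below the threshold and outside the window.
    {"ts": "2016-01-14T11:00:00", "pid": 6001, "ppid": 6000,
     "image": r"C:\Tools\updater.exe", "parent_image": r"C:\Tools\updater.exe"},
    {"ts": "2016-01-14T12:00:00", "pid": 6002, "ppid": 6000,
     "image": r"C:\Tools\updater.exe", "parent_image": r"C:\Tools\updater.exe"},
]

# Hypothetical allowlist of image names that legitimately fork copies of themselves.
KNOWN_MULTIPROCESS = frozenset({"browser.exe"})


def find_self_cloning(events, window=timedelta(seconds=60), min_children=3,
                      allowlist=frozenset()):
    """Return one alert per (parent pid, image) that spawns >= min_children
    copies of its own executable within `window`."""
    by_parent = defaultdict(list)
    for e in events:
        child = PureWindowsPath(e["image"])
        parent = PureWindowsPath(e["parent_image"])
        # Windows paths are case-insensitive, so compare normalised strings.
        if str(child).lower() != str(parent).lower():
            continue
        if child.name.lower() in allowlist:
            continue
        by_parent[(e["ppid"], str(parent).lower())].append(datetime.fromisoformat(e["ts"]))

    alerts = []
    for (ppid, image), times in by_parent.items():
        times.sort()
        start = 0
        # Sliding window over the sorted launch times of the clones.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_children:
                alerts.append({"ppid": ppid, "image": image, "clones": end - start + 1,
                               "first": times[start].isoformat(), "last": times[end].isoformat()})
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in find_self_cloning(SAMPLE_EVENTS, allowlist=KNOWN_MULTIPROCESS):
        print(alert)
```

The threshold and window are deliberately parameters: on a real fleet the right values depend on how noisy process-creation telemetry is, and the allowlist must be built from what is observed to be normal rather than guessed.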
