Georbot information stealing Trojan uncovered

ESET revealed its analysis of Georbot, an information stealing Trojan and botnet spreading in the country of Georgia.

Earlier this year ESET’s global research team uncovered Win32/Georbot, a botnet that has some very interesting communication features. Amongst other activities, it tries to steal documents and certificates, is capable of creating audio and video recordings, and can browse a local network for information.

Interestingly, it uses a Georgian governmental website to update its command and control (C&C) information and thus ESET researchers believe that Georbot is targeting computer users in Georgia.

Another unusual characteristic of the malicious program is that it looks for “Remote Desktop Configuration Files” and thus enables attackers stealing these files to upload them to remote machines without exploiting any vulnerability.

What is more worrying is that the development of this malware is ongoing; ESET found fresh variants in the wild as recently as March 20, 2012.

Georbot features an update mechanism to morph into new versions of the bot as an attempt to remain undetected by anti-malware scanners. The bot also has a fallback mechanism in case it can’t reach the C&C server; in that case it will then connect to a special webpage that was placed on a system hosted by the Georgian government.

“This does not automatically mean that the Georgian government is involved. Quite often people are not aware their systems are compromised,” said Pierre-Marc Bureau, ESET security intelligence program manager. “It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own – still ongoing – monitoring, have cooperated with ESET on this matter. Of all the infected hosts, 70 percent were located in Georgia followed by the United States, Germany and Russia.”

ESET’s researchers were also able to get access to the bot’s control panel yielding clear details about the number of affected machines, their location and possible commands.

The most interesting information found on the control panel was a list with all the keywords that were targeted in documents on infected systems. Among the English-language words were: ministry, service, secret, agent, USA, Russia, FBI, CIA, weapon, FSB, KGB, phone and number.

“The functionality to record video via the webcam, take screenshots, and launch DDoS attacks was used a couple of times,” said Bureau. “The fact that it uses a Georgian website to update its C&C information, and that it probably used the same website to spread, suggests that people in Georgia might be a primary target.”

On the other hand, the level of sophistication for this threat is low. ESET researchers think that if this operation were sponsored by a state, it would be more professional and stealthy. The most likely hypothesis is that Win32/Georbot was created by a group of cyber criminals trying to find sensitive information in order to sell it to other organizations.

“Cybercrime is becoming more professional and targeted with the larger players entering the field. Win32/Stuxnet and Win32/Duqu are examples of high tech cybercrime and served a specific purpose, but also the less sophisticated Win32/Georbot still has new unique features and methods to get to the core of what the creators are after,” said Righard Zwienenberg, senior research fellow at ESET. “With Win32/Georbot there is lots of specific information and access to systems – hence the search for Remote Desktop Configuration Files.”