For this month's Microsoft Malicious Software Removal Tool (MSRT) release, we will include two families: Win32/Matsnu and Win32/Bafruz. Our focus for this blog will be Bafruz, a multi-component backdoor that creates a peer-to-peer (P2P) network of infected computers (used, for instance, for command and control), carries a nasty list of payloads, and uses an unusual method of disabling security and antivirus products.
Win32/Bafruz contains components that achieve a number of objectives for the attacker, such as hijacking Facebook and Vkontakte accounts, launching Distributed Denial of Service (DDoS) attacks, performing Bitcoin mining, downloading malware, and disabling security and antivirus products.
Let's delve a bit further into its payload of disabling security and antivirus products. When we first received this component, it appeared simply to terminate a long list of security processes hardcoded in its body. It also displayed alerts in the system tray similar to those displayed by your run-of-the-mill rogue application, as shown below:
But unlike your common rogue, there is no mention of any sort of payment required in order to remove this threat. All it asks for is a reboot of the computer.
So, what happens when one chooses to interact with this alert and "Remove" this so-called virus? This is where the true nature of this backdoor comes to light. Clicking on the "Remove" option causes the computer to reboot in safe mode (note: if the affected user does not click "Remove" and trigger a reboot, the backdoor will eventually force a reboot). Safe mode gives Bafruz the opportunity to remove components of the installed antivirus product from the system, thus disabling it completely. So in fact, the list of security and antivirus processes given in the Bafruz description is used by the backdoor to detect which product is installed, so that it can remove that product's components and display the following alert once the reboot is complete:
In our test environment, we had Microsoft Security Essentials (MSE) installed, which is why this alert is masquerading as a message from MSE. If we had been running another security product in our environment, and it was contained within Bafruz's list of targets (listed in the Win32/Bafruz family description), the alert would have contained the name of that product instead. So this may lead the user into believing all is well with their security product, as it is now running in "Enhanced protection mode", while in the meantime Bafruz is downloading additional components and malware onto the computer in the background through its P2P network.
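The behaviour described above leaves two things a defender can check for: a boot entry unexpectedly configured for safe mode, and a security product whose service or binary is no longer present. The PowerShell below is an added example written for this post, not code from the MMPC or from the Bafruz sample; the service names in `$SecurityServices` are assumptions (MSE and Windows Defender) and should be replaced with those of the product actually installed.

```powershell
# Added defender-side check (not from the original post). Run elevated so that
# bcdedit can read the boot configuration data store.

# Assumed service names for MSE / Windows Defender; adjust for your product.
$SecurityServices = @('MsMpSvc', 'WinDefend')

function Test-SafebootFlag {
    # bcdedit lists a "safeboot" element on an entry that will start in safe
    # mode at the next restart. A flag that no administrator set is suspicious.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if (-not $bcd) { return $null }   # not elevated, or bcdedit unavailable
    return [bool]($bcd | Where-Object { $_ -match '^\s*safeboot\s+' })
}

function Get-SecurityServiceState {
    # Report each expected service and whether its executable still exists,
    # since Bafruz removes product components rather than just stopping them.
    foreach ($name in $SecurityServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { "$name : service missing"; continue }
        $path = (Get-CimInstance Win32_Service -Filter "Name='$name'").PathName
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split ' ')[0] }
        $state = if (Test-Path -LiteralPath $exe) { $svc.Status } else { 'binary missing' }
        "$name : $state ($exe)"
    }
}

$flag = Test-SafebootFlag
switch ($flag) {
    $null { 'safeboot: could not read BCD (run as administrator)' }
    $true { 'safeboot: SET on the current boot entry - investigate' }
    default { 'safeboot: not set' }
}
Get-SecurityServiceState
```

A result of "service missing" or "binary missing" for the installed product, especially together with a set safeboot flag, matches the post-reboot state this post describes and warrants a scan from known-clean media rather than trusting the product's own alerts.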