A rather strong wave of old malware is resurfacing on the Web. In this article we will analyze the Bayrob Trojan (Win32/Bayrob, Trojan.Bayrob!gen8, Trojan.Bayrob), which had not been active for at least 9 years. The threat has been updated and set loose again. Bayrob’s malicious code is now more precise and is up-to-date with recent malware.
| Field | Details |
|---|---|
| Type | Trojan, Infostealer, Backdoor |
| Short Description | The Trojan had not been active for over 9 years, but was recently caught active by security researchers. |
| Symptoms | An error message is displayed: “This application is not compatible with the recent version of Windows you’re running…”. |
| Distribution Method | Spam email attachments. |
A Look into Bayrob’s Latest Infections
Bayrob December 2015
Bayrob had not been active since 2007, at least not in aggressive and widespread campaigns. However, the threat re-emerged last winter, in December, when it was spotted again by security researchers. Bayrob was spreading via malicious email attachments that impersonated Amazon.
Bayrob is classified as an infostealer and backdoor type of Trojan. During December’s attacks, the Trojan was set to steal the following details from a victim’s machine and send them to a command and control server:
- OS version
- Computer Name
- PC’s IP Address
- Information about the OS and system settings
- MAC address
- List of running services
Bayrob was spotted active again about 2 weeks ago. Apparently, the Trojan has new versions and its code has been modified to evade reverse engineering and detection.
Bayrob Version 2016
What hasn’t been changed in Bayrob’s code? In both its past and current attacks, the Trojan is designed to set up a proxy server to steal sensitive information from victim machines. What’s new in Bayrob is its improved capability to avoid detection and clone itself to launch multiple processes. Each of the processes (services) has its own malicious task to handle.
Fortinet researchers have discovered that Bayrob’s original sample:
drops one copy of itself, runs the first copy, and exits. The name of the first copy is a fixed prefix (“ulms” in the sample we analyzed), appended with a randomly generated string. The original process also displays a fake error message to hide its actual malicious behavior. The picture below shows how it achieves this and the actual message. The first copy then drops another copy of itself. It also creates and starts a service, as shown below. The service runs major tasks such as C&C communication.
Bayrob is also capable of differentiating its running stage in the multiple processes/services by file names. The Trojan also drops identifiers to recognize its lifecycle stage.
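As an added example, not taken from the original article or from Fortinet’s analysis, the following Python hunt flags the dropped-copy naming pattern described above (a fixed prefix, “ulms” in Fortinet’s sample, followed by a random string) in endpoint telemetry, and separately calls out a service installed for such a file. The prefix, the event field names and the sample paths are assumptions; the events are constructed, not real telemetry.

```python
import math
import re
from collections import Counter

# Prefix seen in Fortinet's sample; other builds may use a different one (assumption).
DROPPED_PREFIX = "ulms"
MIN_SUFFIX_LEN = 6
MIN_SUFFIX_ENTROPY = 2.5  # bits per character; tune against your own baseline

# Constructed sample endpoint events (not real telemetry); fields mimic a
# process-creation / service-install feed.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Users\bob\Downloads\invoice.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "image": r"C:\Users\bob\AppData\Local\ulmsqx7t2kd9.exe",
     "parent": r"C:\Users\bob\Downloads\invoice.exe"},
    {"type": "ServiceInstall", "image": r"C:\Users\bob\AppData\Local\ulmsb3mz8pq1.exe",
     "service": "ulmsb3mz8pq1"},
    {"type": "ProcessCreate", "image": r"C:\Program Files\Vendor\ulms.exe",
     "parent": r"C:\Windows\explorer.exe"},  # legitimate-looking name, no random suffix
]

def shannon_entropy(s: str) -> float:
    """Bits per character of a string; random suffixes score higher than words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def random_suffix(path: str, prefix: str = DROPPED_PREFIX):
    """Return the random suffix if the basename is <prefix><random>.exe, else None."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    m = re.fullmatch(re.escape(prefix) + r"([a-z0-9]+)\.exe", base)
    if not m:
        return None
    suffix = m.group(1)
    if len(suffix) < MIN_SUFFIX_LEN or shannon_entropy(suffix) < MIN_SUFFIX_ENTROPY:
        return None
    return suffix

def hunt(events):
    """Flag processes and services whose image matches the dropped-copy naming pattern."""
    findings = []
    for ev in events:
        suffix = random_suffix(ev["image"])
        if suffix is None:
            continue
        reason = "randomly named copy executed"
        if ev["type"] == "ServiceInstall":
            reason = "service installed for randomly named copy"
        findings.append({"type": ev["type"], "image": ev["image"],
                         "suffix": suffix, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The entropy threshold keeps ordinary product names such as `ulms.exe` out of the results; raise the prefix list or threshold as your own baseline dictates.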
Its latest versions also use code obfuscation, dead code and encryption. Bayrob now encrypts the data it harvests and exfiltrates from the victim’s computer, which hinders both security researchers’ analysis and anti-malware detection.
Bayrob’s communications with its command & control server are also encrypted, and it also uses a custom protocol over TCP/IP.
Finally, here is a list of Bayrob’s detection names, via VirusTotal:
- Trojan.Bayrob.1 [Dr.Web]
- a variant of Win32/Bayrob.AA [ESET-NOD32]
- W32/Bayrob.T!tr [Fortinet]
- Trojan.Win32.Bayrob [Ikarus]
- TrojanSpy:Win32/Nivdort.AF [Microsoft]
- Mal/Bayrob-B [Sophos]
- TROJ_BAYROB.SM0 [TrendMicro-HouseCall]
- Gen:Variant.Diley.1 [Bitdefender]
- Win32/Cryptor [AVG]
Remove Bayrob Trojan and Protect Your System
As with other Trojans, the most reliable way to prevent an infection is to keep active anti-malware protection on the system. If you have been affected, refer to the removal steps below to remove the Trojan completely, either automatically or manually.