silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,056
A recently discovered backdoor can spread itself over a local network, in addition to allowing attackers to install additional malware onto compromised machines.
Initially observed in February this year, when still in testing phase, and dubbed Plurox, the backdoor is written in C and compiled with Mingw GCC. It uses the TCP protocol for communication with the command and control (C&C) server and supports a variety of plugins to expand capabilities.
While analyzing the malware, Kaspersky’s security researchers discovered that it uses two different ports to load plugins. The ports and the C&C addresses are hardcoded into the bot.
The researchers also discovered two subnets of malicious activity. In one of them the backdoor receives only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) from the C&C, while in the other it also receives several plugins, in addition to miners (auto_opencl_amd, auto_miner).
The botnet supports a total of seven commands, which allow it to download and execute files using WinAPI CreateProcess, update the bot, delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry), download and run/stop/stop and delete/update plugin (stop process and delete file of old version, load and start new one).
The backdoor can install one of several cryptocurrency miners, depending on the system configuration. For that, the bot sends information about the system to the C&C, which then tells it which plugin to download.
Plurox: Modular backdoor
The analysis showed the Backdoor.Win32.Plurox to have a few quite unpleasant features. What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins.
securelist.com