Wednesday, November 22, 2017
Home / Malware / Win32/Jabberbot.A uses Jabber Protocol

Win32/Jabberbot.A uses Jabber Protocol

ESET investigators explain that Jabberbot has been primarily targeting users from Ukraine, but they are uncertain how it’s spreading.

For communications, Jabberbot uses one shared account on all the infected hosts, [email protected] Each instance generates one pseudorandom resource identifier, applied by the botmaster to transmit commands with each individual bot.

No encryption and no authentication are used, despite the fact that the XMPP protocol and the jabber.ru service support Transport Layer Security (TLS).

Once executed, Win32/JabberBot.A copies itself into the %windir%\system32 directory with a randomized file name and adds an entry in the Windows registry at [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] in order to start itself on start up.

The malware will also attempt to taint any removable device by replicating itself to the root of the device using a hardcoded filename. While it looked like a random string at first sight, the intrepid eye can distinguish a pattern in it.  The spreading techniques uses a AUTORUN.inf which is a very basic USB spread technique and doesn’t work on most updated systems.

You can view ESET’s full analysis here: LINK

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

New FastPOS malware targeting Point-of-Sale systems

Experts have disclosed a new category of malware, labeled “FastPOS,” that has the ability to quickly …