ESET investigators explain that Jabberbot has been primarily targeting users from Ukraine, but they are uncertain how it’s spreading.
For communications, Jabberbot uses one shared account on all the infected hosts, [email protected]. Each instance generates one pseudorandom resource identifier, applied by the botmaster to transmit commands with each individual bot.
No encryption and no authentication are used, despite the fact that the XMPP protocol and the jabber.ru service support Transport Layer Security (TLS).
Once executed, Win32/JabberBot.A copies itself into the %windir%\system32 directory with a randomized file name and adds an entry in the Windows registry at [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] in order to start itself on start up.
The malware will also attempt to taint any removable device by replicating itself to the root of the device using a hardcoded filename. While it looked like a random string at first sight, the intrepid eye can distinguish a pattern in it. The spreading techniques uses a AUTORUN.inf which is a very basic USB spread technique and doesn’t work on most updated systems.
You can view ESET’s full analysis here: LINK
